Hi,
So I'm not really sure if this is a bug or a limitation. Or misconfiguration on my part. But If someone from Sysmas could clarify it. I'd appreciate it :D
if your app allows filter modification you can work around it by making an unnested filter like so:
ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=group1,ou=groups,dc=example,dc=com)(memberOf=cn=group2,ou=groups,dc=example,dc=com)))' uid
Thx
On Sun, Apr 10, 2022, 19:23 erikdewaard@gmail.com wrote:
Hi,
On openldap 2.5.11
I have some weird behavior with group in group searches using memberOf.
#Working # ldapsearch -LLL -H ldap:// -x -b 'dc=example,dc=com' '(uid=user5)' memberOf dn: uid=user5,ou=People,dc=example,dc=com memberOf: cn=groupingroup,ou=groups,dc=example,dc=com
#Working # ldapsearch -LLL -H ldap:// -x -b 'dc=example,dc=com' '(uid=user1)' memberOf dn: uid=user1,ou=People,dc=example,dc=com memberOf: cn=group1,ou=groups,dc=example,dc=com memberOf: cn=groupingroup,ou=groups,dc=example,dc=com
Now the weird behavior part when querying if user1 is indeed a memberOf groupingroup i sometimes get 0 results, need to query multiple times before i indeed get the correct answer.
# ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid dn: uid=user1,ou=People,dc=example,dc=com uid: user1
user5 completely fell of the map. # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user5)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
When querying memberOf groupingroup, it looks like its randomly returning just one group.
#only returning group2 # ldapsearch -H ldap:// -LLL -x -b 'dc=example,dc=com' "(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)" uid dn: uid=user3,ou=People,dc=example,dc=com uid: user3 dn: uid=user4,ou=People,dc=example,dc=com uid: user4 dn: cn=group1,ou=Groups,dc=example,dc=com dn: cn=group2,ou=Groups,dc=example,dc=com
#only returning group1 # ldapsearch -H ldap:// -LLL -x -b 'dc=example,dc=com' "(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)" uid dn: uid=user1,ou=People,dc=example,dc=com uid: user1 dn: uid=user2,ou=People,dc=example,dc=com uid: user2 dn: cn=group1,ou=Groups,dc=example,dc=com dn: cn=group2,ou=Groups,dc=example,dc=com
--conf # stand-alone slapd config include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema include /etc/openldap/schema/dyngroup.schema # allow big PDUs from anonymous (for testing purposes) sockbuf_max_incoming 4194303
moduleload back_ldap moduleload dynlist
####################################################################### # database definitions ####################################################################### database config
database mdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret directory /var/lib/ldap lastbind off overlay dynlist dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames* database monitor --conf
--data dn: dc=example,dc=com structuralObjectClass: domain dc: example objectClass: top objectClass: domain
dn: ou=People,dc=example,dc=com structuralObjectClass: organizationalUnit ou: People objectClass: top objectClass: organizationalUnit
dn: ou=Groups,dc=example,dc=com ou: Groups structuralObjectClass: organizationalUnit objectClass: organizationalUnit objectClass: top
dn: uid=user1,ou=People,dc=example,dc=com displayName: User 1 cn: User 1 loginShell: /bin/bash uidNumber: 2001 gidNumber: 3000 homeDirectory: /home/user1 mail: user1@example.com uid: user1 sn: user1 structuralObjectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount
dn: uid=user2,ou=People,dc=example,dc=com displayName: User 2 cn: User 2 loginShell: /bin/bash uidNumber: 2002 gidNumber: 3000 homeDirectory: /home/user2 mail: user2@example.com uid: user2 sn: user2 structuralObjectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount
dn: uid=user3,ou=People,dc=example,dc=com displayName: User 3 cn: User 3 loginShell: /bin/bash uidNumber: 2003 gidNumber: 3000 homeDirectory: /home/user3 mail: user3@example.com uid: user3 sn: user3 structuralObjectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount
dn: uid=user4,ou=People,dc=example,dc=com displayName: User 4 cn: User 4 loginShell: /bin/bash uidNumber: 2004 gidNumber: 3000 homeDirectory: /home/user4 mail: user4@example.com uid: user4 sn: user4 structuralObjectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount
dn: uid=user5,ou=People,dc=example,dc=com displayName: User 5 cn: User 5 loginShell: /bin/bash uidNumber: 2005 gidNumber: 3000 homeDirectory: /home/user5 mail: user5@example.com uid: user5 sn: user5 structuralObjectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount
dn: cn=group1,ou=Groups,dc=example,dc=com cn: group1 gidNumber: 3001 objectClass: groupOfUniqueNames objectClass: top objectClass: posixGroup ou: group1 structuralObjectClass: groupOfUniqueNames uniqueMember: uid=user1,ou=People,dc=example,dc=com uniqueMember: uid=user2,ou=People,dc=example,dc=com
dn: cn=group2,ou=Groups,dc=example,dc=com cn: group2 gidNumber: 3002 objectClass: groupOfUniqueNames objectClass: top objectClass: posixGroup ou: group2 structuralObjectClass: groupOfUniqueNames uniqueMember: uid=user3,ou=People,dc=example,dc=com uniqueMember: uid=user4,ou=People,dc=example,dc=com
dn: cn=groupingroup,ou=Groups,dc=example,dc=com cn: groupingroup gidNumber: 3003 objectClass: groupOfUniqueNames objectClass: top objectClass: posixGroup ou: groupingroup structuralObjectClass: groupOfUniqueNames uniqueMember: uid=user5,ou=People,dc=example,dc=com uniqueMember: cn=group1,ou=Groups,dc=example,dc=com uniqueMember: cn=group2,ou=Groups,dc=example,dc=com