Hi,

So I'm not really sure if this is a bug or a limitation, or a misconfiguration on my part. But if someone from Symas could clarify it, I'd appreciate it :D

If your app allows filter modification, you can work around it by making an unnested filter like so:

ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=group1,ou=groups,dc=example,dc=com)(memberOf=cn=group2,ou=groups,dc=example,dc=com)))' uid

Thx


On Sun, Apr 10, 2022, 19:23 <erikdewaard@gmail.com> wrote:
Hi,

On openldap 2.5.11

I have some weird behavior with group in group searches using memberOf.

#Working
# ldapsearch -LLL -H ldap:// -x -b 'dc=example,dc=com' '(uid=user5)' memberOf
dn: uid=user5,ou=People,dc=example,dc=com
memberOf: cn=groupingroup,ou=groups,dc=example,dc=com

#Working
# ldapsearch -LLL -H ldap:// -x -b 'dc=example,dc=com' '(uid=user1)' memberOf
dn: uid=user1,ou=People,dc=example,dc=com
memberOf: cn=group1,ou=groups,dc=example,dc=com
memberOf: cn=groupingroup,ou=groups,dc=example,dc=com

Now the weird behavior: when querying whether user1 is indeed a memberOf groupingroup,
I sometimes get 0 results and need to query multiple times before I get the correct answer.

# ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
# ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
# ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
# ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
dn: uid=user1,ou=People,dc=example,dc=com
uid: user1

user5 completely fell off the map.
# ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user5)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid

When querying memberOf groupingroup, it looks like it's randomly returning just one group.

#only returning group2
# ldapsearch -H ldap:// -LLL -x -b 'dc=example,dc=com' "(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)" uid
dn: uid=user3,ou=People,dc=example,dc=com
uid: user3
dn: uid=user4,ou=People,dc=example,dc=com
uid: user4
dn: cn=group1,ou=Groups,dc=example,dc=com
dn: cn=group2,ou=Groups,dc=example,dc=com

#only returning group1
# ldapsearch -H ldap:// -LLL -x -b 'dc=example,dc=com' "(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)" uid
dn: uid=user1,ou=People,dc=example,dc=com
uid: user1
dn: uid=user2,ou=People,dc=example,dc=com
uid: user2
dn: cn=group1,ou=Groups,dc=example,dc=com
dn: cn=group2,ou=Groups,dc=example,dc=com

--conf
# stand-alone slapd config
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/dyngroup.schema
# allow big PDUs from anonymous (for testing purposes)
sockbuf_max_incoming 4194303

moduleload back_ldap
moduleload dynlist

#######################################################################
# database definitions
#######################################################################
database config

database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
lastbind off
overlay dynlist
dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames*
database monitor
--conf

--data
dn: dc=example,dc=com
structuralObjectClass: domain
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
structuralObjectClass: organizationalUnit
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=example,dc=com
ou: Groups
structuralObjectClass: organizationalUnit
objectClass: organizationalUnit
objectClass: top

dn: uid=user1,ou=People,dc=example,dc=com
displayName: User 1
cn: User 1
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 3000
homeDirectory: /home/user1
mail: user1@example.com
uid: user1
sn: user1
structuralObjectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount

dn: uid=user2,ou=People,dc=example,dc=com
displayName: User 2
cn: User 2
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 3000
homeDirectory: /home/user2
mail: user2@example.com
uid: user2
sn: user2
structuralObjectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount

dn: uid=user3,ou=People,dc=example,dc=com
displayName: User 3
cn: User 3
loginShell: /bin/bash
uidNumber: 2003
gidNumber: 3000
homeDirectory: /home/user3
mail: user3@example.com
uid: user3
sn: user3
structuralObjectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount

dn: uid=user4,ou=People,dc=example,dc=com
displayName: User 4
cn: User 4
loginShell: /bin/bash
uidNumber: 2004
gidNumber: 3000
homeDirectory: /home/user4
mail: user4@example.com
uid: user4
sn: user4
structuralObjectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount

dn: uid=user5,ou=People,dc=example,dc=com
displayName: User 5
cn: User 5
loginShell: /bin/bash
uidNumber: 2005
gidNumber: 3000
homeDirectory: /home/user5
mail: user5@example.com
uid: user5
sn: user5
structuralObjectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount

dn: cn=group1,ou=Groups,dc=example,dc=com
cn: group1
gidNumber: 3001
objectClass: groupOfUniqueNames
objectClass: top
objectClass: posixGroup
ou: group1
structuralObjectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=user2,ou=People,dc=example,dc=com

dn: cn=group2,ou=Groups,dc=example,dc=com
cn: group2
gidNumber: 3002
objectClass: groupOfUniqueNames
objectClass: top
objectClass: posixGroup
ou: group2
structuralObjectClass: groupOfUniqueNames
uniqueMember: uid=user3,ou=People,dc=example,dc=com
uniqueMember: uid=user4,ou=People,dc=example,dc=com

dn: cn=groupingroup,ou=Groups,dc=example,dc=com
cn: groupingroup
gidNumber: 3003
objectClass: groupOfUniqueNames
objectClass: top
objectClass: posixGroup
ou: groupingroup
structuralObjectClass: groupOfUniqueNames
uniqueMember: uid=user5,ou=People,dc=example,dc=com
uniqueMember: cn=group1,ou=Groups,dc=example,dc=com
uniqueMember: cn=group2,ou=Groups,dc=example,dc=com
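As an added example (not code from either message in this thread), the nested membership that the dynlist memberOf lookups above return inconsistently, resolved client-side by following uniqueMember links through a constructed LDIF of the thread's three groups; it also builds the unnested memberOf filter the reply suggests, so the server never has to resolve the nesting itself. The group and user DNs are those from the thread; the cycle guard is an assumption added for groups that contain each other.

```python
# Constructed LDIF: the three groups from the thread, uniqueMember links only.
SAMPLE_LDIF = """\
dn: cn=group1,ou=Groups,dc=example,dc=com
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=user2,ou=People,dc=example,dc=com

dn: cn=group2,ou=Groups,dc=example,dc=com
uniqueMember: uid=user3,ou=People,dc=example,dc=com
uniqueMember: uid=user4,ou=People,dc=example,dc=com

dn: cn=groupingroup,ou=Groups,dc=example,dc=com
uniqueMember: uid=user5,ou=People,dc=example,dc=com
uniqueMember: cn=group1,ou=Groups,dc=example,dc=com
uniqueMember: cn=group2,ou=Groups,dc=example,dc=com
"""

def parse_groups(ldif):
    """Map each group DN to its direct uniqueMember DNs (lower-cased, since
    DN matching is case-insensitive and the thread mixes ou=Groups/ou=groups)."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        dn, members = None, []
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value.lower()
            elif key == "uniqueMember":
                members.append(value.lower())
        groups[dn] = members
    return groups

def expand_group(groups, group_dn, seen=None):
    """Return group_dn plus every group nested under it; 'seen' guards cycles."""
    seen = set() if seen is None else seen
    group_dn = group_dn.lower()
    if group_dn not in seen:
        seen.add(group_dn)
        for m in groups.get(group_dn, []):
            if m in groups:  # the member is itself a group: recurse into it
                expand_group(groups, m, seen)
    return seen

def is_transitive_member(groups, user_dn, group_dn):
    """True if user_dn is a direct member of group_dn or of any nested group."""
    return any(user_dn.lower() in groups[g] for g in expand_group(groups, group_dn))

def flattened_filter(groups, uid, group_dn):
    """Unnested filter in the style of the reply: one memberOf per expanded group."""
    clauses = "".join(f"(memberOf={g})" for g in sorted(expand_group(groups, group_dn)))
    return f"(&(uid={uid})(|{clauses}))"
```

Unlike the reply's hand-written filter, the generated one also lists groupingroup itself, so direct members such as user5 match as well.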