I'm trying to implement some aliases for several groups in my directory to provide a bit of aesthetics for a few applications that leverage the OpenLDAP users and groups. However, I seem to be running into a little trouble, perhaps because I'm expecting alias dereferencing to do something it wasn't really designed to do. For reference, this is 2.4.21, but I was able to test on a 2.4.23 database with the same results. I'm using the autogroup module as well for some pseudo-static dynamic groups. Consider the following basic DIT and abbreviated set of entries (abbreviated entries denoted by '...'):
dn: dc=example,dc=com

dn: ou=Users,dc=example,dc=com

dn: ou=Groups,dc=example,dc=com

dn: uid=john,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...

dn: uid=jane,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...

dn: uid=joe,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...

dn: cn=sysadmins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
objectClass: posixGroup
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomEmployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
...

dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
cn: Systems Admins
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
When I initiate an ldapsearch and choose not to dereference, I see what I expect:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a never -b dc=example,dc=com cn=Systems\ Administrators
dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
cn: Systems Administrators
However, when I do choose to dereference, nothing is returned:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a find -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#
I can only obtain the expected results if I set the search base to the *specific* entry I'm looking to dereference:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b cn=Systems\ Administrators,ou=Groups,dc=example,dc=com
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
ou: Groups
gidNumber: 4001
cn: sysadmins
objectClass: groupOfURLs
objectClass: top
objectClass: posixGroup
description: The sysadmin team members
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomEmployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
I find it hard to believe that setting the search base to the alias entry is the only way in which one may reference the alias entry - I can't see many cases in which it would be useful to set the search base to something other than the highest part of the tree under which all the other entries you'd like to view are accessible. Essentially, I just want to be able to search for the more aesthetically named entry (cn=Systems Administrators) without having to explicitly set it as the search base, and have it return the entry specified by its aliasedObjectName. Is this possible, and if so, how? If not, what is the recommended approach to achieving this goal, other than perhaps setting an attribute from an AUXILIARY objectClass or similar? I don't really consider creating the entries with the more aesthetic names from the get-go as an option, because dealing with POSIX groups that have spaces in them is a pain, and not everything plays nice with such naming schemes. Thanks for any/all advice.
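As an added example, not part of the original post: a small Python model of the RFC 4511 derefAliases rule that reproduces the `-a never` and `-a always` results shown above, where a dereferenced alias is replaced by its target before the filter is evaluated, so a filter naming the alias's own cn can never match. The in-memory DIT, attribute values and search function are constructed for this example and only model the entries the question uses.

```python
# Constructed in-memory DIT: DN -> attributes (only what the question needs).
DIT = {
    "dc=example,dc=com": {"objectClass": ["top"]},
    "ou=Groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=sysadmins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfURLs", "posixGroup"],
        "cn": ["sysadmins"], "gidNumber": ["4001"]},
    "cn=Systems Administrators,ou=Groups,dc=example,dc=com": {
        "objectClass": ["alias", "extensibleObject"],
        "cn": ["Systems Administrators"],
        "aliasedObjectName": ["cn=sysadmins,ou=Groups,dc=example,dc=com"]},
}


def is_alias(dn):
    return "alias" in DIT[dn]["objectClass"]


def deref(dn):
    """Follow aliasedObjectName until a non-alias entry is reached."""
    while is_alias(dn):
        dn = DIT[dn]["aliasedObjectName"][0]
    return dn


def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)


def search(base, deref_mode, cn=None):
    """Subtree search modelling derefAliases: never / find / search / always.

    'find' and 'always' dereference the base object; 'search' and 'always'
    dereference aliases found below the base, replacing each alias with its
    target so the (cn=...) filter is tested against the target entry.
    """
    if deref_mode in ("find", "always"):
        base = deref(base)            # derefFindingBaseObj
    results = []
    for dn in DIT:
        if not in_subtree(dn, base):
            continue
        if is_alias(dn) and dn != base and deref_mode in ("search", "always"):
            dn = deref(dn)            # derefInSearching: alias replaced by target
        if cn is None or cn in DIT[dn].get("cn", []):
            if dn not in results:
                results.append(dn)
    return results
```

With `never` the alias entry itself matches; with `always` from the suffix the alias is swapped for cn=sysadmins before the filter runs and nothing matches; with `always` and the alias as base, the base is dereferenced and the default filter returns cn=sysadmins.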