Thanks for responding, Howard. Responses below.
Howard Chu wrote:
Your problem has nothing to do with alias dereferencing.
Yes, I have to agree now that I (think I) know more about how aliases work in OpenLDAP.
I can only obtain the expected results if I set the search base to the *specific* entry I'm looking to dereference:
And that is clearly not the case, in fact.
Your last search is not equivalent to your previous searches, because the last time you omitted the **SEARCH FILTER**.
Think about it.
I actually believe it is the case, but only because the behavior I'm expecting is not orthogonal to how aliases appear to work. Using FAQ-O-Matic entry #1111 as an example, searching without a filter just returns the aliased entry without any reference at all to the DN of the alias itself, which precludes me from being able to use the root of my DIT as the search base, search for the alias's DN, and have the attributes from the object to which it points returned. I suppose I will just have to look for another solution to satisfy this particular need, perhaps an auxiliary objectclass that will let me use a separate attribute for aesthetic display names. I'm certainly open to other suggestions if there is a more appropriate or fitting answer to this problem. For reference, what I'm after is something similar to the following behavior:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always '(cn=Aliased Group Name)' member
dn: cn=realgroupname,ou=Groups,dc=example,dc=com
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
Thanks for the advice/suggestions/cluebats!