Hi,
Consider the following simple dynlist config (v2.5.13):
groupOfURLs labeledURI uniqueMember+memberOf@groupOfUniqueNames
So for static groups we get a dynamic memberOf for each user that is a member of some static group, for example:
DN: cn=TouK,ou=TouK,ou=Group,dc=touk,dc=pl
...
uniqueMember: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl

DN: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl
...
memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
Now this works fine if we bind with a user and do a search. But if we do an anonymous search, no memberOf is returned, nor can it be searched by. For example:
assume the following ACLs at the top:
{0}to * by dn=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
{1}to dn.subtree=ou=People,dc=touk,dc=pl attrs=entry,entryUUID,memberOf,@toukAnonAccess by anonymous =scr by * break
{2}to dn.subtree=ou=Group,dc=touk,dc=pl attrs=entry,@groupOfUniqueNames,@groupOfNames by anonymous =scr by * break
...
and the following search:
ldapsearch -x -H ldaps://ldap.touk.pl -s sub -b 'ou=Touki,ou=People,dc=touk,dc=pl' -o ldif-wrap=no -LLL -v memberOf entryUUID
we get the following results:
ldap_initialize( ldaps://ldap.touk.pl:636/??base )
filter: (objectclass=*)
requesting: memberOf entryUUID
dn: ou=Touki,ou=People,dc=touk,dc=pl
entryUUID: 6be7e4f8-a800-103a-9fd7-3100241d53c2

dn: cn=Jan Gajl,ou=Touki,ou=People,dc=touk,dc=pl
entryUUID: 6c39df1a-a800-103a-8089-3100241d53c2
Why is memberOf omitted with anonymous binds when the search explicitly (or implicitly via +) requests it and the ACLs grant the required rights? With explicit binds or EXTERNAL, memberOf is returned (and searchable) correctly.
Is there something else that is required for memberOf to work with anonymous binds?
On 3/6/23 22:00, Michal Soltys wrote:
> Now this works fine if we bind with a user and do a search. But if we do an anonymous search, no memberOf is returned, nor can it be searched by. For example:
To clarify:
The ACLs were missing search access to entryDN - and this is required for this overlay to work correctly with filters involving memberOf (see the AUTHORIZATION section in the man page).
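For reference, the ACL set from the first mail with the fix described above applied, i.e. entryDN added to the attribute list of the People rule so that an anonymous bind gets search access to it. This is an added example, not part of the original mails: it is the slapd.conf access-directive form of the olcAccess values shown (with the dynlist line in its slapd.conf spelling), the dn.exact quoting is the slapd.conf equivalent of the poster's dn= clause, and toukAnonAccess is the poster's own site-specific objectclass.

```conf
# Added example, not from the original thread: the poster's ACLs in slapd.conf
# form. The only functional change is entryDN in the attrs list of rule {1},
# so that an anonymous bind gets search ("s" in =scr) on entryDN for People
# entries. toukAnonAccess is the poster's site-specific objectclass.

# {0}: local root over ldapi:// with SASL EXTERNAL keeps full management rights
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * break

# {1}: anonymous may search/compare/read these attributes of People entries.
# Without entryDN here, the dynlist-generated memberOf was neither returned to
# anonymous searches nor usable in a (memberOf=...) filter.
access to dn.subtree="ou=People,dc=touk,dc=pl"
        attrs=entry,entryUUID,entryDN,memberOf,@toukAnonAccess
        by anonymous =scr
        by * break

# {2}: unchanged; the static groups the memberOf values are derived from
access to dn.subtree="ou=Group,dc=touk,dc=pl"
        attrs=entry,@groupOfUniqueNames,@groupOfNames
        by anonymous =scr
        by * break

# The dynlist configuration from the first mail, in slapd.conf form
overlay dynlist
dynlist-attrset groupOfURLs labeledURI uniqueMember+memberOf@groupOfUniqueNames
```

To check the change, repeat the anonymous ldapsearch from the first mail: memberOf should now be returned for the member entries, and a filter such as '(memberOf=cn=TouK,ou=TouK,ou=Group,dc=touk,dc=pl)' should match them. The extra grant does not widen what an anonymous client can learn: entryDN carries only the entry's own DN, which an anonymous search in that subtree already sees.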
openldap-technical@openldap.org