Hello,
Apologies if this isn't the appropriate list. Searched archives but didn't manage to find anything that seemed related…
This query does not return any results:
(|(&(objectClass=groupOfNames)(cn=Domain Users))(&(objectClass=inetorgperson)(cn=Domain Users))(&(objectClass=organization)(o=Domain Users)))
But, this query does:
(|(&(objectClass=groupOfNames)(cn=Domain Users))(&(objectClass=inetorgperson)(cn=Domain Users))(&(objectClass=organization)(cn=Domain Users)))
Since RFC 2256 defines organization as STRUCTURAL, with o as MUST, and does not associate cn at all, I'm stumped.
FYI, there exists a groupOfNames object with cn=Domain Users.
I guess, why would my organization (3rd) clause matter at all? Since the groupOfNames object satisfies the groupOfNames (1st) clause, I was expecting it to be returned regardless of whether the subsequent 2 clauses match anything.
And out of curiosity, this query fails:
(|(&(objectClass=groupOfNames)(cn=Domain Users))(&(objectClass=inetorgperson)(o=Domain Users))(&(objectClass=organization)(cn=Domain Users)))
My guess is that if a subsequent clause specifies an attribute that's not defined for an objectClass, the query fails even if the first clause is known to be good? If that's how things work, I can deal with that. But I just can't find any documentation that clarifies this (or I'm totally missing something super obvious!).
Can anyone explain this to me, or point me to some docs that I should go read? Is there a missing piece of info that I should mention? Any suggestions would be really, really appreciated!
Regards,
- Matthew
--On Sunday, February 05, 2012 9:45 PM -0500 "Matthew M. DeLoera" mdeloera@exacq.com wrote:
> Hello,
> Apologies if this isn't the appropriate list. Searched archives but didn't manage to find anything that seemed related…
> This query does not return any results:
> (|(&(objectClass=groupOfNames)(cn=Domain Users))(&(objectClass=inetorgperson)(cn=Domain Users))(&(objectClass=organization)(o=Domain Users)))
> My guess is that if a subsequent clause specifies an attribute that's not defined for an objectClass, the query fails even if the first clause is known to be good? If that's how things work, I can deal with that. But I just can't find any documentation that clarifies this (or I'm totally missing something super obvious!).
Definitely not the case, because this search works correctly for me:
ldapsearch -x -H ldap://zre-ldap001.eng.vmware.com -D "cn=config" -w zimbra "(&(objectClass=organizationalPerson)(zimbraMailStatus=enabled))" uid
Obviously "zimbraMailStatus" is not a part of the organizationalPerson schema.
My guess would be in your case that ACLs are the issue, perhaps missing READ or SEARCH on the "o" attr, but having READ or SEARCH on the "cn" attr.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
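Added example, not part of the thread and not OpenLDAP code: a small evaluator for the three-valued filter rules of RFC 4511, section 4.5.1.7, run over the three filters quoted above. The sample entries are constructed, and treating an attribute the requester may not search as Undefined is an assumption of this sketch; under these rules an OR clause that is FALSE or Undefined does not stop the groupOfNames entry from matching.

```python
# Added example: three-valued LDAP filter evaluation per RFC 4511, section 4.5.1.7.
# Handles only &, |, ! and equality items; values are compared case-insensitively.
TRUE, FALSE, UNDEF = "TRUE", "FALSE", "UNDEFINED"

def parse(s, i=0):
    """Parse the parenthesised filter starting at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def evaluate(node, entry, unreadable=frozenset()):
    """Return TRUE, FALSE or UNDEF for one entry (dict: attribute -> set of values)."""
    if node[0] == "=":
        _, attr, value = node
        if attr in unreadable:  # assumption of this sketch, not slapd's documented behaviour
            return UNDEF
        return TRUE if value in entry.get(attr, ()) else FALSE
    results = [evaluate(kid, entry, unreadable) for kid in node[1]]
    if node[0] == "!":
        return {TRUE: FALSE, FALSE: TRUE, UNDEF: UNDEF}[results[0]]
    if node[0] == "&":  # FALSE if any item is FALSE, TRUE only if all are TRUE
        return FALSE if FALSE in results else UNDEF if UNDEF in results else TRUE
    return TRUE if TRUE in results else UNDEF if UNDEF in results else FALSE  # "|"

def match(filter_text, entry, unreadable=frozenset()):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return evaluate(node, entry, unreadable)

# Constructed sample entries (lower-cased), not taken from the poster's directory.
GROUP = {"objectclass": {"groupofnames"}, "cn": {"domain users"}}
ORG = {"objectclass": {"organization"}, "o": {"domain users"}}
PREFIX = "(|(&(objectClass=groupOfNames)(cn=Domain Users))"
FILTERS = [  # the three filters from the thread, in the order they were posted
    PREFIX + "(&(objectClass=inetorgperson)(cn=Domain Users))(&(objectClass=organization)(o=Domain Users)))",
    PREFIX + "(&(objectClass=inetorgperson)(cn=Domain Users))(&(objectClass=organization)(cn=Domain Users)))",
    PREFIX + "(&(objectClass=inetorgperson)(o=Domain Users))(&(objectClass=organization)(cn=Domain Users)))",
]

if __name__ == "__main__":
    for n, f in enumerate(FILTERS, 1):
        print(n, match(f, GROUP), match(f, GROUP, {"o"}), match(f, ORG, {"o"}))
```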