Using slapd 2.5 with dynlist to generate memberof. We use sssd ldap provider with ldap_user_search_filter parameter and memberof filter and only the user which are memberof=XY are in the sssd cache. So it works as expected, since slapd 2.5 We use ldapsearch with memberof filter and it works as expected, since slapd 2.5 Iam trying out some webapps, configure the ldap filter and iam wondering because the filter with the memberof attribute will be transmitted to slapd but there is no search result in the slapd.log. If i copy the webapp ldap filter from the slapd log and try it out with ldapsearch on the webapp server i get search results. Could somebody clearify me ?

Am 24.11.22 um 02:14 schrieb Howard Chu: > andreas.ladanyi(a)kit.edu wrote: >> Using slapd 2.5 with dynlist to generate memberof. >> >> We use sssd ldap provider with ldap_user_search_filter parameter and memberof filter and only the user which are memberof=XY are in the sssd cache. So it >> works as expected, since slapd 2.5 >> >> We use ldapsearch with memberof filter and it works as expected, since slapd 2.5 >> >> Iam trying out some webapps, configure the ldap filter and iam wondering because the filter with the memberof attribute will be transmitted to slapd but >> there is no search result in the slapd.log. If i copy the webapp ldap filter from the slapd log and try it out with ldapsearch on the webapp server i get >> search results. >> >> Could somebody clearify me ? >> > Read the slapo-dynlist(5) manpage, especially the note about the manageDSAit control. Then check the slapd packet trace and see what > controls the webapp is sending with the search request. About the controls: Wireshark told me the managedsait control is not sent by the webapp ldap client and not by the ldapsearch (without -M). I never used -M. The webapp sends the control "pageresultcontrol" , size 500 to slapd. The slapd response back to the client "pageresultcontrol" size 0.