Hi all. I'm having a hard time trying to figure out what is wrong with this LDAP query:
I'm trying to filter a specific user inside a specific group. Like this:
/usr/bin/ldapsearch -x -D ".." -w.. -b "o=Work" "(&(uniquemember=uid=gherzig,ou=People,o=Work) (memberof=cn=MailUsers,ou=Groups,o=Work))"
It gets no results, but if I remove the memberof part, it works well. "(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives me all the entries that user is in.
What is wrong? BTW, specifying a different search base is not an option; I need that base as it is.
Thanks!! Gerardo
There may be many causes; typically:
- the client's identity does not have search access on memberOf
- memberOf is not defined in schema, and the filter is undefined
Check the server's logs for hints. If "stats" does not suffice, add "acl" and "trace".
p.
Hello, your filter correctly doesn't return any result: First part fits for groups, second part fits for persons. Probably there is no entry in your directory being both person AND group ...
Regards, Jochen.
On Thu, 11-08-2011 at 17:34 +0200, Keutel, Jochen (mlists) wrote:
> Hello, your filter correctly doesn't return any result: First part fits for groups, second part fits for persons. Probably there is no entry in your directory being both person AND group ...
> Regards, Jochen.
Anybody agree on this? Am I confusing the filter's usage? Any hints on how to verify if it belongs to the People group and it is an entry on the MailUser GroupOfUniqueNames?
Thanks all. Gerardo
On Thu, 11-08-2011 at 16:58 +0200, masarati@aero.polimi.it wrote:
> There may be many causes; typically:
> - the client's identity does not have search access on memberOf
> - memberOf is not defined in schema, and the filter is undefined
> Check the server's logs for hints. If "stats" does not suffice, add "acl" and "trace".
> p.
Thanks for your time. I have a pretty default conf:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword,uid,cn by self write by * read
access to attrs=shadowLastChange by self write by * read
access to * by * search
(Besides, I'm binding with the rootDN)
And after executing ldapsearch, this appears in the logs:
Aug 12 14:55:44 inca slapd[28386]: conn=1005 fd=17 ACCEPT from IP=[::1]:55027 (IP=[::]:389)
Aug 12 14:55:44 inca slapd[28386]: conn=1005 op=0 BIND dn="cn=Manager,..." method=128
Aug 12 14:55:44 inca slapd[28386]: conn=1005 op=0 BIND dn="cn=Manager,o=Work" mech=SIMPLE ssf=0
Aug 12 14:55:44 inca slapd[28386]: conn=1005 op=0 RESULT tag=97 err=0 text=
Aug 12 14:55:44 inca slapd[28386]: conn=1005 op=1 SRCH base="o=Work" scope=2 deref=0 filter="(&(&(memberOf=cn=MailUsers,ou=groups,o=Work)(uniqueMember=uid=gherzig,ou=people,o=Work)))"
Aug 12 14:55:44 inca slapd[28386]: <= bdb_equality_candidates: (memberOf) not indexed
Aug 12 14:55:44 inca slapd[28386]: <= bdb_equality_candidates: (uniqueMember) not indexed
Aug 12 14:55:48 inca slapd[28386]: conn=1005 op=2 UNBIND
Aug 12 14:55:48 inca slapd[28386]: conn=1005 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 12 14:55:48 inca slapd[28386]: conn=1005 fd=17 closed
Any other hints?
Thanks again. Gerardo
--On Friday, August 12, 2011 3:10 PM -0300 Gerardo Herzig gherzig@fmed.uba.ar wrote:
> filter="(&(&(memberOf=cn=MailUsers,ou=groups,o=Work)(uniqueMember=uid=gherzig,ou=people,o=Work)))" Aug 12 14:55:44 inca slapd[28386]: <=
This filter looks wrong.
Also, are you 100% certain that you have an entry that contains both:
uniqueMember=uid=gherzig,ou=people,o=Work
AND
memberOf=cn=MailUsers,ou=groups,o=Work
?
uniqueMember is usually an attribute in a group, where memberOf is usually an attribute in a user entry. So it would generally be odd to have them both in the same entry.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Fri, 12-08-2011 at 12:37 -0700, Quanah Gibson-Mount wrote:
> This filter looks wrong.
> Also, are you 100% certain that you have an entry that contains both:
> uniqueMember=uid=gherzig,ou=people,o=Work
> AND
> memberOf=cn=MailUsers,ou=groups,o=Work
> ?
> uniqueMember is usually an attribute in a group, where memberOf is usually an attribute in a user entry. So it would generally be odd to have them both in the same entry.
Thanks Quanah for your reply: Yes, it looks like I'm having the wrong idea:
I 'just' need to check if a user has an entry at the People group (where the password is), and *also* if that user belongs to the MailUsers group (which contains the users able to use the mail system).
BTW, I'm just playing with ldapsearch now, but this is intended to be a validation filter for a Zimbra installation.
Thanks again! Gerardo
--On Friday, August 12, 2011 3:58 PM -0300 Gerardo Herzig gherzig@fmed.uba.ar wrote:
> Thanks Quanah for your reply: Yes, it looks like I'm having the wrong idea:
> I 'just' need to check if a user has an entry at the People group (where the password is), and *also* if that user belongs to the MailUsers group (which contains the users able to use the mail system).
> BTW, I'm just playing with ldapsearch now, but this is intended to be a validation filter for a Zimbra installation.
Then I think I would expect a filter of something like:
(&(uid=gherzig)(memberOf=cn=MailUsers,ou=groups,o=Work))
with a base of "ou=people,o=work"
I.e., it would validate that there is an entry with uid "gherzig" in the person tree, and that the entry is a memberof the cn=mailusers group.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
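
The point made in the replies above, that a search filter is evaluated against one entry at a time, shown as an added example (not code from the thread, OpenLDAP or Zimbra): a small evaluator for AND/OR/equality filters run over two constructed entries, plus RFC 4515 escaping for a login name substituted into the validation filter. The entries, the helper names `search`, `user_filter` and `escape_filter_value`, and lower-casing in place of real DN normalization are assumptions; it also assumes the user entry carries memberOf, which in OpenLDAP requires the memberof overlay.

```python
import re

# Constructed sample entries mirroring the thread's tree (not real data).
ENTRIES = {
    "uid=gherzig,ou=People,o=Work": {
        "uid": ["gherzig"],
        "memberof": ["cn=MailUsers,ou=Groups,o=Work"]},
    "cn=MailUsers,ou=Groups,o=Work": {
        "cn": ["MailUsers"],
        "uniquemember": ["uid=gherzig,ou=People,o=Work"]},
}

def parse(f, i=0):
    """Parse one filter component at f[i]; return (node, index after it)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate the filter against ONE entry's own attributes."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    # Simplification: case-insensitive string compare stands in for DN matching.
    return node[2] in (v.lower() for v in entry.get(node[1], []))

def search(filt, base="o=Work"):
    """Subtree search: DNs at or under base whose entry satisfies filt."""
    node, _ = parse(filt)
    return [dn for dn, e in ENTRIES.items()
            if dn.lower().endswith(base.lower()) and matches(node, e)]

def escape_filter_value(s):
    """RFC 4515 escaping for a value substituted into a filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), s)

def user_filter(uid, group="cn=MailUsers,ou=Groups,o=Work"):
    """Build the uid + memberOf validation filter with the uid escaped."""
    return "(&(uid=%s)(memberOf=%s))" % (escape_filter_value(uid), group)
```

With these entries the combined uniquemember-and-memberof filter matches nothing, the uniquemember filter alone matches the group entry, and `search(user_filter("gherzig"), base="ou=People,o=Work")` matches the user entry.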
openldap-technical@openldap.org