6:45 a.m.
Hi all. Im having hard time triyng to figure out what is wrong with this
ldap query:
Im triyng to filter a specific user inside a specific group. Like this
/usr/bin/ldapsearch -x -D ".." -w..
-b "o=Work"
"(&(uniquemember=uid=gherzig,ou=People,o=Work)
(memberof=cn=MailUsers,ou=Groups,o=Work))"
It gets no results, but if i remove the memberof part, it works good.
"(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives me
all the entries that users is in.
What is wrong?
BTW specifiyng a different basesearch is not an option, i need that base
as it is.
Thanks!!
Gerardo
7:58 a.m.
Hi all. Im having hard time triyng to figure out what is wrong with
this
ldap query:
Im triyng to filter a specific user inside a specific group. Like this
/usr/bin/ldapsearch -x -D ".." -w..
-b "o=Work"
"(&(uniquemember=uid=gherzig,ou=People,o=Work)
(memberof=cn=MailUsers,ou=Groups,o=Work))"
It gets no results, but if i remove the memberof part, it works good.
"(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives me
all the entries that users is in.
What is wrong?
BTW specifiyng a different basesearch is not an option, i need that base
as it is.
There may be many causes; typically:
- the client's identity does not have search access on memberOf
- memberOf is not defined in schema, and the filter is undefined
Check the server's logs for hints. If "stats" does not suffice, add
"acl"
and "trace".
p.
8:34 a.m.
Hello,
your filter correctly doesn't return any result: First part fits for
groups, second part fits for persons.
Probably there is no entry in your directory beeing both person AND
group ...
Regards, Jochen.
Am 11.08.2011 16:58, schrieb masarati(a)aero.polimi.it:
> Hi all. Im having hard time triyng to figure out what is wrong
with this
> ldap query:
>
> Im triyng to filter a specific user inside a specific group. Like this
> /usr/bin/ldapsearch -x -D ".." -w..
> -b "o=Work"
> "(&(uniquemember=uid=gherzig,ou=People,o=Work)
> (memberof=cn=MailUsers,ou=Groups,o=Work))"
>
> It gets no results, but if i remove the memberof part, it works good.
> "(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives me
> all the entries that users is in.
>
> What is wrong?
> BTW specifiyng a different basesearch is not an option, i need that base
> as it is.
There may be many causes; typically:
- the client's identity does not have search access on memberOf
- memberOf is not defined in schema, and the filter is undefined
Check the server's logs for hints. If "stats" does not suffice, add
"acl"
and "trace".
p.
11:14 a.m.
El jue, 11-08-2011 a las 17:34 +0200, Keutel, Jochen (mlists) escribió:
Hello,
your filter correctly doesn't return any result: First part fits for
groups, second part fits for persons.
Probably there is no entry in your directory beeing both person AND
group ...
Regards, Jochen.
Am 11.08.2011 16:58, schrieb masarati(a)aero.polimi.it:
>> Hi all. Im having hard time triyng to figure out what is wrong with this
>> ldap query:
>>
>> Im triyng to filter a specific user inside a specific group. Like this
>> /usr/bin/ldapsearch -x -D ".." -w..
>> -b "o=Work"
>> "(&(uniquemember=uid=gherzig,ou=People,o=Work)
>> (memberof=cn=MailUsers,ou=Groups,o=Work))"
>>
>> It gets no results, but if i remove the memberof part, it works good.
>> "(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives
me
>> all the entries that users is in.
Anybody agree on this? Im confusing the filter's usage? Any hints on how
to verify if it belongs to the People group and it is an entry on the
MailUser GroupOfUniqueNames?
Thanks all.
Gerardo
11:10 a.m.
El jue, 11-08-2011 a las 16:58 +0200, masarati(a)aero.polimi.it escribió:
> Hi all. Im having hard time triyng to figure out what is wrong
with this
> ldap query:
>
> Im triyng to filter a specific user inside a specific group. Like this
> /usr/bin/ldapsearch -x -D ".." -w..
> -b "o=Work"
> "(&(uniquemember=uid=gherzig,ou=People,o=Work)
> (memberof=cn=MailUsers,ou=Groups,o=Work))"
>
> It gets no results, but if i remove the memberof part, it works good.
> "(&(uniquemember=uid=gherzig,ou=People,o=Work))" as a filter gives me
> all the entries that users is in.
>
> What is wrong?
> BTW specifiyng a different basesearch is not an option, i need that base
> as it is.
There may be many causes; typically:
- the client's identity does not have search access on memberOf
- memberOf is not defined in schema, and the filter is undefined
Check the server's logs for hints. If "stats" does not suffice, add
"acl"
and "trace".
p.
Thanks for your time.
I have a preety default conf:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,uid,cn
by self write
by * read
access to attrs=shadowLastChange
by self write
by * read
access to *
by * search
(Besides, im binding with the rootDN)
And after executing ldapsearch, this appears in the logs
Aug 12 14:55:44 inca slapd[28386]: conn=1005 fd=17 ACCEPT from
IP=[::1]:55027 (IP=[::]:389)
Aug 12 14:55:44 inca slapd[28386]: conn=1005 op=0 BIND
dn="cn=Manager,..." method=128
Aug 12 14:55:44 inca slapd[28386]: conn=1005 op=0 BIND
dn="cn=Manager,o=Work" mech=SIMPLE ssf=0
Aug 12 14:55:44 inca slapd[28386]: conn=1005 op=0 RESULT tag=97 err=0
text=
Aug 12 14:55:44 inca slapd[28386]: conn=1005 op=1 SRCH base="o=Work"
scope=2 deref=0
filter="(&(&(memberOf=cn=MailUsers,ou=groups,o=Work)(uniqueMember=uid=gherzig,ou=people,o=Work)))"
Aug 12 14:55:44 inca slapd[28386]: <= bdb_equality_candidates:
(memberOf) not indexed
Aug 12 14:55:44 inca slapd[28386]: <= bdb_equality_candidates:
(uniqueMember) not indexed
Aug 12 14:55:48 inca slapd[28386]: conn=1005 op=2 UNBIND
Aug 12 14:55:48 inca slapd[28386]: conn=1005 op=1 SEARCH RESULT tag=101
err=0 nentries=0 text=
Aug 12 14:55:48 inca slapd[28386]: conn=1005 fd=17 closed
Any other hints?
Thanks again.
Gerardo
12:37 p.m.
--On Friday, August 12, 2011 3:10 PM -0300 Gerardo Herzig
<gherzig(a)fmed.uba.ar> wrote:
filter="(&(&(memberOf=cn=MailUsers,ou=groups,o=Work)(uniqueMember=uid=ghe
rzig,ou=people,o=Work)))" Aug 12 14:55:44 inca slapd[28386]: <=
This filter looks wrong.
Also, are you 100% certain that you have an entry that contains both:
uniqueMember=uid=gherzig,ou=people,o=Work
AND
memberOf=cn=MailUsers,ou=groups,o=Work
?
uniqueMember is usually an attribute in a group, where memberOf is usually
an attribute in a user entry. So it would generally be odd to have them
both in the same entry.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11:58 a.m.
El vie, 12-08-2011 a las 12:37 -0700, Quanah Gibson-Mount escribió:
--On Friday, August 12, 2011 3:10 PM -0300 Gerardo Herzig
<gherzig(a)fmed.uba.ar> wrote:
>
filter="(&(&(memberOf=cn=MailUsers,ou=groups,o=Work)(uniqueMember=uid=ghe
> rzig,ou=people,o=Work)))" Aug 12 14:55:44 inca slapd[28386]: <=
This filter looks wrong.
Also, are you 100% certain that you have an entry that contains both:
uniqueMember=uid=gherzig,ou=people,o=Work
AND
memberOf=cn=MailUsers,ou=groups,o=Work
?
uniqueMember is usually an attribute in a group, where memberOf is usually
an attribute in a user entry. So it would generally be odd to have them
both in the same entry.
Thanks Quanah for your reply: Yes, it looks like im having the wrong
idea:
I 'just' need to check if a user have an entry at the People group
(where the password is), and *also* if that user belongs to the
MailUsers group (which contains the users able to use the mail system).
BTW, im just playing with ldapsearch now, but this is intented to be a
validation filter for a Zimbra instalation.
Thanks again!
Gerardo
12:58 p.m.
--On Friday, August 12, 2011 3:58 PM -0300 Gerardo Herzig
<gherzig(a)fmed.uba.ar> wrote:
Thanks Quanah for your reply: Yes, it looks like im having the wrong
idea:
I 'just' need to check if a user have an entry at the People group
(where the password is), and *also* if that user belongs to the
MailUsers group (which contains the users able to use the mail system).
BTW, im just playing with ldapsearch now, but this is intented to be a
validation filter for a Zimbra instalation.
Then I think I would expect a filter of something like:
(&(uid=gherzig)(memberOf=cn=MailUsers,ou=groups,o=Work)) with a base of
"ou=people,o=work"
I.e., it would validate that there is an entry with uid "gherzig" in the
person tree, and that the entry is a memberof the cn=mailusers group.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
3821
days inactive
3822
days old
openldap-technical@openldap.org
7 comments
4 participants
participants (4)
-
Gerardo Herzig -
Keutel, Jochen (mlists) -
masarati@aero.polimi.it -
Quanah Gibson-Mount