Hi Quanah,

Quanah Gibson-Mount wrote:
>> This is how filters work in LDAP. It sounds to me like things are
>> working correctly. I.e., if I search for "objectClass=joe" objectClass,
>> it will return every entry that has an objectClass value of joe, and all
>> the values for objectClass.
>>
>> If I search for "(member=uid=user1,ou=users,dc=example,dc=com)", it will
>> return to me every group that has a member attribute matching that value.
>>
>> I see nothing wrong in the behavior here, just in the understanding of
>> how filters work. Let me know if you have further questions.
>
> To expand on this a little bit more:
>
> LDAP filters are used to limit the number of entries returned. They do
> not limit attr=value pairs.
>
> Generally, with groups, the most common operation is the ldapcompare
> operation. It lets you "ask" whether or not a given value is assigned
> to an attribute in a specific entry.
>
> I.e., I can ask "Is uid=user1,ou=users,dc=example,dc=com a value for the
> member attribute in the group cn=testgroup ou=Groups,dc=example,dc=com"
> using the ldapcompare operation. It will answer one of three ways:
> TRUE, FALSE, or UNDEFINED.
>
> <http://www.openldap.org/software/man.cgi?query=ldapcompare&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>
>
Ah, your responses have been most helpful, thank you! The ldapcompare operation might actually satisfy the end-goals I was hoping to achieve by returning the dn or uid explicitly.

Cheers!

Respectfully,
Ryan
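
Added example, not part of the original messages: a shell wrapper that turns the TRUE / FALSE / UNDEFINED answer of the compare operation into a fail-closed membership check, so the group's member list never has to be read. It assumes OpenLDAP's ldapcompare exits with the LDAP result code (6 = compareTrue, 5 = compareFalse) and an anonymous simple bind; LDAP_URI and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: group membership check via the LDAP compare operation.
# Assumption: OpenLDAP's ldapcompare exits with the LDAP result code,
# 6 = compareTrue, 5 = compareFalse, anything else = error (UNDEFINED).
# LDAP_URI, group_has_member and authorize are hypothetical names.

LDAP_URI="${LDAP_URI:-ldap://localhost}"

# group_has_member GROUP_DN MEMBER_DN
# Prints TRUE, FALSE or UNDEFINED; returns 0 only on TRUE.
group_has_member() {
    group_dn=$1
    member_dn=$2
    # Refuse empty input so a blank variable is never sent as an assertion.
    if [ -z "$group_dn" ] || [ -z "$member_dn" ]; then
        echo UNDEFINED
        return 2
    fi
    # -x: simple bind (anonymous here); -z: quiet, rely on the exit status.
    # "|| rc=$?" keeps the function usable under "set -e".
    rc=0
    ldapcompare -x -z -H "$LDAP_URI" "$group_dn" "member:$member_dn" \
        >/dev/null 2>&1 || rc=$?
    case $rc in
        6) echo TRUE;  return 0 ;;
        5) echo FALSE; return 1 ;;
        *) echo UNDEFINED; return 2 ;;  # missing entry, no access, server down
    esac
}

# authorize GROUP_DN MEMBER_DN
# Fail closed: only an explicit TRUE grants access; FALSE and UNDEFINED deny.
authorize() {
    if group_has_member "$1" "$2" >/dev/null; then
        echo allow
    else
        echo deny
    fi
}
```

A caller would run, for instance, `authorize "cn=testgroup,ou=Groups,dc=example,dc=com" "uid=user1,ou=users,dc=example,dc=com"` and act only on `allow`.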