https://bugs.openldap.org/show_bug.cgi?id=9402
--- Comment #2 from Vincent Danjean <[email protected]> ---
Hi,

It is very difficult to find documentation about dnSubtreeMatch. Based on what I read and tried, it seems to allow one to match an entire subtree (i.e. all entries below a specific DN). I do not see how it relates to LDAP_MATCHING_RULE_IN_CHAIN, but I would be very pleased to be wrong.

My LDAP database has nested groups. Here is a very small example:

ldapsearch [options] '(|(uid=mylogin)(cn=g-mygroup)(cn=mymachine))' cn uid member memberof
[...]
# mylogin, people, Home, example.org
dn: uid=mylogin,ou=people,ou=Home,dc=example,dc=org
cn: My Login
uid: mylogin
memberOf: cn=mylogin,ou=groups,ou=Home,dc=example,dc=org
memberOf: cn=g-mygroup,ou=groups,ou=UsersGroups,ou=ControlAccess,dc=example,dc=org
[...]
# g-mygroup, groups, UsersGroups, ControlAccess, example.org
dn: cn=g-mygroup,ou=groups,ou=UsersGroups,ou=ControlAccess,dc=example,dc=org
cn: g-mygroup
member: uid=mylogin,ou=people,ou=Home,dc=example,dc=org
memberOf: cn=mymachine,ou=groups,ou=Machines,ou=ControlAccess,dc=example,dc=org
[...]
# mymachine, groups, Machines, ControlAccess, example.org
dn: cn=mymachine,ou=groups,ou=Machines,ou=ControlAccess,dc=example,dc=org
cn: mymachine
member: cn=g-mygroup,ou=groups,ou=UsersGroups,ou=ControlAccess,dc=example,dc=org
[...]

So mylogin is in group g-mygroup, which itself is in group mymachine. Selecting users that (transitively) are in mymachine could be done with LDAP_MATCHING_RULE_IN_CHAIN with:

ldapsearch [options] '(&(uid=mylogin)(memberOf:1.2.840.113556.1.4.1941:=cn=mymachine,ou=groups,ou=Machines,ou=ControlAccess,dc=example,dc=org))'

And it will work *whatever the number of nested groups there is* (there is probably a limit on the server). Is it possible to do the same with dnSubtreeMatch?

I've read lots of questions about managing nested groups with LDAP.
On the internet, I only saw people talking about LDAP_MATCHING_RULE_IN_CHAIN when using MS software, or people implementing the recursive search in software (LDAP client side) when using OpenLDAP. If a solution based on dnSubtreeMatch exists, I would be very pleased (and also lots of other people).

Regards,
  Vincent
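The comment above contrasts the server-side LDAP_MATCHING_RULE_IN_CHAIN search with the client-side recursive walk that OpenLDAP users end up writing. The following is an added example, not code from the OpenLDAP project or from the comment's author, of what that client-side walk looks like done carefully: it follows member / memberOf edges over an in-memory copy of the entries shown in the comment (plus two constructed groups, loop-a and loop-b, that reference each other to exercise the cycle guard), caps the walk depth the way a server would, and builds the in-chain filter string with RFC 4515 escaping so that a DN supplied by a user cannot alter the filter. The DIRECTORY dict, the loop-* DNs and the function names are assumptions made for the example; no LDAP server is contacted.

```python
from collections import deque

# OID quoted in the comment for LDAP_MATCHING_RULE_IN_CHAIN
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# DNs taken from the ldapsearch output in the comment
USER = "uid=mylogin,ou=people,ou=Home,dc=example,dc=org"
PERSONAL = "cn=mylogin,ou=groups,ou=Home,dc=example,dc=org"
GROUP = "cn=g-mygroup,ou=groups,ou=UsersGroups,ou=ControlAccess,dc=example,dc=org"
MACHINE = "cn=mymachine,ou=groups,ou=Machines,ou=ControlAccess,dc=example,dc=org"
# Constructed for this example only: two groups that nest each other (a cycle)
LOOP_A = "cn=loop-a,ou=groups,ou=Home,dc=example,dc=org"
LOOP_B = "cn=loop-b,ou=groups,ou=Home,dc=example,dc=org"

# Constructed in-memory stand-in for the directory: entry DN -> attributes.
# Mirrors the member/memberOf values shown in the comment (memberOf is the
# overlay-maintained reverse of member, so both directions are walkable).
DIRECTORY = {
    USER: {"memberOf": [PERSONAL, GROUP]},
    PERSONAL: {"member": [USER]},
    GROUP: {"member": [USER], "memberOf": [MACHINE]},
    MACHINE: {"member": [GROUP]},
    LOOP_A: {"member": [LOOP_B], "memberOf": [LOOP_B]},
    LOOP_B: {"member": [LOOP_A], "memberOf": [LOOP_A]},
}


def _walk(start, attr, directory, max_depth):
    """Breadth-first walk from start along attr (member or memberOf).

    'seen' doubles as the cycle guard: a DN is enqueued at most once, so
    loop-a <-> loop-b terminates. max_depth bounds the nesting level the
    same way a server caps recursive matching.
    """
    seen = set()
    queue = deque([(start, 0)])
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for nxt in directory.get(dn, {}).get(attr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen


def transitive_groups(dn, directory=DIRECTORY, max_depth=32):
    """All groups dn belongs to, directly or through nesting (follows memberOf)."""
    return _walk(dn, "memberOf", directory, max_depth)


def transitive_members(group_dn, directory=DIRECTORY, max_depth=32):
    """All entries that are members of group_dn, directly or nested (follows member)."""
    return _walk(group_dn, "member", directory, max_depth)


def is_transitive_member(user_dn, group_dn, directory=DIRECTORY, max_depth=32):
    """Client-side equivalent of the in-chain filter in the comment."""
    return group_dn in transitive_groups(user_dn, directory, max_depth)


def escape_filter_value(value):
    """RFC 4515 section 3 escaping for an assertion value inside a filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def in_chain_filter(attr, group_dn):
    """Build the extensible-match filter from the comment, with the DN escaped."""
    return "(%s:%s:=%s)" % (attr, IN_CHAIN_OID, escape_filter_value(group_dn))


if __name__ == "__main__":
    print("groups of mylogin:", sorted(transitive_groups(USER)))
    print("members of mymachine:", sorted(transitive_members(MACHINE)))
    print("mylogin in mymachine:", is_transitive_member(USER, MACHINE))
    print("cycle walk terminates:", sorted(transitive_groups(LOOP_A)))
    print(in_chain_filter("memberOf", MACHINE))
```

Two things worth noting in use: with max_depth=1 the walk returns exactly the direct memberOf values, which is the result a plain equality filter would give, so the depth parameter makes the "how deep does nesting go" question explicit instead of implicit; and the escaping in in_chain_filter matters whenever the group DN comes from outside, since an unescaped ")" or "*" in the value changes the meaning of the filter sent to the server.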
