Hi, so I'm not really sure if this is a bug or a limitation, or a misconfiguration on my part. But if someone from Symas could clarify it, I'd appreciate it :D
if your app allows filter modification you can work around it by making an unnested filter like so:

ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=group1,ou=groups,dc=example,dc=com)(memberOf=cn=group2,ou=groups,dc=example,dc=com)))' uid

Thx

On Sun, Apr 10, 2022, 19:23 <[email protected]> wrote:
> Hi,
>
> On openldap 2.5.11
>
> I have some weird behavior with group in group searches using memberOf.
>
> #Working
> # ldapsearch -LLL -H ldap:// -x -b 'dc=example,dc=com' '(uid=user5)' memberOf
> dn: uid=user5,ou=People,dc=example,dc=com
> memberOf: cn=groupingroup,ou=groups,dc=example,dc=com
>
> #Working
> # ldapsearch -LLL -H ldap:// -x -b 'dc=example,dc=com' '(uid=user1)' memberOf
> dn: uid=user1,ou=People,dc=example,dc=com
> memberOf: cn=group1,ou=groups,dc=example,dc=com
> memberOf: cn=groupingroup,ou=groups,dc=example,dc=com
>
> Now the weird behavior part: when querying if user1 is indeed a memberOf groupingroup,
> I sometimes get 0 results; I need to query multiple times before I indeed get the correct answer.
>
> # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
> # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
> # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
> # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user1)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
> dn: uid=user1,ou=People,dc=example,dc=com
> uid: user1
>
> user5 completely fell off the map.
> # ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com' '(&(uid=user5)(|(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)))' uid
>
> When querying memberOf groupingroup, it looks like it's randomly returning just one group.
>
> #only returning group2
> # ldapsearch -H ldap:// -LLL -x -b 'dc=example,dc=com' "(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)" uid
> dn: uid=user3,ou=People,dc=example,dc=com
> uid: user3
> dn: uid=user4,ou=People,dc=example,dc=com
> uid: user4
> dn: cn=group1,ou=Groups,dc=example,dc=com
> dn: cn=group2,ou=Groups,dc=example,dc=com
>
> #only returning group1
> # ldapsearch -H ldap:// -LLL -x -b 'dc=example,dc=com' "(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com)" uid
> dn: uid=user1,ou=People,dc=example,dc=com
> uid: user1
> dn: uid=user2,ou=People,dc=example,dc=com
> uid: user2
> dn: cn=group1,ou=Groups,dc=example,dc=com
> dn: cn=group2,ou=Groups,dc=example,dc=com
>
> --conf
> # stand-alone slapd config
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/rfc2307bis.schema
> include /etc/openldap/schema/dyngroup.schema
> # allow big PDUs from anonymous (for testing purposes)
> sockbuf_max_incoming 4194303
>
> moduleload back_ldap
> moduleload dynlist
>
> #######################################################################
> # database definitions
> #######################################################################
> database config
>
> database mdb
> suffix "dc=example,dc=com"
> rootdn "cn=Manager,dc=example,dc=com"
> rootpw secret
> directory /var/lib/ldap
> lastbind off
> overlay dynlist
> dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames*
> database monitor
> --conf
>
> --data
> dn: dc=example,dc=com
> structuralObjectClass: domain
> dc: example
> objectClass: top
> objectClass: domain
>
> dn: ou=People,dc=example,dc=com
> structuralObjectClass: organizationalUnit
> ou: People
> objectClass: top
> objectClass: organizationalUnit
>
> dn: ou=Groups,dc=example,dc=com
> ou: Groups
> structuralObjectClass: organizationalUnit
> objectClass: organizationalUnit
> objectClass: top
>
> dn: uid=user1,ou=People,dc=example,dc=com
> displayName: User 1
> cn: User 1
> loginShell: /bin/bash
> uidNumber: 2001
> gidNumber: 3000
> homeDirectory: /home/user1
> mail: [email protected]
> uid: user1
> sn: user1
> structuralObjectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
>
> dn: uid=user2,ou=People,dc=example,dc=com
> displayName: User 2
> cn: User 2
> loginShell: /bin/bash
> uidNumber: 2002
> gidNumber: 3000
> homeDirectory: /home/user2
> mail: [email protected]
> uid: user2
> sn: user2
> structuralObjectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
>
> dn: uid=user3,ou=People,dc=example,dc=com
> displayName: User 3
> cn: User 3
> loginShell: /bin/bash
> uidNumber: 2003
> gidNumber: 3000
> homeDirectory: /home/user3
> mail: [email protected]
> uid: user3
> sn: user3
> structuralObjectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
>
> dn: uid=user4,ou=People,dc=example,dc=com
> displayName: User 4
> cn: User 4
> loginShell: /bin/bash
> uidNumber: 2004
> gidNumber: 3000
> homeDirectory: /home/user4
> mail: [email protected]
> uid: user4
> sn: user4
> structuralObjectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
>
> dn: uid=user5,ou=People,dc=example,dc=com
> displayName: User 5
> cn: User 5
> loginShell: /bin/bash
> uidNumber: 2005
> gidNumber: 3000
> homeDirectory: /home/user5
> mail: [email protected]
> uid: user5
> sn: user5
> structuralObjectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
>
> dn: cn=group1,ou=Groups,dc=example,dc=com
> cn: group1
> gidNumber: 3001
> objectClass: groupOfUniqueNames
> objectClass: top
> objectClass: posixGroup
> ou: group1
> structuralObjectClass: groupOfUniqueNames
> uniqueMember: uid=user1,ou=People,dc=example,dc=com
> uniqueMember: uid=user2,ou=People,dc=example,dc=com
>
> dn: cn=group2,ou=Groups,dc=example,dc=com
> cn: group2
> gidNumber: 3002
> objectClass: groupOfUniqueNames
> objectClass: top
> objectClass: posixGroup
> ou: group2
> structuralObjectClass: groupOfUniqueNames
> uniqueMember: uid=user3,ou=People,dc=example,dc=com
> uniqueMember: uid=user4,ou=People,dc=example,dc=com
>
> dn: cn=groupingroup,ou=Groups,dc=example,dc=com
> cn: groupingroup
> gidNumber: 3003
> objectClass: groupOfUniqueNames
> objectClass: top
> objectClass: posixGroup
> ou: groupingroup
> structuralObjectClass: groupOfUniqueNames
> uniqueMember: uid=user5,ou=People,dc=example,dc=com
> uniqueMember: cn=group1,ou=Groups,dc=example,dc=com
> uniqueMember: cn=group2,ou=Groups,dc=example,dc=com
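The workaround the reply describes, worked through as an added example (this is not code from the thread or from OpenLDAP). It embeds the three group entries from the quoted post as a constructed in-memory directory, walks uniqueMember itself to resolve nested membership instead of relying on a single dynlist memberOf search, and builds the flattened OR-of-memberOf filter the reply suggests. The parser and the function names (parse_ldif, expand_group, is_member, flat_member_filter) are this example's own; a real deployment would read the entries over LDAP rather than from a string. The generated filter also includes the outer group itself, so direct members such as user5 match.

```python
"""Client-side expansion of nested LDAP group membership.

Added example, not from the thread or from OpenLDAP: resolves group-in-group
membership by walking uniqueMember values, so an access decision does not
depend on the server's memberOf evaluation for nested groups.
"""
from collections import defaultdict

# Constructed sample: the group entries from the quoted post, trimmed to
# the attributes this example needs.
SAMPLE_LDIF = """\
dn: cn=group1,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=user2,ou=People,dc=example,dc=com

dn: cn=group2,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=user3,ou=People,dc=example,dc=com
uniqueMember: uid=user4,ou=People,dc=example,dc=com

dn: cn=groupingroup,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=user5,ou=People,dc=example,dc=com
uniqueMember: cn=group1,ou=Groups,dc=example,dc=com
uniqueMember: cn=group2,ou=Groups,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no continuation lines) into
    {dn: {attr: [values]}}. DNs, attribute names and values are lower-cased
    so that comparisons behave like LDAP's case-insensitive DN matching."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip().lower()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def expand_group(entries, group_dn, _seen=None):
    """Return (users, groups) reachable from group_dn: the member DNs that
    are not themselves groups, and every group DN visited on the way
    (group_dn included). _seen guards against membership cycles."""
    group_dn = group_dn.lower()
    _seen = _seen if _seen is not None else set()
    if group_dn in _seen:
        return set(), set()
    _seen.add(group_dn)
    users, groups = set(), {group_dn}
    for member in entries.get(group_dn, {}).get("uniquemember", []):
        if member in entries and "uniquemember" in entries[member]:
            sub_users, sub_groups = expand_group(entries, member, _seen)
            users |= sub_users
            groups |= sub_groups
        else:
            users.add(member)
    return users, groups


def is_member(entries, user_dn, group_dn):
    """Membership check independent of the server's nested memberOf:
    true iff user_dn is transitively contained in group_dn."""
    users, _ = expand_group(entries, group_dn)
    return user_dn.lower() in users


def flat_member_filter(entries, uid, group_dn):
    """Build the unnested filter from the reply: an OR of memberOf over the
    outer group and every group it transitively contains, so the server only
    has to evaluate direct membership."""
    _, groups = expand_group(entries, group_dn)
    ors = "".join("(memberOf=%s)" % g for g in sorted(groups))
    return "(&(uid=%s)(|%s))" % (uid, ors)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    outer = "cn=groupingroup,ou=Groups,dc=example,dc=com"
    print(sorted(expand_group(directory, outer)[0]))
    print(flat_member_filter(directory, "user1", outer))
```

Resolving membership this way turns an intermittent "0 results" from the nested lookup into a deterministic answer computed from the group entries themselves; the flattened filter gives the same guarantee when the search has to stay server-side.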
