#49 After update to 0.60.0-1.el7_9.x86_64 from slapi-nis-0.56.5-3.el7_9.x86_64, queries for nested groups don't work anymore
Opened 2 years ago by mcbrown90. Modified 2 years ago

After the update from slapi-nis-0.56.5 to 0.60.0 the result of an LDAP query with nested groups is different:

On version 0.56:

[root@server ~]# ldapsearch -x -b "dc=tst,dc=dcn,dc=REDACTED,dc=net"  -H ldaps://REDACTED -D "uid=ro_bind_user,cn=sysaccounts,cn=etc,dc=tst,dc=dcn,dc=REDACTED,dc=net" "(&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=tst,dc=dcn,dc=REDACTED,dc=net> with scope subtree
# filter: (&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))
# requesting: ALL
#

# pdu-admin, groups, compat, tst.dcn.REDACTED.net
dn: cn=pdu-admin,cn=groups,cn=compat,dc=tst,dc=dcn,dc=REDACTED,dc=net
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 376400045
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
memberUid: REDACTED
ipaAnchorUUID:: REDACTED
cn: pdu-admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

After the update on 0.60:

ldapsearch -x -b "dc=dcn,dc=REDACTED,dc=net"  -H REDACTED -D "uid=ro_bind_user,cn=sysaccounts,cn=etc,dc=dcn,dc=REDACTED,dc=net" "(&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=dcn,dc=REDACTED,dc=net> with scope subtree
# filter: (&(cn=pdu-admin)(objectClass=posixGroup)(memberUid=REDACTED))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

If you'd use a more specific base DN, does it work? E.g. one of the base DNs that is under control of the compat tree: cn=compat,dc=dcn,dc=REDACTED,dc=net?
One of the changes is to avoid doing too-wide searches, because memberUid is not a part of the primary IPA tree and this filter will fail to return any entries from there anyway.
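As an added example (not code from this ticket or from slapi-nis): a small Python helper that parses ldapsearch LDIF output and reports which posixGroup entries sit under a given base DN, so you can confirm that a narrower base such as the compat container still covers the group before re-scoping clients. The sample output is constructed from the 0.56 transcript with made-up memberUid values.

```python
import base64
# Constructed sample, abbreviated from the 0.56 output on this ticket;
# memberUid names are made up, ipaAnchorUUID is base64("REDACTED").
OLD_OUTPUT = """\
dn: cn=pdu-admin,cn=groups,cn=compat,dc=tst,dc=dcn,dc=REDACTED,dc=net
objectClass: posixGroup
gidNumber: 376400045
memberUid: alice
memberUid: bob
ipaAnchorUUID:: UkVEQUNURUQ=
cn: pdu-admin

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry that has a dn.
    Handles '#' comment lines, folded continuation lines and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr, []).append(value.strip())
    return entries

def dn_under(dn, base):
    """True if dn equals base or lies below it (no escaped commas here)."""
    d = [c.strip().lower() for c in dn.split(",")]
    b = [c.strip().lower() for c in base.split(",")]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def group_members(ldif_text, base):
    """(dn, memberUid list) for each posixGroup in the output located under base."""
    return [(e["dn"][0], e.get("memberUid", []))
            for e in parse_ldif(ldif_text)
            if "posixGroup" in e.get("objectClass", []) and dn_under(e["dn"][0], base)]
```

Feed it the saved output of the wide search and the base DN you intend to use; an empty result means the group would fall outside that base.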
