Ryan Steele wrote:
Hey Andreas,

Andreas Hasenack wrote:
On Wed, Sep 16, 2009 at 17:42, Ryan Steele <ryans@aweber.com> wrote:
query returns nothing:

ldapsearch -x -w SECRET -D "cn=admin,dc=example,dc=com" -b "cn=testgroup,ou=Groups,dc=example,dc=com" -LLL '(uid=user1)'

This filter doesn't look right. Try "(member=uid=user1,ou=Users,dc=example,dc=com)"

ldapsearch -x -w SECRET -D "cn=admin,dc=example,dc=com" -b "cn=testgroup,ou=Groups,dc=example,dc=com" -LLL
dn: cn=testgroup,ou=Groups,dc=example,dc=com
ou: Groups
cn: testgroup
objectClass: groupOfURLs
memberURL: ldap:///ou=Users,dc=example,dc=com?uid?sub?(&(employeeType=Developer)(objectClass=exampleEmployee))
member: uid=user1,ou=Users,dc=example,dc=com
member: uid=user2,ou=Users,dc=example,dc=com
member: uid=user3,ou=Users,dc=example,dc=com

Thanks for the advice - I think you're right about filtering on the 'member' attribute. However, doing so still returns the entire list, not the individual member I'm filtering for.

That is the way LDAP search filters work, as Quanah explained in his followup. And yes, this comment deserves an RTFM response.
Note that there is a ValuesReturnFilter control (RFC3876) which can be used to only return specific values in a result.

I'm not quite sure how to explain this behavior, given the implications made in the following two posts which indicate that I should be able to use dynamically generated attributes as filter expressions:

The posts you reference make no such implication.
http://www.openldap.org/lists/openldap-software/200802/msg00211.html
States quite clearly "the dynamic members are not present in the entry during search, when the filter is evaluated. You can only filter for static data."
Or again, for clarity: You cannot use dynamically generated attributes as filter expressions.
The suggestion to use the autogroup overlay is precisely because autogroup does not use dynamically generated attributes, and therefore doesn't run into this constraint.
http://www.openldap.org/lists/openldap-software/200812/msg00038.html
Also, in the earlier ITS filed for the autogroup contrib overlay, it states that for searches and compares, it should behave like a static group, bolstering that supposition:
http://www.openldap.org/lists/openldap-bugs/200709/msg00128.html
How does "behaves like a static group" in any way support the notion that *dynamic* content is supported?
So, should I be searching for a bug (which was the premise for the OP), or has the behavior of autogroup changed since its inception? As always, many thanks for any and all advice!
You should be re-checking the enormous logical leaps you have made based on the material you have read. Another reason questions go un-answered is because the person asking them has already demonstrated such poor reading comprehension that the time spent writing an answer would be wasted; the answer will obviously be misunderstood.
"static" and "dynamic" are clearly antonyms in this context but you have conflated the two together and are asking why you aren't seeing the behavior you expect. Since we can only communicate in English on this list, if you don't even understand this basic semantic in English then you're beyond our ability to help.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
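
The behaviour discussed in this message, as a simplified Python model added here for illustration (it is not code from the thread or from OpenLDAP): a search filter is evaluated against stored values and selects whole entries, dynamic members are not visible to it, and only a ValuesReturnFilter-style trim narrows the returned values. The entry contents, `DYNAMIC_MEMBERS`, `uid=user9` and all function names are constructed assumptions.

```python
# Simplified model, not slapd code: the search filter is evaluated against
# stored (static) values only; dynamic values are added afterwards.
BASE = "ou=Users,dc=example,dc=com"
USER1, USER2, USER9 = (f"uid=user{n},{BASE}" for n in (1, 2, 9))

# Constructed stored entry: two static members plus a memberURL.
STORED = {
    "dn": ["cn=testgroup,ou=Groups,dc=example,dc=com"],
    "objectClass": ["groupOfURLs"],
    "memberURL": [f"ldap:///{BASE}?uid?sub?(employeeType=Developer)"],
    "member": [USER1, USER2],
}
# Constructed stand-in for the values that expanding memberURL would produce.
DYNAMIC_MEMBERS = [USER9]


def filter_matches(entry, attr, value):
    """Equality filter: TRUE if ANY stored value of attr equals value."""
    return value in entry.get(attr, [])


def expand_dynamic(entry):
    """Build the returned entry: stored values plus dynamic members."""
    out = {attr: list(vals) for attr, vals in entry.items()}
    out["member"] = out["member"] + DYNAMIC_MEMBERS
    return out


def search(attr, value, values_return=None):
    """Return matching entries; values_return=(attr, value) trims one attribute.

    The filter selects whole entries. The optional trim models the effect of a
    ValuesReturnFilter (RFC 3876) equality item; applying it after expansion
    is an assumption of this model.
    """
    if not filter_matches(STORED, attr, value):
        return []
    entry = expand_dynamic(STORED)
    if values_return is not None:
        v_attr, v_value = values_return
        entry[v_attr] = [v for v in entry.get(v_attr, []) if v == v_value]
    return [entry]


if __name__ == "__main__":
    print(search("member", USER9))               # dynamic value: no match
    print(search("member", USER1)[0]["member"])  # every member value
    print(search("member", USER1, ("member", USER1))[0]["member"])
```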