Alessandro Lasmar Mourao wrote: > I have the following structure in my OpenLDAP: > > ou = groups > |_cn = system1 > | | _cn = Group1 > | | _cn = Group2 > |_cn = system2 > | _cn = Group1 > | _cn = Group2 > > I need to perform a search and return only users who are registered on system1, regardless of the registered group. > When I use the search with the filter: memberOf=cn=*,cn=system1,ou=groups nothing is returned. > How do I perform this search in OpenLDAP? Attribute 'memberOf' is of LDAP syntax DistinguishedName. Therefore the SUBSTR matching rule for DirectoryString syntax does not apply. You could use this filter: (memberOf:dnSubordinateMatch:=cn=system1,ou=groups) Not exactly the same since it does not assert the group entry RDN being 'cn' but it matches your textual description. > In search Oracle SJDS works! Is Oracle SJDS yet another LDAP server product name for the former Sun product or Oracle's OID? If the search with memberOf=cn=*,cn=system1,ou=groups works there they do not implement proper DN syntax checking and matching rules and simply apply e.g. the DirectoryString SUBSTR matching rule or whatever. That's convenient for lazy programmers but is not compliant to RFC 4517. A typical behaviour of Sun's DSSE up to 6.x. Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature