[389-devel] Re: Groups are not accessible by filter

Anuj Borah Thu, 25 Apr 2019 01:59:49 -0700

@Ludwig <lkris...@redhat.com>

Attached the logs .


I have noticed , it happening due to _get_objectclass_filter() method in
filter of DSLdapObjects .

Accounts(topo.standalone, DEFAULT_SUFFIX)._objectclasses
['nsAccount', 'nsPerson', 'simpleSecurityObject', 'organization', 'person',
'account', 'organizationalUnit', 'netscapeServer', 'domain',
'posixAccount', 'shadowAccount', 'posixGroup', 'mailRecipient']


but the cn=Accounting Managers,ou=Groups,dc=example,dc=com has objectClass:
groupOfUniqueNames .

This may be the problem . You can  not find any error in access logs as
naturally it does not have any error , its just empty results .

Regards
Anuj Borah


On Thu, Apr 25, 2019 at 12:39 PM Ludwig <lkris...@redhat.com> wrote:

> can you provide the access logs to show what searches were really done
>
> On 04/24/2019 12:23 PM, Anuj Borah wrote:
>
> Hi all,
>
> Please consider bellow condition .
>
> UserAccount(topo.standalone, 'cn=Accounting 
> Managers,ou=groups,dc=example,dc=com').add('uniquemember', [
>     'uid=scarter, ou=People, dc=example,dc=com', 'uid=tmorris, ou=People, 
> dc=example,dc=com', 'uid=kvaughan, ou=People, dc=example,dc=com',    
> 'uid=rdaugherty, ou=People, dc=example,dc=com', 'uid=hmiller, ou=People, 
> dc=example,dc=com'])
>
> UserAccount(topo.standalone, 'cn=HR 
> Managers,ou=groups,dc=example,dc=com').add('uniquemember', [
>     'uid=kvaughan, ou=People, dc=example,dc=com', 'uid=cschmith, ou=People, 
> dc=example,dc=com'])
>
>
> And try to add filter:
>
> With Filter: It fails gives 0 result for those involves Group
> 'cn=Accounting Managers,ou=groups,dc=example,dc=com' .
>
> for i in ['(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)',          
>  '(uniquemember=uid=rdaugherty, ou=People, dc=example,dc=com)',          
> '(uniquemember=uid=hmiller, ou=People, dc=example,dc=com)',           
> '(&(objectclass=inetorgperson)(uid=scarter))',          
> '(&(objectclass=organizationalperson)(uid=scarter))',           
> '(objectclass=inetorgperson)',           
> '(&(objectclass=organizationalPerson)(sn=Jensen))',          
> '(&(mail=*)(objectclass=organizationalPerson))',           '(mail=*)',        
>    '(&(sn=Rentz)(objectclass=organizationalPerson))',          
> '(&(sn=Ward)(sn=Ward))',           '(sn=Jensen)',           '(sn=*)',         
>   '(sn=*utz)']:
>     assert Accounts(topo.standalone, DEFAULT_SUFFIX).filter(i)
>
>
> with search_s(Old Way): I gives correct results .
>
> for i in ['(uniquemember=uid=kvaughan,ou=People,dc=example,dc=com)',          
> '(uniquemember=uid=rdaugherty, ou=People, dc=example,dc=com)',          
> '(uniquemember=uid=hmiller, ou=People, dc=example,dc=com)',          
> '(&(objectclass=inetorgperson)(uid=scarter))',          
> '(&(objectclass=organizationalperson)(uid=scarter))',          
> '(objectclass=inetorgperson)',          
> '(&(objectclass=organizationalPerson)(sn=Jensen))',          
> '(&(mail=*)(objectclass=organizationalPerson))',          '(mail=*)',         
>  '(&(sn=Rentz)(objectclass=organizationalPerson))',          
> '(&(sn=Ward)(sn=Ward))',          '(sn=Jensen)',          '(sn=*)',          
> '(sn=*utz)']:
>     assert topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, i)
>
>
>
> I have attached the test script too . Test
> test_various_combinations_of_filters_and_idlistscanlimit
>
> Regards
> Anuj Borah
>
>
>
>
>
> _______________________________________________
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>
>
> _______________________________________________
> 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
>

access_with_filter
Description: Binary data

access_with_search_s
Description: Binary data

_______________________________________________
389-devel mailing list -- 389-devel@lists.fedoraproject.org
To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org

[389-devel] Re: Groups are not accessible by filter

Reply via email to