Ldapsearch memberof for nested memberships

Hi,

I am not able to filter via group memberships if there are nested group memberships.

User A is a member of Group B. Group B is a member of group C.
From this, it follows that User A is a member of group C

The “groups” command gives the correct output

$ groups user-a
user-a : group-b group-c

However, an ldapsearch does not give the requested membership

$ sudo univention-ldapsearch '(uid=user-a)' memberof
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=com> (default) with scope subtree
# filter: (uid=user-a)
# requesting: memberof 
#

# user-a, users, company.com
dn: uid=user-a,cn=users,dc=company,dc=com
memberOf: cn=group-b,cn=groups,dc=company,dc=com

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

The following also fails

$ sudo univention-ldapsearch '(&(uid=user-a)(memberof=group-c,cn=groups,dc=company,dc=com))'
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=com> (default) with scope subtree
# filter: (&(uid=user-a)(memberof=group-c,cn=groups,dc=company,dc=com))
# requesting: ALL
#

# search result
search: 3
result: 0 Success

# numResponses: 1

I have run

sudo /usr/share/univention-ldap-overlay-memberof/univention-update-memberof

twice to no avail.

Is this a bug or a feature? Are there other ways to filter for nested group memberships?

Hi,

Well, it is something in between bug and feature.

The “memberOf” attribute just tells in which groups the user is. DIRECTLY. “memberOf” will afaik not show the indirect membership in nested groups.

So in your case group-b would have the “memberOf=group-c” (unsure if this is a valid attribute for groups, but by logic).

And user-a will NOT have the attribute set as it is not a direct member of group-c.

Hope this clears it a little bit.

/CV
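To make the reply concrete: the memberOf overlay stores only direct memberships, so a client that needs nested ("effective") membership has to walk the chain itself. The following is an added example, not code from the thread or from Univention; it stands in for the directory with a constructed in-memory dict holding the same three entries (user-a, group-b, group-c) with their direct memberOf values, and resolves nesting by repeated lookups, which is exactly what a sequence of univention-ldapsearch calls would do.

```python
# Added example: resolve nested group membership client-side from the
# direct-only memberOf values that the memberOf overlay maintains.
from collections import deque

# Constructed stand-in for the LDAP directory, keyed by DN. Each entry carries
# only its DIRECT memberOf values, as the overlay populates them:
# user-a -> group-b, group-b -> group-c, group-c in no group.
DIRECTORY = {
    "uid=user-a,cn=users,dc=company,dc=com": {
        "memberOf": ["cn=group-b,cn=groups,dc=company,dc=com"],
    },
    "cn=group-b,cn=groups,dc=company,dc=com": {
        "memberOf": ["cn=group-c,cn=groups,dc=company,dc=com"],
    },
    "cn=group-c,cn=groups,dc=company,dc=com": {
        "memberOf": [],
    },
}


def _norm(dn):
    # DNs compare case-insensitively; lower-casing is sufficient for this example.
    return dn.lower()


def direct_member_of(dn, directory=DIRECTORY):
    """What one ldapsearch of `dn` for memberOf returns: direct groups only."""
    entry = directory.get(_norm(dn), {})
    return [_norm(g) for g in entry.get("memberOf", [])]


def effective_member_of(dn, directory=DIRECTORY):
    """Breadth-first walk over memberOf, one lookup per group reached.

    Returns every group `dn` belongs to directly or through nesting. The
    `seen` set guarantees termination even if groups are nested in a cycle.
    """
    seen = set()
    queue = deque(direct_member_of(dn, directory))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct_member_of(group, directory))
    return sorted(seen)


def is_member(dn, group_dn, directory=DIRECTORY):
    """The check the original filter tried to express, nested groups included."""
    return _norm(group_dn) in effective_member_of(dn, directory)
```

Against a live server each `direct_member_of` call would be one search for the memberOf attribute of that DN; the walk and the cycle guard stay the same.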
