
isMemberOf values not returned with an anonymous ldapsearch in OpenDJ 3.0

Last updated Jan 5, 2021

The purpose of this article is to provide assistance when isMemberOf values are not returned when querying members of a group using an anonymous ldapsearch in OpenDJ. This also happens if you bind using a non-Root DN.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

Using an ldapsearch in the following situations does not return any results:

  • No bind details (anonymous): $ ./ldapsearch --port 4444 --baseDN dc=example,dc=com "(&(objectClass=person)(uid=jdoe)(isMemberOf=cn=internal,ou=employees,dc=example,dc=com))"
  • Bind details for a non-Root DN: $ ./ldapsearch --port 4444 --bindDN "cn=admin,ou=services,dc=example,dc=com" --bindPassword password --baseDN dc=example,dc=com "(&(objectClass=person)(uid=jdoe)(isMemberOf=cn=internal,ou=employees,dc=example,dc=com))"

Whereas binding as the Root DN will return results:

$ ./ldapsearch --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "(&(objectClass=person)(uid=jdoe)(isMemberOf=cn=internal,ou=employees,dc=example,dc=com))"

Recent Changes

Upgraded to, or installed, OpenDJ 3.0.

Causes

The isMemberOf attribute was removed from the global ACI in an earlier version and became an operational attribute that is computed at search time. This means it is not among the attributes granted by the "User-Visible Operational Attributes" global ACI, so anonymous and non-Root DN binds cannot read or search on it; however, it is always visible to the Root DN, which is why searches using the Root DN return results.

Solution

You can reinstate the isMemberOf attribute in the global ACI by upgrading to OpenDJ 3.5 or later; you can download this from BackStage.

Alternatively, you can add the isMemberOf attribute to the User-Visible Operational Attributes global ACI:

  • Default: ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry||etag||governingStructureRule||structuralObjectClass||hasSubordinates||numSubordinates")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
  • After modification: ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry||etag||governingStructureRule||structuralObjectClass||hasSubordinates||numSubordinates||isMemberOf")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)

You can modify this using interactive mode or the following dsconfig command: 

$ ./dsconfig set-access-control-handler-prop --remove 'global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry||etag||governingStructureRule||structuralObjectClass||hasSubordinates||numSubordinates")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)' --add 'global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry||etag||governingStructureRule||structuralObjectClass||hasSubordinates||numSubordinates||isMemberOf")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)' --hostname localhost --port 4444 --trustAll --bindDN "cn=Directory Manager" --bindPassword password --no-prompt
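As an added check before running the command above (example code written for this article, not part of OpenDJ or ForgeRock's tooling), the following Python snippet parses a global ACI value, reports whether isMemberOf is already in its targetattr list, and builds the modified value together with the dsconfig argument list. DEFAULT_ACI is the default value quoted above; the host and port are the same assumptions as the article's command, and the --remove value must be the ACI exactly as currently configured, so paste the value printed by dsconfig get-access-control-handler-prop rather than retyping it.

```python
import re

# Constructed sample: the default "User-Visible Operational Attributes" global ACI
# as quoted in the article for OpenDJ 3.0. In practice, paste the value printed by
# "dsconfig get-access-control-handler-prop" so that --remove matches exactly.
DEFAULT_ACI = (
    '(targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||'
    'entryDN||entryUUID||subschemaSubentry||etag||governingStructureRule||'
    'structuralObjectClass||hasSubordinates||numSubordinates")'
    '(version 3.0; acl "User-Visible Operational Attributes"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)'
)

# Matches the targetattr clause: (targetattr="a||b||c") or (targetattr!="a||b")
_TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')


def target_attrs(aci):
    """Return (operator, [attribute names]) from the ACI's targetattr clause."""
    m = _TARGETATTR.search(aci)
    if m is None:
        raise ValueError("ACI has no targetattr clause")
    op, raw = m.group(1), m.group(2)
    return op, [a.strip() for a in raw.split("||") if a.strip()]


def exposes_attr(aci, attr):
    """True if the ACI grants access to attr (attribute names are case-insensitive in LDAP)."""
    op, attrs = target_attrs(aci)
    if op != "=":
        raise ValueError("negated targetattr (!=) is not handled by this example")
    return attr.lower() in {a.lower() for a in attrs}


def add_target_attr(aci, attr):
    """Return aci with attr appended to the targetattr list; unchanged if already present."""
    if exposes_attr(aci, attr):
        return aci  # idempotent: safe to run on 3.5+ where isMemberOf is already listed
    return _TARGETATTR.sub(
        lambda m: f'(targetattr{m.group(1)}"{m.group(2)}||{attr}")', aci, count=1)


def dsconfig_args(old_aci, new_aci, host="localhost", port=4444):
    """Argument list for dsconfig set-access-control-handler-prop (bind options omitted)."""
    return ["dsconfig", "set-access-control-handler-prop",
            "--remove", f"global-aci: {old_aci}", "--add", f"global-aci: {new_aci}",
            "--hostname", host, "--port", str(port), "--no-prompt"]
```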

See Also

How do I know what the default Global ACIs are used for in OpenDJ 3.x?

How do I only allow selected users to search, update and delete LDAP entries in DS 5.x and 6.x?

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-2965 (isMemberOf searches are inefficient)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.