Hi Ryan and all,
I am new to Linux and LDAP, but have an embedded software background and have been learning lots in the last 2 weeks.
I am trying to get MediaWiki LDAP extention 1.2d to authenticate against a dynamic openLDAP group. We want a dynamic group because it seems to make sense to control all our apps through a couple of flags in the user profile; the dynamic groups are populated based on the flags.
I have looked at the source and the logs. Things are working fine through the proxy user bind, the user search in the static user tree, and the user password bind. However, because the LDAP search does not return results for a filter like "member=uid=john,ou=users,dc=example,dc=com", the searchGroups routine does not find that the user belongs to any groups.
I have confirmed this behaviour of my openLDAP v2.4.23, using command line LDAPsearch. The members show up if i don't filter, but don't if I try to filter.
I have another LDAP client application that also tries to search groups the same way you do. I changed it and got it to work by fetching all the members from the required group, and then matching the current login against the user list.
My question is, is my problem caused by my use of dynamic groups instead of static groups? (dynlist overlay with full dn in member attributes)? Or is the LDAP supposed to find members with the member= filter, and for some reason my setup isn't? Should the code work with dynamic groups?
Thanks, Gregory Fung