Can anyone provide insight on why the below might be happening, my best guess is a corrupt uniquemember index??
I initially tried it as a user which also fails but switched to Directory Manager to rule out an access control issue.
We have identical prod, dev, and test environments and I only see this behavior in our production environment.
mmacbook:~ morgan$ ldapsearch -LLL -H ldaps://prdds22.domain.org -x -y pass -D cn=directory\ manager -b 'cn=admin,ou=fwmgmt,ou=groups,dc=domain,dc=org' '(&(objectClass=groupofuniquenames)(uniqueMember=*))'
mmacbook:~ morgan$ ldapsearch -LLL -H ldaps://prdds22.domain.org -x -y pass -D cn=directory\ manager -b 'cn=admin,ou=fwmgmt,ou=groups,dc=domain,dc=org' '(uniqueMember= groupofuniquenames)'
mmacbook:~ morgan$ ldapsearch -LLL -H ldaps://prdds22.domain.org -x -y pass -D cn=directory\ manager -b 'cn=admin,ou=fwmgmt,ou=groups,dc=domain,dc=org' '(objectclass=*)'
dn: cn=admin,ou=fwmgmt,ou=groups,dc=domain,dc=org
objectClass: top
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=u1,ou=employees,dc=domain,dc=org
uniqueMember: uid=u2,ou=employees,dc=domain,dc=org
uniqueMember: uid=u3,ou=employees,dc=domain,dc=org
description: FW Mgmt group

mmacbook:~ morgan$
mmacbook:~ morgan$ ldapsearch -x -y ~/Docs/.pass4 -D cn=directory\ manager -LLLb cn=config '(&(objectclass=nsindex)(cn=uniquemember))'
dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,c
 n=config
objectClass: top
objectClass: nsIndex
cn: uniquemember
nsSystemIndex: false
nsIndexType: eq

dn: cn=uniquemember,cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=co
 nfig
objectClass: top
objectClass: nsIndex
cn: uniquemember
nsSystemIndex: false
nsIndexType: eq

dn: cn=uniqueMember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: uniqueMember
objectClass: top
objectClass: nsIndex
nsIndexType: eq
nsIndexType: sub
nsIndexType: pres
nsSystemIndex: false

mmacbook:~ morgan$
thank you!
-morgan

On 1 Dec 2021, at 07:26, Morgan Jones <morgan@morganjones.org> wrote:
> Can anyone provide insight on why the below might be happening, my best guess is a corrupt uniquemember index??
If you add the uniquemember index, but never trigger a reindex, the server treats it as an empty result set until you do a reindex.
So I'd say do a reindex and see if that resolves it.
> -morgan
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
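
Added example, not part of the original thread or of 389 Directory Server: a check for the symptom described in the reply above, where an indexed presence search returns nothing although the entry holds the attribute. It compares two captured `ldapsearch -LLL` outputs taken with the same base, scope and bind DN; the function names and the sample LDIF are constructed for illustration.

```python
"""Flag entries an indexed LDAP filter failed to return (stale or unpopulated index)."""

def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into {lowercased dn: {lowercased attr: [values]}}.

    Handles LDIF line folding (a continuation line starts with one space).
    Base64 values (attr:: ...) stay encoded, which is enough for presence checks.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                    # blank line ends an entry
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                          # skip anything that is not "attr: value"
        name, value = name.strip().lower(), value.lstrip(":").strip()
        if name == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries

def missed_by_index(attr, full_dump, indexed_result):
    """DNs that hold `attr` in the (objectclass=*) dump but are absent from the
    result of the indexed (attr=*) search over the same base and scope."""
    full = parse_ldif(full_dump)
    returned = set(parse_ldif(indexed_result))
    return sorted(dn for dn, attrs in full.items()
                  if attr.lower() in attrs and dn not in returned)

# Constructed sample mirroring the thread; the DN is folded to exercise unfolding.
FULL_DUMP = """\
dn: cn=admin,ou=fwmgmt,ou=groups,dc=domai
 n,dc=org
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=u1,ou=employees,dc=domain,dc=org
uniqueMember: uid=u2,ou=employees,dc=domain,dc=org
"""
INDEXED_RESULT = ""   # constructed: the (uniqueMember=*) search returned no entries

if __name__ == "__main__":
    for dn in missed_by_index("uniqueMember", FULL_DUMP, INDEXED_RESULT):
        print("indexed search did not return:", dn)
```

Run both searches as the same identity, since access controls can also hide entries; the thread rules that out by binding as Directory Manager.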

On Nov 30, 2021, at 5:24 PM, William Brown <william.brown@suse.com> wrote:
> On 1 Dec 2021, at 07:26, Morgan Jones <morgan@morganjones.org> wrote:
>> Can anyone provide insight on why the below might be happening, my best guess is a corrupt uniquemember index??
> If you add the uniquemember index, but never trigger a reindex, the server treats it as an empty result set until you do a reindex.
> So I'd say do a reindex and see if that resolves it.
Understood: we did a full re-index.
Thank you, will do.
-morgan