Hello,
I have a non-IPA aware application that successfully logs in users from IPA's LDAP.
However, I cannot make it work with group membership. It seems that the LDAP filter is not working and using LDAP search proves that the app is not wrong.
So, what I have:
myself (ptselios), a member of the group grafana-adms.
The group is stored as:
ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" -b "cn=groups,cn=accounts,dc=example,dc=com" "(&(objectClass=groupOfNames)(cn=grafana-adms))" -h localhost -p 389 -s sub
dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-120251393-583861438-3385547448-1050
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: grafana-adms
description:: blabla
ipaUniqueID: ccc54368-ce1d-11e8-b523-06db1b82a33a
gidNumber: 690200050
Now, when I search with the memberuid I get an empty response:
ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" -b "cn=groups,cn=accounts,dc=example,dc=com" "(&(objectClass=groupOfNames)(memberuid=ptselios))" -h localhost -p 389 -s sub
# search result
search: 2
result: 0 Success
# numResponses: 1
Obviously, the filter is wrong, but what is the correct one?
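
Added example, not part of the original post: the group entry shown above carries `member` values holding full user DNs and no `memberuid` attribute, so an equality filter on `memberuid` has nothing to match, while a filter on `member` with the user's DN matches the entry as listed. The function names, the simplified equality matcher and the `users_base` default are assumptions made for illustration; the entry is a subset of the attributes in the post.

```python
import re

# Subset of the group entry returned by the first ldapsearch in the post.
ENTRY_LDIF = """\
dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
cn: grafana-adms
gidNumber: 690200050
"""

def parse_entry(ldif):
    """Return {lowercased attribute name: [values]} for one LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
    return attrs

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a username cannot alter the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def unescape_filter_value(value):
    """Turn \\XX hex escapes in a filter value back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def and_filter_matches(filter_str, attrs):
    """Evaluate an (&(attr=value)...) filter made of plain equality terms.
    Simplification: case-insensitive string comparison, no DN normalisation."""
    terms = re.findall(r"\(([^()=&]+)=([^()]*)\)", filter_str)
    return bool(terms) and all(
        unescape_filter_value(want).lower()
        in (have.lower() for have in attrs.get(name.lower(), []))
        for name, want in terms)

def member_filter(uid, users_base="cn=users,cn=accounts,dc=example,dc=com"):
    """Group filter keyed on the member DN (assumed user subtree from the post).
    A uid containing DN specials such as ',' would also need RFC 4514 escaping."""
    return "(&(objectClass=groupOfNames)(member=uid=%s,%s))" % (
        escape_filter_value(uid), users_base)

ENTRY = parse_entry(ENTRY_LDIF)
BY_MEMBERUID = and_filter_matches("(&(objectClass=groupOfNames)(memberuid=ptselios))", ENTRY)
BY_MEMBER_DN = and_filter_matches(member_filter("ptselios"), ENTRY)
```

When an application builds this filter from the login name, the escaping step keeps a name such as `*` from turning the membership check into a wildcard match.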