LDAP groupOfNames and groupOfUniqueNames SearchCount 0 entries
search cancel

LDAP groupOfNames and groupOfUniqueNames SearchCount 0 entries


Article ID: 275392


Updated On:





When running a Policy Server, this one isn't able to authorize users.

The Policy Server finds the group:

[09/11/2023][16:55:06.086][16:55:06][2139565][140124306269952][SmDsLdapProvider.cpp:2405][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'dc=example,dc=com', Filter: '(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group)(objectclass=top)(objectclass=exampleGroupOfNames))(cn=<the_group_cn>))'. Status: 1 entries.][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

But the Policy Server doesn't find the user as this group member:

[09/11/2023][16:55:06.247][16:55:06][2139565][140124306269952][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'exampleguid=<xxxx>,o=groups,dc=example,dc=com', Filter: 'member=exampleguid=<name2>,o=<specific_group>,dc=example,dc=com'. Status: 0 entries][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

The issue can be worked around by removing groupOfNames object classes from the LDAP group.

  1. Why does the groupOfNames object class take precedence over the groupOfUniqueNames? Has the Policy Server any registry entry which defines the precedence of object classes?
  2. Even if the search filter with member attribute failed with groupOfNames, why doesn't the Policy Server search further with uniqueMember attribute with the groupOfUniqueNames object class?




  Policy Server 12.8SP7 on RedHat 7;
  User Store on LDAP Oracle Unified Directory;




Looking the LDAP configuration, the group


has 2 objectclasses:


Each of them should have its attribute:

  | ObjectClass        | Attribute    |
  | groupOfNames       | member       |
  | groupOfUniqueNames | uniqueMember |

When looking at the group config, only the attribute "uniqueMember" for groupOfUniqueNames is configured:

  # <xxxx>, groups, example.com
  dn: exampleguid=<xxxx>,o=groups,dc=example,dc=com
  uniqueMember: exampleguid=<name2>,o=<specific_group>,dc=example,dc=com
  cn: <the_group_cn>
  description: The group
  objectClass: groupOfUniqueNames
  objectClass: groupOfNames
  objectClass: top
  objectClass: exampleGroupOfNames
  exampleguid: <xxxx>

Both attributes are mandatory should be set as per RFC 4519 (1).

  1. The groupOfNames object class doesn't take precedence over the groupOfUniqueNames. As the ObjectClass is not set in the LDAP Group, so the member attribute isn't checked to determine if the user is part of the group or not.
  2. The Policy Server doesn't check further because as groupOfNames is set as ObjectClass, member attribute is expected, and if the member attribute is not present, then it's considered as not part of the group.




In the LDAP group:


add the attribute


to solve this issue.


Additional Information


    Defining Groups