ldap - ldapsearch not showing all groups & members of groups


ldap - ldapsearch not showing all groups & members of groups

using ldapsearch to list the members of a group with a certain group list

(our real domain/ou renamed to domain for this forum)

kye-oes01:~ # cat /etc/novell-release
Open Enterprise Server 2018 (x86_64)
VERSION = 2018.3
PATCHLEVEL = 3

kye-oes01:~ # ndsrepair -T

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf: kye-oes01.O=Domain.OUR-TREE
Repair utility for NetIQ eDirectory 9.0 - 9.2.6.0000 v40207.00
DS Version 40207.00 Tree name: OUR-TREE
Server name: .kye-oes01.Domain

---
- list all groups (then grep to list groups I'm interested in)
kye-oes01:~ # ldapsearch -H ldaps://kye-oes01.Domain.local:636 -x -b "o=Domain" -S dn: "objectClass=group" | grep Group-Internet
# Group-Internet-Kids1, Domain
dn: cn=Group-Internet-Kids1,o=Domain
# Group-Internet-Technology2, Domain
dn: cn=Group-Internet-Technology2,o=Domain
# Group-Internet-OCC2, Domain
dn: cn=Group-Internet-OCC2,o=Domain
# Group-Internet-Administration2, Domain
dn: cn=Group-Internet-Administration2,o=Domain
# Group-Internet-Administration1, Domain
dn: cn=Group-Internet-Administration1,o=Domain
# Group-Internet-Accounting1, Domain
dn: cn=Group-Internet-Accounting1,o=Domain
# Group-Internet-Corporate2, Domain
dn: cn=Group-Internet-Corporate2,o=Domain
# Group-Internet-OCC1, Domain
dn: cn=Group-Internet-OCC1,o=Domain
# Group-Internet-Technology1, Domain
dn: cn=Group-Internet-Technology1,o=Domain
# Group-Internet-Corporate1, Domain
dn: cn=Group-Internet-Corporate1,o=Domain

-list of groups that start with 'Group-Internet-*'
- list 5, but there are 10 (listed above)
- why missing some groups
kye-oes01:~ # ldapsearch -H ldaps://kye-oes01.Domain.local:636 -x -b "o=Domain" cn=Group-Internet-* -S dn: "objectClass=group"
# extended LDIF
#
# LDAPv3
# base <o=Domain> with scope subtree
# filter: cn=Group-Internet-*
# requesting: objectClass=group
#

# Group-Internet-Accounting1, Domain
dn: cn=Group-Internet-Accounting1,o=Domain

# Group-Internet-Corporate1, Domain
dn: cn=Group-Internet-Corporate1,o=Domain

# Group-Internet-Corporate2, Domain
dn: cn=Group-Internet-Corporate2,o=Domain

# Group-Internet-OCC1, Domain
dn: cn=Group-Internet-OCC1,o=Domain

# Group-Internet-Technology1, Domain
dn: cn=Group-Internet-Technology1,o=Domain

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

---

- list members of certain group
kye-oes01:~ # ldapsearch -H ldaps://kye-oes01.Domain.local:636 -x -b "o=Domain" cn=Group-Internet-Technology1 member
# extended LDIF
#
# LDAPv3
# base <o=Domain> with scope subtree
# filter: cn=Group-Internet-Technology1
# requesting: member
#

# Group-Internet-Technology1, Domain
dn: cn=Group-Internet-Technology1,o=Domain
member: cn=John Goutbeck,o=Domain

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

- list members of certian group
- but this group has a member listed in iManager
- why does it not show the member
- some groups will list members while other groups do not show members, even though they have members
- and a few groups do not have members, they should still show as a group but without members
kye-oes01:~ # ldapsearch -H ldaps://kye-oes01.Domain.local:636 -x -b "o=domain" cn=Group-Internet-Technology2 member
# extended LDIF
#
# LDAPv3
# base <o=Domain> with scope subtree
# filter: cn=Group-Internet-Technology2
# requesting: member
#

# search result
search: 2
result: 0 Success

# numResponses: 1

---

Any solutions, suggestions?

  • Found my own answer

    Looked at the group differences in iManager
    General - Other
    - the missing groups were missing some 'Valued Attributes'
    - missing attributes were for LUM enabled groups
    modifiersName
    Object Class
    Revision
    uamPosixWorkstationList

    So LUM enabled all groups - which added these attributes (and filled with proper values)
    - seems the groups were missing the 'Object Class' attribute with its value of 'group' so it could not be included with the filter.
    - after LUM enabled the group, it now have an 'Object Class' attribute with its value of 'group'

    - now list all 10 groups - can see all 10 groups
    kye-oes01:~ # ldapsearch -H ldaps://kye-oes01.Domain.local:636 -x -b "o=Domain" cn=Group-Internet-* -S dn: "objectClass=group"
    # extended LDIF
    #
    # LDAPv3
    # base <o=Domain> with scope subtree
    # filter: cn=Group-Internet-*
    # requesting: objectClass=group
    #

    # Group-Internet-Accounting1, Domain
    dn: cn=Group-Internet-Accounting1,o=Domain

    # Group-Internet-Administration1, Domain
    dn: cn=Group-Internet-Administration1,o=Domain

    # Group-Internet-Administration2, Domain
    dn: cn=Group-Internet-Administration2,o=Domain

    # Group-Internet-Corporate1, Domain
    dn: cn=Group-Internet-Corporate1,o=Domain

    # Group-Internet-Corporate2, Domain
    dn: cn=Group-Internet-Corporate2,o=Domain

    # Group-Internet-Kids1, Domain
    dn: cn=Group-Internet-Kids1,o=Domain

    # Group-Internet-OCC1, Domain
    dn: cn=Group-Internet-OCC1,o=Domain

    # Group-Internet-OCC2, Domain
    dn: cn=Group-Internet-OCC2,o=Domain

    # Group-Internet-Technology1, Domain
    dn: cn=Group-Internet-Technology1,o=Domain

    # Group-Internet-Technology2, Domain
    dn: cn=Group-Internet-Technology2,o=Domain

    # search result
    search: 2
    result: 0 Success

    # numResponses: 11
    # numEntries: 10


    Now can list members of each group
    - even list the group with no members
    kye-oes01:~ # ldapsearch -H ldaps://kye-oes01.Domain.local:636 -x -b "o=Domain" cn=Group-Internet-* member -S dn: "objectClass=group"
    # extended LDIF
    #
    # LDAPv3
    # base <o=Domain> with scope subtree
    # filter: cn=Group-Internet-*
    # requesting: member objectClass=group
    #

    # Group-Internet-Accounting1, Domain
    dn: cn=Group-Internet-Accounting1,o=Domain
    member: cn=User Name,o=Domain

    # Group-Internet-OCC2, Domain
    dn: cn=Group-Internet-OCC2,o=Domain

    .

    .

    .

    # search result
    search: 2
    result: 0 Success

    # numResponses: 11
    # numEntries: 10

    Thanks for looking