Global query result

Hi,

We are trying to get the result of a global query.

For user1 it gives the required results, but for user2 it is returning empty. Here is the output of ndstrace. Please help.

User1:

7523776 LDAP: [2024/09/03 15:38:51.147] (10.122.123.9:49770)(0x0016:0x63) Search request:
base: "OU=External,OU=Active,OU=Identities,OU=Meta,O=abc"
scope:1 dereference:0 sizelimit:5000 timelimit:0 attrsonly:0
filter: "(&(&(cdsUPN=U-TEST2*)(mail=abc.test@mail.com)(cdsSystem=TRUE)))"
attribute: "srvprvHideUser"
attribute: "srvprvHideAttributes"
attribute: "modifyTimeStamp"
attribute: "objectClass"
907523776 LDAP: [2024/09/03 15:38:51.147] (10.122.123.9:49770)(0x0016:0x63) nds_back_search: Search Control OID 2.16.840.1.113730.3.4.18
907523776 LDAP: [2024/09/03 15:38:51.147] (10.122.123.9:49770)(0x0016:0x63) nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
907523776 LDAP: [2024/09/03 15:38:51.147] (10.122.123.9:49770)(0x0016:0x63) ParseControls: Parsing control with OID 2.16.840.1.113730.3.4.18
907523776 LDAP: [2024/09/03 15:38:51.147] (10.122.123.9:49770)(0x0016:0x63) ParseControls: Parsing control with OID 2.16.840.1.113730.3.4.2
907523776 LDAP: [2024/09/03 15:38:51.149] (10.122.123.9:49770)(0x0016:0x63) Proxy Authorization identity is CN=U-TEST2\OU=External\OU=Active\OU=Identities\OU=Meta\O=abc
907523776 LDAP: [2024/09/03 15:38:51.149] (10.122.123.9:49770)(0x0016:0x63) nds_back_search: Proxy Authorization successful
907523776 LDAP: [2024/09/03 15:38:51.150] (10.122.123.9:49770)(0x0016:0x63) Sending search result entry "cn=U-TEST2,ou=External,ou=Active,ou=Identities,ou=Meta,o=abc" to connection 0x2b994800
907523776 LDAP: [2024/09/03 15:38:51.150] (10.122.123.9:49770)(0x0016:0x63) Sending operation result 0:"":"" to connection 0x2b994800
996988608 LDAP: [2024/09/03 15:39:01.929] (10.122.123.9:56622)(0x0005:0x42) DoUnbind on connection 0x1d4f0800
996988608 LDAP: [2024/09/03 15:39:01.929] (10.122.123.9:56622)(0x0005:0x42) nds_back_unbind: Connection 0x1d4f0800
996988608 LDAP: [2024/09/03 15:39:01.929] Connection 0x1d4f0800 closed

User2:


LDAP: [2024/09/03 15:39:59.171] (10.122.123.9:49770)(0x0018:0x63) Search request:
base: "OU=External,OU=Active,OU=Identities,OU=Meta,O=abc"
scope:1 dereference:0 sizelimit:5000 timelimit:0 attrsonly:0
filter: "(&(&(cdsUPN=U-TEST8*)(mail=abc.test@mail.com)(cdsSystem=TRUE)))"
attribute: "srvprvHideUser"
attribute: "srvprvHideAttributes"
attribute: "modifyTimeStamp"
attribute: "objectClass"
908576448 LDAP: [2024/09/03 15:39:59.171] (10.122.123.9:49770)(0x0018:0x63) nds_back_search: Search Control OID 2.16.840.1.113730.3.4.18
908576448 LDAP: [2024/09/03 15:39:59.171] (10.122.123.9:49770)(0x0018:0x63) nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
908576448 LDAP: [2024/09/03 15:39:59.171] (10.122.123.9:49770)(0x0018:0x63) ParseControls: Parsing control with OID 2.16.840.1.113730.3.4.18
908576448 LDAP: [2024/09/03 15:39:59.171] (10.122.123.9:49770)(0x0018:0x63) ParseControls: Parsing control with OID 2.16.840.1.113730.3.4.2
908576448 LDAP: [2024/09/03 15:39:59.173] (10.122.123.9:49770)(0x0018:0x63) Proxy Authorization identity is CN=U-TEST2\OU=External\OU=Active\OU=Identities\OU=Meta\O=abc
908576448 LDAP: [2024/09/03 15:39:59.173] (10.122.123.9:49770)(0x0018:0x63) nds_back_search: Proxy Authorization successful
908576448 LDAP: [2024/09/03 15:39:59.174] (10.122.123.9:49770)(0x0018:0x63) Sending operation result 0:"":"" to connection 0x2b994800
2783954624 LDAP: [2024/09/03 15:40:09.695] Monitor 0xa5efc6c0 found connection 0x1d4f0800 ending TLS session
1014875840 LDAP: [2024/09/03 15:40:09.695] (10.122.123.9:33934)(0x0005:0x42) DoUnbind on connection 0x1d4f0800
1014875840 LDAP: [2024/09/03 15:40:09.695] (10.122.123.9:33934)(0x0005:0x42) nds_back_unbind: Connection 0x1d4f0800
1014875840 LDAP: [2024/09/03 15:40:09.695] Connection 0x1d4f0800 closed

  • 0  

    The query is done in the permission context of the User:  Proxy Authorization identity is CN=U-TEST2\OU=External\OU=Active\OU=Identities\OU=Meta\O=abc

    If you log in via LDAP can you see the same query?  I.e. Permissions are ok?

    Does that user actually exist? Implied is that it should...

    Proxy Auth means User App binds to eDir as Admin (Whatever account you set up) but then makes a request to do the query as a Proxied Bind so without the password, you see the view of the world the same as the Proxied User ID.
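The check the reply above describes, as an added example that is not part of the original thread: it pairs each search in an ndstrace excerpt with its Proxy Authorization identity and lists the searches that ended with result 0 but sent no entries. The trace is a constructed sample modelled on the question's output (DNs shortened), and treating the two parenthesised fields as a per-operation tag is an assumption.

```python
import re

# Constructed sample, modelled on the ndstrace excerpts in the question (DNs shortened).
TRACE = r"""
1 LDAP: [2024/09/03 15:38:51.147] (10.122.123.9:49770)(0x0016:0x63) Search request:
filter: "(&(cdsUPN=U-TEST2*)(cdsSystem=TRUE))"
1 LDAP: [2024/09/03 15:38:51.149] (10.122.123.9:49770)(0x0016:0x63) Proxy Authorization identity is CN=U-TEST2\OU=External\O=abc
1 LDAP: [2024/09/03 15:38:51.150] (10.122.123.9:49770)(0x0016:0x63) Sending search result entry "cn=U-TEST2,ou=External,o=abc" to connection 0x2b994800
1 LDAP: [2024/09/03 15:38:51.150] (10.122.123.9:49770)(0x0016:0x63) Sending operation result 0:"":"" to connection 0x2b994800
2 LDAP: [2024/09/03 15:39:59.171] (10.122.123.9:49770)(0x0018:0x63) Search request:
base: "OU=External,O=abc"
filter: "(&(cdsUPN=U-TEST8*)(cdsSystem=TRUE))"
2 LDAP: [2024/09/03 15:39:59.173] (10.122.123.9:49770)(0x0018:0x63) Proxy Authorization identity is CN=U-TEST2\OU=External\O=abc
2 LDAP: [2024/09/03 15:39:59.174] (10.122.123.9:49770)(0x0018:0x63) Sending operation result 0:"":"" to connection 0x2b994800
"""

# Assumption: the "(peer)(0x..:0x..)" pair tags every line of one operation.
TAG = re.compile(r"\(([\d.]+:\d+)\)\((0x[0-9a-fA-F]+:0x[0-9a-fA-F]+)\) (.*)$")
PROXY = "Proxy Authorization identity is "

def parse_operations(trace):
    """Group trace lines per operation: filter, proxied identity, entries, result code."""
    ops, last_search = {}, None
    for line in trace.splitlines():
        m = TAG.search(line)
        if not m:  # untagged line: a field of the preceding "Search request:"
            f = re.match(r'\s*filter: "(.*)"\s*$', line)
            if f and last_search is not None:
                last_search["filter"] = f.group(1)
            continue
        peer, tag, msg = m.groups()
        op = ops.setdefault((peer, tag), {"filter": None, "proxy": None, "entries": [], "result": None})
        if msg.startswith("Search request:"):
            last_search = op
        elif msg.startswith(PROXY):
            op["proxy"] = msg[len(PROXY):]
        elif msg.startswith("Sending search result entry "):
            op["entries"].append(msg.split('"')[1])
        elif msg.startswith("Sending operation result "):
            op["result"] = int(msg.split()[3].split(":")[0])
    return ops

def empty_proxied_searches(ops):
    """Searches that returned success (0) under a proxied identity but sent no entries."""
    return [(o["proxy"], o["filter"]) for o in ops.values()
            if o["proxy"] and o["result"] == 0 and not o["entries"]]

if __name__ == "__main__":
    print(empty_proxied_searches(parse_operations(TRACE)))
```

Terminal-wrapped trace lines need to be rejoined before parsing, since an untagged continuation of a DN is ignored here.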

  • 0 in reply to   

    If you log in via LDAP can you see the same query? I.e. Permissions are ok? YES, we are getting a result

    Does that user actually exist? Implied is that it should... YES, the user exists in LDAP

    Proxy Auth means User App binds to eDir as Admin (Whatever account you set up) but then makes a request to do the query as a Proxied Bind so without the password, you see the view of the world the same as the Proxied User ID.


    I am not getting what the proxy ID is. Could you elaborate more on how to find it from the ism-configurations file?

  • 0   in reply to 

    The LDAP user, I forget the specific variable name, that is used to log in to eDir.  That is the Admin account and UA knows the password.  Then when it binds as UserA, it says, as Admin, login, but use an extension to show me the view (Proxy my login) to that of UserA.

    Are the two users in different OUs?  Look at the ACL attribute on each container?  (I know you said you logged in via LDAP and it worked, but still...)