Can't ldapsearch by uid when objectClass has subentry

I have an entry in LDAP under dnTemplate ou=product01,ou=identities as below:

dn: cn=Test Subentry Password Policy,ou=product01,ou=identities
ds-pwp-password-attribute: userPassword
uid: 0a91242a-60c4-41fa-9c13-fdc433fc4735
ds-pwp-password-history-count: 5
ds-pwp-max-password-age: 90d
ds-pwp-default-password-storage-scheme: PBKDF2-HMAC-SHA512
cn: Test Subentry Password Policy
ds-pwp-character-set-allow-unclassified-characters: true
ds-pwp-length-based-min-password-length: 8
objectClass: subentry
objectClass: top
objectClass: uidObject
objectClass: ds-pwp-password-policy
objectClass: ds-pwp-validator
objectClass: ds-pwp-length-based-validator
objectClass: ds-pwp-character-set-validator
ds-pwp-character-set-character-set: 1:ABCDEFGHIJKLMNOPQRSTUVWXYZ
ds-pwp-character-set-character-set: 1:0123456789
ds-pwp-character-set-character-set: 1:abcdefghijklmnopqrstuvwxyz
ds-pwp-character-set-character-set: 1:~!@#$%^&*()-_=+[]{}|;:,.<>/?

When using ldapsearch with a filter, ldapsearch -H ldap://localhost:1389 -x -D "uid=admin" -W -b "ou=product01,ou=identities" -s sub -a always -z 1000 "(uid=0a91242a-60c4-41fa-9c13-fdc433fc4735)" "pwdPolicySubentry" "objectClass", LDAP returns an empty result:

#!SEARCH REQUEST (365) OK
#!CONNECTION ldap://localhost:1389
#!DATE 2022-05-31T08:06:25.951
# LDAP URL     : ldap://localhost:1389/ou=product01,ou=identities?pwdPolicySubentry,objectClass?sub?(uid=0a91242a-60c4-41fa-9c13-fdc433fc4735)
# command line : ldapsearch -H ldap://localhost:1389 -x -D "uid=admin" -W -b "ou=product01,ou=identities" -s sub -a always -z 1000 "(uid=0a91242a-60c4-41fa-9c13-fdc433fc4735)" "pwdPolicySubentry" "objectClass"
# baseObject   : ou=product01,ou=identities
# scope        : wholeSubtree (2)
# derefAliases : derefAlways (3)
# sizeLimit    : 1000
# timeLimit    : 0
# typesOnly    : False
# filter       : (uid=0a91242a-60c4-41fa-9c13-fdc433fc4735)
# attributes   : pwdPolicySubentry objectClass

#!SEARCH RESULT DONE (365) OK
#!CONNECTION ldap://localhost:1389
#!DATE 2022-05-31T08:06:26.166
# numEntries : 0

This issue happens only when the entry has the subentry objectClass or inherits it. I can't remove this objectClass because this entry defines my subentry password policy.

Someone please help.

By the LDAP specifications (RFC 3672), LDAP Subentries are only returned in search when explicitly requested using the subentries control (1.3.6.1.4.1.4203.1.10.1) or if adding the (objectClass=LDAPsubEntry) filter.
With ForgeRock DS ldapsearch, you can use the --subEntries option.

2 Likes

Thanks Ludo. It works with ldapsearch now. So in repo.ds.json, how can I tell OpenIDM to use the --subEntries option,

or does OpenIDM support the --subEntries option in repo.ds.json so that users can search by the uid attribute?

I don’t think the --subEntries option (which is ldapsearch only) is something that IDM would understand. The other option is to search for (&(uid=XXX)(objectClass=ldapSubEntries)). But I’m not familiar enough with repo.ds.json to know how to do this.

1 Like
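To make the visibility rule from both of Ludo's replies concrete, here is an added simulation of what an RFC 3672 server does with a search request. It is not ForgeRock DS or IDM code: it loads the password-policy subentry from the thread (trimmed to the attributes the search touches, as LDIF text), evaluates simple equality/and/or/not filters against it, and applies the rule that a subentry is hidden from singleLevel and wholeSubtree searches unless the subentries control (1.3.6.1.4.1.4203.1.10.1) is present with visibility TRUE or the filter asserts (objectClass=subentry). The user entry `uid=alice` is constructed for contrast; the server behaviour modelled is the one the thread describes, not a claim about DS internals.

```python
"""Model of RFC 3672 subentry visibility for an LDAP search (added illustration)."""
import re

SUBENTRIES_CONTROL_OID = "1.3.6.1.4.1.4203.1.10.1"  # from the thread / RFC 3672

# The policy subentry from the thread, trimmed to the attributes used below.
POLICY_LDIF = """\
dn: cn=Test Subentry Password Policy,ou=product01,ou=identities
uid: 0a91242a-60c4-41fa-9c13-fdc433fc4735
cn: Test Subentry Password Policy
objectClass: subentry
objectClass: top
objectClass: uidObject
objectClass: ds-pwp-password-policy
"""

# Constructed normal (non-subentry) user entry, to show the contrast.
USER_LDIF = """\
dn: uid=alice,ou=product01,ou=identities
uid: alice
objectClass: top
objectClass: inetOrgPerson
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attr_lower: [values]} (no folding or base64 here)."""
    entry = {}
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def split_components(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised components."""
    comps, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                comps.append(s[start:i + 1])
    return comps


def matches(entry, filt):
    """Evaluate an RFC 4515 filter limited to equality and &, |, ! combinations."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    body = filt[1:-1]
    if body[0] in "&|":
        results = [matches(entry, sub) for sub in split_components(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, _, value = body.partition("=")
    # Equality on these attribute types is case-insensitive.
    return value.lower() in (v.lower() for v in entry.get(attr.strip().lower(), []))


def asserts_subentry_class(filt):
    """True if the filter contains an (objectClass=subentry) assertion anywhere."""
    return re.search(r"\(objectclass=subentry\)", filt, re.IGNORECASE) is not None


def is_subentry(entry):
    return "subentry" in (v.lower() for v in entry.get("objectclass", []))


def search(entries, filt, scope="sub", subentries_control=None):
    """Return the DNs an RFC 3672 server would send back for this request.

    subentries_control: None = control absent, True = only subentries visible,
    False = only normal entries visible (the BOOLEAN control value).
    """
    results = []
    for entry in entries:
        sub = is_subentry(entry)
        if subentries_control is not None:
            visible = (sub == subentries_control)
        elif scope == "base":
            visible = True  # baseObject scope sees subentries without the control
        else:
            # Absent control: normal entries visible; subentries only when the
            # filter opts in with (objectClass=subentry), as the thread describes.
            visible = (not sub) or asserts_subentry_class(filt)
        if visible and matches(entry, filt):
            results.append(entry["dn"][0])
    return results


def demo():
    """Reproduce the thread: the plain uid search is empty, the two fixes are not."""
    entries = [parse_ldif(POLICY_LDIF), parse_ldif(USER_LDIF)]
    uid_filter = "(uid=0a91242a-60c4-41fa-9c13-fdc433fc4735)"
    return {
        "plain": search(entries, uid_filter),
        "with_control": search(entries, uid_filter, subentries_control=True),
        "with_class_assertion": search(entries, "(&%s(objectClass=subentry))" % uid_filter),
    }


if __name__ == "__main__":
    for name, dns in demo().items():
        print("%-21s numEntries=%d %s" % (name, len(dns), dns))
```

Running it shows the exact symptom from the first post (`plain` gives numEntries 0) and that either the control or the extra objectClass assertion makes the policy entry visible, which is why IDM's repo query needs the `(&(uid=XXX)(objectClass=...))` form if it cannot attach the control.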

Thanks for help