
OUD 11g - Searching an Invalid Group with Group Cache Active Delivers All Users Matching the Search Without the isMemberOf Filter, i.e. the Group Filter Is Ignored (Doc ID 2477456.1)

Last updated on NOVEMBER 05, 2020

Applies to:

Oracle Unified Directory - Version 11.1.2.3.180717 and later
Information in this document applies to any platform.

Symptoms

ACTUAL BEHAVIOR
Searching with an invalid (non-existent) group name in the isMemberOf filter while the Group Cache is active returns unexpected results.

The issue appears after the Group Cache is enabled (ds-cfg-cache-dn-group-ids: true).

A filter containing a wrong group name returns exactly the same result as the same filter with the isMemberOf clause removed.

Example:


<OUD_INSTANCE>/OUD$ time ./bin/ldapsearch -h <OUD_HOST> -p <LDAP_PORT> -D "cn=Directory Manager" -j <PASSWORD_FILE> -b "dc=example,dc=com" "(&(activeEntry=1)(isMemberOf=cn=non_existing_groupname,ou=groups,dc=example,dc=com))" dn |wc -l
25418
real 0m2.986s
user 0m2.014s
sys 0m0.236s

<OUD_INSTANCE>/OUD$ ./bin/ldapsearch -h <OUD_HOST> -p <LDAP_PORT> -D "cn=Directory Manager" -j <PASSWORD_FILE> -b "dc=example,dc=com" "(activeEntry=1)" dn |wc -l
25418

EXPECTED BEHAVIOR
No entry in result when search filter should not return an entry.

STEPS to reproduce
The issue can be reproduced at will with the following steps:
1. Enable Group cache
  ds-cfg-cache-dn-group-ids: true
2. Run a complex ldapsearch with a non-existent group in the isMemberOf clause of the ldapsearch filter:
  <OUD_INSTANCE>/OUD$ ./bin/ldapsearch -h <OUD_HOST> -p <LDAP_PORT> -D "cn=Directory Manager" -j <PASSWORD_FILE> -b "dc=example,dc=com" "(&(activeEntry=1)(isMemberOf=cn=non_existing_groupname,ou=groups,dc=example,dc=com))"
3. Unexpected result: all users matching the filter without isMemberOf are returned instead of none/zero -
  <OUD_INSTANCE>/OUD$ ./bin/ldapsearch -h <OUD_HOST> -p <LDAP_PORT> -D "cn=Directory Manager" -j <PASSWORD_FILE> -b "dc=example,dc=com" "(&(activeEntry=1)(isMemberOf=cn=non_existing_groupname,ou=groups,dc=example,dc=com))" dn |wc -l
  25418
4. The unexpected result is identical to the result of the search without the group (isMemberOf) filter -
  <OUD_INSTANCE>/OUD$ ./bin/ldapsearch -h <OUD_HOST> -p <LDAP_PORT> -D "cn=Directory Manager" -j <PASSWORD_FILE> -b "dc=example,dc=com" "(activeEntry=1)" dn |wc -l
  25418


IMPACT
Due to this issue, ldapsearch operations with complex filters that reference a non-existent group in an isMemberOf clause return unexpected results.
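The practical risk behind this symptom is that an application which uses an isMemberOf filter as a membership or authorization check would, with the Group Cache active, receive the whole user population for a mistyped or deleted group DN instead of an empty result. The following Python example is added here and is not part of the Doc ID or of OUD; it models the reported defect in a small in-memory stand-in (FaultyCacheDirectory, with constructed sample users and one constructed group) so it runs offline, and shows two client-side measures: a detection check that mirrors steps 3 and 4 above (the search with the group clause returning exactly the same entries as the search without it) and a guard that confirms the group entry exists before trusting any isMemberOf result. All class and function names are hypothetical.

```python
import re
from typing import Dict, List, Optional, Set

# Hypothetical names throughout; the directory contents below are constructed
# for this example and are not data from the Doc ID.

ISMEMBEROF_RE = re.compile(r"\(isMemberOf=([^)]+)\)", re.IGNORECASE)


def ismemberof_dn(ldap_filter: str) -> Optional[str]:
    """Return the group DN named in an (isMemberOf=...) clause, or None."""
    match = ISMEMBEROF_RE.search(ldap_filter)
    return match.group(1) if match else None


def strip_ismemberof(ldap_filter: str) -> str:
    """Drop the (isMemberOf=...) clause to build the comparison search of step 4."""
    return ISMEMBEROF_RE.sub("", ldap_filter)


class FaultyCacheDirectory:
    """Constructed stand-in for an OUD instance with ds-cfg-cache-dn-group-ids: true.

    It reproduces only the symptom described above: when the isMemberOf clause
    names a DN that is not an existing group, the clause is ignored and every
    entry matching the rest of the filter is returned. This is not OUD code.
    """

    def __init__(self, users: Dict[str, List[str]], groups: Set[str]):
        self.users = users  # user DN -> DNs of the groups the user belongs to
        self.groups = {g.lower() for g in groups}

    def group_exists(self, group_dn: str) -> bool:
        return group_dn.lower() in self.groups

    def search(self, ldap_filter: str) -> List[str]:
        group_dn = ismemberof_dn(ldap_filter)
        if group_dn is None or not self.group_exists(group_dn):
            # Defect being modelled: unknown group -> group clause dropped.
            return sorted(self.users)
        wanted = group_dn.lower()
        return sorted(dn for dn, member_of in self.users.items()
                      if wanted in {g.lower() for g in member_of})


def guarded_member_search(directory: FaultyCacheDirectory, ldap_filter: str) -> List[str]:
    """Client-side mitigation: confirm the group exists before trusting the result.

    A missing group DN (typo, deleted group) must yield zero members, never the
    whole user population, so the caller is told explicitly instead.
    """
    group_dn = ismemberof_dn(ldap_filter)
    if group_dn is not None and not directory.group_exists(group_dn):
        raise LookupError(f"group {group_dn!r} does not exist; isMemberOf result not trusted")
    return directory.search(ldap_filter)


def group_filter_ignored(directory: FaultyCacheDirectory, ldap_filter: str) -> bool:
    """Detection check mirroring steps 3 and 4: the two result sets should differ.

    Returns True when the search with the isMemberOf clause returns exactly the
    same entries as the same filter without it, which is the reported symptom.
    """
    with_group = directory.search(ldap_filter)
    without_group = directory.search(strip_ismemberof(ldap_filter))
    return with_group == without_group


def build_sample_directory() -> FaultyCacheDirectory:
    """Constructed sample data: three active users, one real group (admins)."""
    admins = "cn=admins,ou=groups,dc=example,dc=com"
    users = {
        "uid=alice,ou=people,dc=example,dc=com": [admins],
        "uid=bob,ou=people,dc=example,dc=com": [],
        "uid=carol,ou=people,dc=example,dc=com": [],
    }
    return FaultyCacheDirectory(users, {admins})


if __name__ == "__main__":
    d = build_sample_directory()
    bad = "(&(activeEntry=1)(isMemberOf=cn=non_existing_groupname,ou=groups,dc=example,dc=com))"
    print(len(d.search(bad)), "entries returned for a non-existent group (defect)")
    print("group filter ignored:", group_filter_ignored(d, bad))
    try:
        guarded_member_search(d, bad)
    except LookupError as exc:
        print("guard:", exc)
```

The existence check in guarded_member_search corresponds to a base-scope search on the group DN against a real server; the comparison in group_filter_ignored only signals a problem when the group is not expected to contain every entry matching the rest of the filter, so a group that legitimately holds all active users would trip it as well and the existence check remains the more reliable of the two.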

Changes

 Enable Group cache
  ds-cfg-cache-dn-group-ids: true

Cause

