Hi,

I have LDAP with rfc2307bis schema - I have posixGroup, with members defined as FDNs under the member attribute.

Currently, if I log in to oVirt via the AAA extension, then my groups are not enumerated. The LDAP searches (recorded on the LDAP server) are:

 slapd[1503]: conn=7876 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jreynolds))"
 slapd[1503]: conn=7876 op=2 SRCH attr=entryUUID cn description
 slapd[1503]: conn=7871 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(|(objectClass=groupOfUniqueNames)(objectClass=posixGroup))(uniqueMember:uniqueMemberMatch:=cn=jreynolds,ou=users,dc=example,dc=com))"
 slapd[1503]: conn=7871 op=2 SRCH attr=entryUUID cn description

This returns no results, as the search needs to search for the 'member' attribute, with an FDN. The issue looks to be inherited from the simple.properties file (regardless of whether I use the rfc2307 or rfc2307-openldap profile), with the line:

search.simple-resolve-groups-member.search-request.filter = &${seq:simple_filterGroupObject}(${seq:simple_attrGroupMemberDN}=${seq:_simple_dn_encoded})

I can fix the issue by replacing "${seq:simple_attrGroupMemberDN}=" with "member=", but this feels pretty hacky. I cannot find where this variable is defined, nor how to change it. Is the correct way to do this to create a new profile that overwrites the filter value? Or am I doing something wrong? I don't think my LDAP schema is particularly unusual; as far as I'm aware, it complies with the rfc2307bis spec.

Thanks,
Jake
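
The mismatch described in the message above, as an added example that is not part of the original post or of the oVirt extension's code: it expands the quoted filter template and evaluates the result against a group entry. The variable values are inferred from the second logged search, the group entry is constructed, and the evaluator handles only the filter subset seen in the log (AND, OR, equality, with an extensible match treated as equality).

```python
import re

# Filter template quoted in the message (from simple.properties).
TEMPLATE = ("&${seq:simple_filterGroupObject}"
            "(${seq:simple_attrGroupMemberDN}=${seq:_simple_dn_encoded})")
# Variable values inferred from the second logged search, not read from the profile.
INFERRED = {
    "simple_filterGroupObject": "(|(objectClass=groupOfUniqueNames)(objectClass=posixGroup))",
    "simple_attrGroupMemberDN": "uniqueMember:uniqueMemberMatch:",
    "_simple_dn_encoded": "cn=jreynolds,ou=users,dc=example,dc=com",
}
# Constructed rfc2307bis-style group: a posixGroup listing members as DNs in `member`.
GROUP = {"objectClass": ["groupOfNames", "posixGroup"], "cn": ["engineers"],
         "member": ["cn=jreynolds,ou=users,dc=example,dc=com"]}

def render(template, variables):
    """Expand ${seq:name} references; outer parentheses added as seen in the log."""
    return "(" + re.sub(r"\$\{seq:(\w+)\}", lambda m: variables[m.group(1)], template) + ")"

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next_index)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1            # skip the closing ")"
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    attr = attr.split(":")[0]               # drop ":matchingRule:" of an extensible match
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry, comparing case-insensitively."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return value in [v.lower() for v in values]

def group_found(member_attr, entry=GROUP):
    """Render the template with the given member attribute and test the entry."""
    variables = dict(INFERRED, simple_attrGroupMemberDN=member_attr)
    return matches(parse(render(TEMPLATE, variables))[0], entry)

if __name__ == "__main__":
    for attr in ("uniqueMember:uniqueMemberMatch:", "member"):
        print(f"{attr!r:36} -> group found: {group_found(attr)}")
```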