Bug 2219000

Summary: subsuffix are not returned in one level scoped search
Product: Red Hat Directory Server Reporter: mreynolds
Component: 389-ds-baseAssignee: LDAP Maintainers <idm-ds-dev-bugs>
Status: NEW --- QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: high Docs Contact: Evgenia Martynyuk <emartyny>
Priority: unspecified    
Version: 11.8CC: idm-ds-dev-bugs, musoni, tmihinto
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description mreynolds 2023-06-30 21:31:06 UTC 
Description of problem:

subsuffix are not returned in one level scoped search

Steps to reproduce the behavior:

- Create an instance with dc=example,dc=com suffix (with entries in the backends)
- Create a subsuffix just below the suffix with entries:
- dsconf instance backend create --suffix ou=foo,dc=example,dc=com --create-entries --be-name foo
- Run ldapsearch ldapsearch with sub scope:

    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-i1.socket -s sub -b dc=example,dc=com '(ou=*)' dn
    (No errors: ou=foo,dc=example,dc=com is listed)

- Run ldapsearch with one scope:

    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-i1.socket -s one -b dc=example,dc=com '(ou=*)' dn
    (Error: ou=foo,dc=example,dc=com is not listed)

Expected results

    ou=foo,dc=example,dc=com should be listed in both cases

Additional context

    This behavior confuses some ldap browsers that cannot show any more the entries below sub suffix.

Upstream ticket:

    https://github.com/389ds/389-ds-base/issues/5772