Thanks for all that Daniel.
It's not possible with the current LDAP scheme (rfc2307). The memberOf overlay can't be enabled, and there's no equivalent. You have to do this in two queries. The first one to get the members of the group (the multi-valued memberUid attr), the second query can then build a filter to display only those users.
Thanks Daniel.
Damn and blast! Ah well, at least it isn't that I am going mad.
I can't do it in two goes - it's for gitlab and it isn't that clever, allowing only one filter for users, and I'm not keen on making a mess of the server just for this.
Oddly it seems to allow a check for membership of a group to determine if you have admin rights. It is only meant to work in the EE edition but I can see queries on the LDAP server.
You can add these settings:
group_base: ou=Groups,dc=example,dc=com
admin-group: dt-admins
I can then see a search it does which gets no responses like this:
SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=0 filter="(&(cn=owner)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
If I test that filter with ldapsearch it gets no results.
Not quite sure what is going on there!
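
The two-query approach from Daniel's reply, sketched as an added example that is not part of the thread or of GitLab's code: it reads the memberUid values from the first query's LDIF and builds the filter for the second, escaping each value per RFC 4515. It assumes users are posixAccount entries whose uid equals the group's memberUid values; the function names and the sample LDIF are constructed for illustration.

```python
import base64

# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def member_uids(ldif: str) -> list[str]:
    """Collect memberUid values from the LDIF of the first query (the group entry)."""
    uids = []
    for line in ldif.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != "memberuid":
            continue
        if rest.startswith(":"):  # "memberUid:: <base64>" form
            uids.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            uids.append(rest.strip())
    return uids

def user_filter(uids: list[str]) -> str:
    """Build the filter for the second query: only users named in the group."""
    if not uids:
        # An empty group must match nobody, never fall back to "all users".
        return "(!(objectClass=*))"
    terms = "".join(f"(uid={escape_filter_value(u)})" for u in uids)
    # Assumption: user entries are posixAccount and are keyed by uid.
    return f"(&(objectClass=posixAccount)(|{terms}))"

# Constructed sample: ldapsearch output for a posixGroup (not from the thread).
SAMPLE_LDIF = """\
dn: cn=dt-admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: dt-admins
gidNumber: 5001
memberUid: alice
memberUid: dave(ops)
memberUid:: Y2Fyb2w=
"""

if __name__ == "__main__":
    print(user_filter(member_uids(SAMPLE_LDIF)))
```

The resulting filter is static, so it has to be regenerated whenever the group's membership changes.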