net-ldap 0.14.0 → 0.16.3

data/lib/net/ldap/dataset.rb

@@ -103,7 +103,7 @@ class Net::LDAP::Dataset < Hash
     # with the conversion of
     def from_entry(entry)
       dataset = Net::LDAP::Dataset.new
-      hash = { }
+      hash = {}
       entry.each_attribute do |attribute, value|
         next if attribute == :dn
         hash[attribute] = value
@@ -165,4 +165,4 @@ class Net::LDAP::Dataset < Hash
   end
 end
 
-require 'net/ldap/entry' unless defined? Net::LDAP::Entry
+require_relative 'entry' unless defined? Net::LDAP::Entry

data/lib/net/ldap/dn.rb

@@ -57,19 +57,19 @@ class Net::LDAP::DN
           state = :key_oid
           key << char
         when ' ' then state = :key
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :key_normal then
         case char
         when '=' then state = :value
         when 'a'..'z', 'A'..'Z', '0'..'9', '-', ' ' then key << char
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :key_oid then
         case char
         when '=' then state = :value
         when '0'..'9', '.', ' ' then key << char
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value then
         case char
@@ -110,7 +110,7 @@ class Net::LDAP::DN
         when '0'..'9', 'a'..'f', 'A'..'F' then
           state = :value_normal
           value << "#{hex_buffer}#{char}".to_i(16).chr
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value_quoted then
         case char
@@ -132,7 +132,7 @@ class Net::LDAP::DN
         when '0'..'9', 'a'..'f', 'A'..'F' then
           state = :value_quoted
           value << "#{hex_buffer}#{char}".to_i(16).chr
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value_hexstring then
         case char
@@ -145,14 +145,14 @@ class Net::LDAP::DN
           yield key.string.strip, value.string.rstrip
           key = StringIO.new
           value = StringIO.new;
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value_hexstring_hex then
         case char
         when '0'..'9', 'a'..'f', 'A'..'F' then
           state = :value_hexstring
           value << char
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
       when :value_end then
         case char
@@ -162,18 +162,17 @@ class Net::LDAP::DN
           yield key.string.strip, value.string.rstrip
           key = StringIO.new
           value = StringIO.new;
-        else raise "DN badly formed"
+        else raise Net::LDAP::InvalidDNError, "DN badly formed"
         end
-      else raise "Fell out of state machine"
+      else raise Net::LDAP::InvalidDNError, "Fell out of state machine"
       end
     end
 
     # Last pair
-    if [:value, :value_normal, :value_hexstring, :value_end].include? state
-      yield key.string.strip, value.string.rstrip
-    else
-      raise "DN badly formed"
-    end
+    raise Net::LDAP::InvalidDNError, "DN badly formed" unless
+      [:value, :value_normal, :value_hexstring, :value_end].include? state
+
+    yield key.string.strip, value.string.rstrip
   end
 
   ##

data/lib/net/ldap/entry.rb

@@ -140,11 +140,10 @@ class Net::LDAP::Entry
   # arguments to the block: a Symbol giving the name of the attribute, and a
   # (possibly empty) \Array of data values.
   def each # :yields: attribute-name, data-values-array
-    if block_given?
-      attribute_names.each do|a|
-        attr_name, values = a, self[a]
-        yield attr_name, values
-      end
+    return unless block_given?
+    attribute_names.each do|a|
+      attr_name, values = a, self[a]
+      yield attr_name, values
     end
   end
   alias_method :each_attribute, :each
@@ -190,4 +189,4 @@ class Net::LDAP::Entry
   private :setter?
 end # class Entry
 
-require 'net/ldap/dataset' unless defined? Net::LDAP::Dataset
+require_relative 'dataset' unless defined? Net::LDAP::Dataset

data/lib/net/ldap/error.rb

@@ -60,6 +60,7 @@ class Net::LDAP
   class ResponseTypeInvalidError < Error; end
   class ResponseMissingOrInvalidError < Error; end
   class EmptyDNError < Error; end
+  class InvalidDNError < Error; end
   class HashTypeUnsupportedError < Error; end
   class OperatorError < Error; end
   class SubstringFilterError < Error; end

data/lib/net/ldap/filter.rb

@@ -490,7 +490,7 @@ class Net::LDAP::Filter
     when :eq
       if @right == "*" # presence test
         @left.to_s.to_ber_contextspecific(7)
-      elsif @right =~ /[*]/ # substring
+      elsif @right.to_s =~ /[*]/ # substring
         # Parsing substrings is a little tricky. We use String#split to
         # break a string into substrings delimited by the * (star)
         # character. But we also need to know whether there is a star at the
@@ -645,8 +645,15 @@ class Net::LDAP::Filter
 
   ##
   # Converts escaped characters (e.g., "\\28") to unescaped characters
+  # @note slawson20170317: Don't attempt to unescape 16 byte binary data which we assume are objectGUIDs
+  # The binary form of 5936AE79-664F-44EA-BCCB-5C39399514C6 triggers a BINARY -> UTF-8 conversion error
   def unescape(right)
-    right.to_s.gsub(/\\([a-fA-F\d]{2})/) { [$1.hex].pack("U") }
+    right = right.to_s
+    if right.length == 16 && right.encoding == Encoding::BINARY
+      right
+    else
+      right.to_s.gsub(/\\([a-fA-F\d]{2})/) { [$1.hex].pack("U") }
+    end
   end
   private :unescape
 
@@ -748,7 +755,7 @@ class Net::LDAP::Filter
     # This parses a given expression inside of parentheses.
     def parse_filter_branch(scanner)
       scanner.scan(/\s*/)
-      if token = scanner.scan(/[-\w:.]*[\w]/)
+      if token = scanner.scan(/[-\w:.;]*[\w]/)
         scanner.scan(/\s*/)
         if op = scanner.scan(/<=|>=|!=|:=|=/)
           scanner.scan(/\s*/)

data/lib/net/ldap/instrumentation.rb

@@ -12,8 +12,8 @@ module Net::LDAP::Instrumentation
   def instrument(event, payload = {})
     payload = (payload || {}).dup
     if instrumentation_service
-      instrumentation_service.instrument(event, payload) do |payload|
-        payload[:result] = yield(payload) if block_given?
+      instrumentation_service.instrument(event, payload) do |instr_payload|
+        instr_payload[:result] = yield(instr_payload) if block_given?
       end
     else
       yield(payload) if block_given?

data/lib/net/ldap/password.rb

@@ -19,20 +19,18 @@ class Net::LDAP::Password
     # * Should we provide sha1 as a synonym for sha1? I vote no because then
     #   should you also provide ssha1 for symmetry?
     #
-    attribute_value = ""
     def generate(type, str)
       case type
       when :md5
-         attribute_value = '{MD5}' + Base64.encode64(Digest::MD5.digest(str)).chomp!
+         '{MD5}' + Base64.strict_encode64(Digest::MD5.digest(str))
       when :sha
-         attribute_value = '{SHA}' + Base64.encode64(Digest::SHA1.digest(str)).chomp!
+         '{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(str))
       when :ssha
          salt = SecureRandom.random_bytes(16)
-         attribute_value = '{SSHA}' + Base64.encode64(Digest::SHA1.digest(str + salt) + salt).chomp!
+         '{SSHA}' + Base64.strict_encode64(Digest::SHA1.digest(str + salt) + salt)
       else
          raise Net::LDAP::HashTypeUnsupportedError, "Unsupported password-hash type (#{type})"
       end
-      return attribute_value
     end
   end
 end

data/lib/net/ldap/pdu.rb

@@ -123,7 +123,7 @@ class Net::LDAP::PDU
     when ExtendedResponse
       parse_extended_response(ber_object[1])
     else
-      raise LdapPduError.new("unknown pdu-type: #{@app_tag}")
+      raise Error.new("unknown pdu-type: #{@app_tag}")
     end
 
     parse_controls(ber_object[2]) if ber_object[2]

data/lib/net/ldap/version.rb

@@ -1,5 +1,5 @@
 module Net
   class LDAP
-    VERSION = "0.14.0"
+    VERSION = "0.16.3"
   end
 end

data/lib/net/snmp.rb

@@ -1,5 +1,5 @@
 # -*- ruby encoding: utf-8 -*-
-require 'net/ldap/version'
+require_relative 'ldap/version'
 
 # :stopdoc:
 module Net

data/net-ldap.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'net/ldap/version'
+require_relative 'lib/net/ldap/version'
 
 Gem::Specification.new do |s|
   s.name = %q{net-ldap}
@@ -30,8 +30,8 @@ the most recent LDAP RFCs (4510-4519, plutions of 4520-4532).}
   s.summary = %q{Net::LDAP for Ruby (also called net-ldap) implements client access for the Lightweight Directory Access Protocol (LDAP), an IETF standard protocol for accessing distributed directory services}
 
   s.add_development_dependency("flexmock", "~> 1.3")
-  s.add_development_dependency("rake", "~> 10.0")
-  s.add_development_dependency("rubocop", "~> 0.28.0")
+  s.add_development_dependency("rake", "~> 12.3.3")
+  s.add_development_dependency("rubocop", "~> 0.49.0")
   s.add_development_dependency("test-unit")
-  s.add_development_dependency("byebug")
+  s.add_development_dependency("byebug") unless RUBY_PLATFORM == "java"
 end

data/script/ldap-docker

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# Usage: script/ldap-docker
+#
+# Starts a openldap docker container ready for integration tests
+
+docker run --rm -ti \
+  --hostname ldap.example.org \
+  --env LDAP_TLS_VERIFY_CLIENT=try \
+  -p 389:389 -p 636:636 \
+  -v "$(pwd)"/test/fixtures/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom \
+  --name my-openldap-container \
+  osixia/openldap:1.3.0 --copy-service --loglevel debug

data/test/ber/test_ber.rb

@@ -95,7 +95,7 @@ class TestBEREncoding < Test::Unit::TestCase
     def test_encode_binary_data
       # This is used for searching for GUIDs in Active Directory
       assert_equal "\x04\x10" + "j1\xB4\xA1*\xA2zA\xAC\xA9`?'\xDDQ\x16".b,
-        ["6a31b4a12aa27a41aca9603f27dd5116"].pack("H*").to_ber_bin
+                   ["6a31b4a12aa27a41aca9603f27dd5116"].pack("H*").to_ber_bin
     end
 
     def test_non_utf8_encodable_strings

data/test/fixtures/ca/docker-ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAlmgAwIBAgIUCfQ+m0pgZ/BjYAJvxrn/bdGNZokwCgYIKoZIzj0EAwMw
+gZYxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxBMUEgQ2FyIFdhc2gxJDAiBgNVBAsT
+G0luZm9ybWF0aW9uIFRlY2hub2xvZ3kgRGVwLjEUMBIGA1UEBxMLQWxidXF1ZXJx
+dWUxEzARBgNVBAgTCk5ldyBNZXhpY28xHzAdBgNVBAMTFmRvY2tlci1saWdodC1i
+YXNlaW1hZ2UwHhcNMTUxMjIzMTM1MzAwWhcNMjAxMjIxMTM1MzAwWjCBljELMAkG
+A1UEBhMCVVMxFTATBgNVBAoTDEExQSBDYXIgV2FzaDEkMCIGA1UECxMbSW5mb3Jt
+YXRpb24gVGVjaG5vbG9neSBEZXAuMRQwEgYDVQQHEwtBbGJ1cXVlcnF1ZTETMBEG
+A1UECBMKTmV3IE1leGljbzEfMB0GA1UEAxMWZG9ja2VyLWxpZ2h0LWJhc2VpbWFn
+ZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMZf/12pupAgl8Sm+j8GmjNeNbSFAZWW
+oTmIvf2Mu4LWPHy4bTldkQgHUbBpT3xWz8f0lB/ru7596CHsGoL2A28hxuclq5hb
+Ux1yrIt3bJIY3TuiX25HGTe6kGCJPB1aLaNmMGQwDgYDVR0PAQH/BAQDAgEGMBIG
+A1UdEwEB/wQIMAYBAf8CAQIwHQYDVR0OBBYEFE+l6XolXDAYnGLTl4W6ULKHrm74
+MB8GA1UdIwQYMBaAFE+l6XolXDAYnGLTl4W6ULKHrm74MAoGCCqGSM49BAMDA2gA
+MGUCMQCXLZj8okyxW6UTL7hribUUbu63PbjuwIXnwi420DdNsvA9A7fcQEXScWFL
+XAGC8rkCMGcqwXZPSRfwuI9r+R11gTrP92hnaVxs9sjRikctpkQpOyNlIXFPopFK
+8FdfWPypvA==
+-----END CERTIFICATE-----

data/test/fixtures/{openldap/retcode.ldif → ldif/06-retcode.ldif}

@@ -1,19 +1,18 @@
-dn: cn=module,cn=config
-cn: module
-objectClass: olcModuleList
-objectClass: top
-olcModulePath: /usr/lib/ldap
-olcModuleLoad: retcode.la
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: retcode
 
 # source: http://www.opensource.apple.com/source/OpenLDAP/OpenLDAP-186/OpenLDAP/tests/data/retcode.conf?txt
 
-dn: olcOverlay={2}retcode,olcDatabase={1}hdb,cn=config
+dn: olcOverlay={2}retcode,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
+changetype: add
 objectClass: olcConfig
 objectClass: olcRetcodeConfig
 objectClass: olcOverlayConfig
 objectClass: top
 olcOverlay: retcode
-olcRetcodeParent: ou=Retcodes,dc=rubyldap,dc=com
+olcRetcodeParent: ou=Retcodes,dc=example,dc=org
 olcRetcodeInDir: TRUE
 olcRetcodeSleep: 0
 olcRetcodeItem: "cn=success" 0x00

data/test/fixtures/ldif/50-seed.ldif

@@ -0,0 +1,374 @@
+dn: ou=People,dc=example,dc=org
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Groups,dc=example,dc=org
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+
+# Directory Superuser
+dn: uid=admin,dc=example,dc=org
+uid: admin
+cn: system administrator
+sn: administrator
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+displayName: Directory Superuser
+userPassword: passworD1
+
+# Users 1-10
+
+dn: uid=user1,ou=People,dc=example,dc=org
+uid: user1
+cn: user1
+sn: user1
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user1@rubyldap.com
+
+dn: uid=user2,ou=People,dc=example,dc=org
+uid: user2
+cn: user2
+sn: user2
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user2@rubyldap.com
+
+dn: uid=user3,ou=People,dc=example,dc=org
+uid: user3
+cn: user3
+sn: user3
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user3@rubyldap.com
+
+dn: uid=user4,ou=People,dc=example,dc=org
+uid: user4
+cn: user4
+sn: user4
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user4@rubyldap.com
+
+dn: uid=user5,ou=People,dc=example,dc=org
+uid: user5
+cn: user5
+sn: user5
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user5@rubyldap.com
+
+dn: uid=user6,ou=People,dc=example,dc=org
+uid: user6
+cn: user6
+sn: user6
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user6@rubyldap.com
+
+dn: uid=user7,ou=People,dc=example,dc=org
+uid: user7
+cn: user7
+sn: user7
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user7@rubyldap.com
+
+dn: uid=user8,ou=People,dc=example,dc=org
+uid: user8
+cn: user8
+sn: user8
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user8@rubyldap.com
+
+dn: uid=user9,ou=People,dc=example,dc=org
+uid: user9
+cn: user9
+sn: user9
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user9@rubyldap.com
+
+dn: uid=user10,ou=People,dc=example,dc=org
+uid: user10
+cn: user10
+sn: user10
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: user10@rubyldap.com
+
+# Emailless User
+
+dn: uid=emailless-user1,ou=People,dc=example,dc=org
+uid: emailless-user1
+cn: emailless-user1
+sn: emailless-user1
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+
+# Groupless User
+
+dn: uid=groupless-user1,ou=People,dc=example,dc=org
+uid: groupless-user1
+cn: groupless-user1
+sn: groupless-user1
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+
+# Admin User
+
+dn: uid=admin1,ou=People,dc=example,dc=org
+uid: admin1
+cn: admin1
+sn: admin1
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+userPassword: passworD1
+mail: admin1@rubyldap.com
+
+# Groups
+
+dn: cn=ghe-users,ou=Groups,dc=example,dc=org
+cn: ghe-users
+objectClass: groupOfNames
+member: uid=user1,ou=People,dc=example,dc=org
+member: uid=emailless-user1,ou=People,dc=example,dc=org
+
+dn: cn=all-users,ou=Groups,dc=example,dc=org
+cn: all-users
+objectClass: groupOfNames
+member: cn=ghe-users,ou=Groups,dc=example,dc=org
+member: uid=user1,ou=People,dc=example,dc=org
+member: uid=user2,ou=People,dc=example,dc=org
+member: uid=user3,ou=People,dc=example,dc=org
+member: uid=user4,ou=People,dc=example,dc=org
+member: uid=user5,ou=People,dc=example,dc=org
+member: uid=user6,ou=People,dc=example,dc=org
+member: uid=user7,ou=People,dc=example,dc=org
+member: uid=user8,ou=People,dc=example,dc=org
+member: uid=user9,ou=People,dc=example,dc=org
+member: uid=user10,ou=People,dc=example,dc=org
+member: uid=emailless-user1,ou=People,dc=example,dc=org
+
+dn: cn=ghe-admins,ou=Groups,dc=example,dc=org
+cn: ghe-admins
+objectClass: groupOfNames
+member: uid=admin1,ou=People,dc=example,dc=org
+
+dn: cn=all-admins,ou=Groups,dc=example,dc=org
+cn: all-admins
+objectClass: groupOfNames
+member: cn=ghe-admins,ou=Groups,dc=example,dc=org
+member: uid=admin1,ou=People,dc=example,dc=org
+
+dn: cn=n-member-group10,ou=Groups,dc=example,dc=org
+cn: n-member-group10
+objectClass: groupOfNames
+member: uid=user1,ou=People,dc=example,dc=org
+member: uid=user2,ou=People,dc=example,dc=org
+member: uid=user3,ou=People,dc=example,dc=org
+member: uid=user4,ou=People,dc=example,dc=org
+member: uid=user5,ou=People,dc=example,dc=org
+member: uid=user6,ou=People,dc=example,dc=org
+member: uid=user7,ou=People,dc=example,dc=org
+member: uid=user8,ou=People,dc=example,dc=org
+member: uid=user9,ou=People,dc=example,dc=org
+member: uid=user10,ou=People,dc=example,dc=org
+
+dn: cn=nested-group1,ou=Groups,dc=example,dc=org
+cn: nested-group1
+objectClass: groupOfNames
+member: uid=user1,ou=People,dc=example,dc=org
+member: uid=user2,ou=People,dc=example,dc=org
+member: uid=user3,ou=People,dc=example,dc=org
+member: uid=user4,ou=People,dc=example,dc=org
+member: uid=user5,ou=People,dc=example,dc=org
+
+dn: cn=nested-group2,ou=Groups,dc=example,dc=org
+cn: nested-group2
+objectClass: groupOfNames
+member: uid=user6,ou=People,dc=example,dc=org
+member: uid=user7,ou=People,dc=example,dc=org
+member: uid=user8,ou=People,dc=example,dc=org
+member: uid=user9,ou=People,dc=example,dc=org
+member: uid=user10,ou=People,dc=example,dc=org
+
+dn: cn=nested-groups,ou=Groups,dc=example,dc=org
+cn: nested-groups
+objectClass: groupOfNames
+member: cn=nested-group1,ou=Groups,dc=example,dc=org
+member: cn=nested-group2,ou=Groups,dc=example,dc=org
+
+dn: cn=n-member-nested-group1,ou=Groups,dc=example,dc=org
+cn: n-member-nested-group1
+objectClass: groupOfNames
+member: cn=nested-group1,ou=Groups,dc=example,dc=org
+
+dn: cn=deeply-nested-group0.0.0,ou=Groups,dc=example,dc=org
+cn: deeply-nested-group0.0.0
+objectClass: groupOfNames
+member: uid=user1,ou=People,dc=example,dc=org
+member: uid=user2,ou=People,dc=example,dc=org
+member: uid=user3,ou=People,dc=example,dc=org
+member: uid=user4,ou=People,dc=example,dc=org
+member: uid=user5,ou=People,dc=example,dc=org
+
+dn: cn=deeply-nested-group0.0.1,ou=Groups,dc=example,dc=org
+cn: deeply-nested-group0.0.1
+objectClass: groupOfNames
+member: uid=user6,ou=People,dc=example,dc=org
+member: uid=user7,ou=People,dc=example,dc=org
+member: uid=user8,ou=People,dc=example,dc=org
+member: uid=user9,ou=People,dc=example,dc=org
+member: uid=user10,ou=People,dc=example,dc=org
+
+dn: cn=deeply-nested-group0.0,ou=Groups,dc=example,dc=org
+cn: deeply-nested-group0.0
+objectClass: groupOfNames
+member: cn=deeply-nested-group0.0.0,ou=Groups,dc=example,dc=org
+member: cn=deeply-nested-group0.0.1,ou=Groups,dc=example,dc=org
+
+dn: cn=deeply-nested-group0,ou=Groups,dc=example,dc=org
+cn: deeply-nested-group0
+objectClass: groupOfNames
+member: cn=deeply-nested-group0.0,ou=Groups,dc=example,dc=org
+
+dn: cn=deeply-nested-groups,ou=Groups,dc=example,dc=org
+cn: deeply-nested-groups
+objectClass: groupOfNames
+member: cn=deeply-nested-group0,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group1,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group1
+objectClass: groupOfNames
+member: cn=nested-group1,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group2,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group2
+objectClass: groupOfNames
+member: cn=n-depth-nested-group1,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group3,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group3
+objectClass: groupOfNames
+member: cn=n-depth-nested-group2,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group4,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group4
+objectClass: groupOfNames
+member: cn=n-depth-nested-group3,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group5,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group5
+objectClass: groupOfNames
+member: cn=n-depth-nested-group4,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group6,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group6
+objectClass: groupOfNames
+member: cn=n-depth-nested-group5,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group7,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group7
+objectClass: groupOfNames
+member: cn=n-depth-nested-group6,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group8,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group8
+objectClass: groupOfNames
+member: cn=n-depth-nested-group7,ou=Groups,dc=example,dc=org
+
+dn: cn=n-depth-nested-group9,ou=Groups,dc=example,dc=org
+cn: n-depth-nested-group9
+objectClass: groupOfNames
+member: cn=n-depth-nested-group8,ou=Groups,dc=example,dc=org
+
+dn: cn=head-group,ou=Groups,dc=example,dc=org
+cn: head-group
+objectClass: groupOfNames
+member: cn=tail-group,ou=Groups,dc=example,dc=org
+member: uid=user1,ou=People,dc=example,dc=org
+member: uid=user2,ou=People,dc=example,dc=org
+member: uid=user3,ou=People,dc=example,dc=org
+member: uid=user4,ou=People,dc=example,dc=org
+member: uid=user5,ou=People,dc=example,dc=org
+
+dn: cn=tail-group,ou=Groups,dc=example,dc=org
+cn: tail-group
+objectClass: groupOfNames
+member: cn=head-group,ou=Groups,dc=example,dc=org
+member: uid=user6,ou=People,dc=example,dc=org
+member: uid=user7,ou=People,dc=example,dc=org
+member: uid=user8,ou=People,dc=example,dc=org
+member: uid=user9,ou=People,dc=example,dc=org
+member: uid=user10,ou=People,dc=example,dc=org
+
+dn: cn=recursively-nested-groups,ou=Groups,dc=example,dc=org
+cn: recursively-nested-groups
+objectClass: groupOfNames
+member: cn=head-group,ou=Groups,dc=example,dc=org
+member: cn=tail-group,ou=Groups,dc=example,dc=org
+
+# posixGroup
+
+dn: cn=posix-group1,ou=Groups,dc=example,dc=org
+cn: posix-group1
+objectClass: posixGroup
+gidNumber: 1001
+memberUid: user1
+memberUid: user2
+memberUid: user3
+memberUid: user4
+memberUid: user5
+
+# missing members
+
+dn: cn=missing-users,ou=Groups,dc=example,dc=org
+cn: missing-users
+objectClass: groupOfNames
+member: uid=user1,ou=People,dc=example,dc=org
+member: uid=user2,ou=People,dc=example,dc=org
+member: uid=nonexistent-user,ou=People,dc=example,dc=org