+++ This bug was initially created as a clone of Bug #2219000 +++

This clone was created for rhds 12.4.1 build

Description of problem:

subsuffix are not returned in one level scoped search

Steps to reproduce the behavior:

• Create an instance with dc=example,dc=com suffix (with entries in the backends)
• Create a subsuffix just below the suffix with entries:
• dsconf instance backend create --suffix ou=foo,dc=example,dc=com --create-entries --be-name foo
• Run ldapsearch ldapsearch with sub scope:

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-i1.socket -s sub -b dc=example,dc=com '(ou=*)' dn
(No errors: ou=foo,dc=example,dc=com is listed)

• Run ldapsearch with one scope:

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-i1.socket -s one -b dc=example,dc=com '(ou=*)' dn
(Error: ou=foo,dc=example,dc=com is not listed)

Expected results

ou=foo,dc=example,dc=com should be listed in both cases

Additional context

This behavior confuses some ldap browsers that cannot show any more the entries below sub suffix.

Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5772

— Additional comment from on 2024-06-06 16:26:25 UTC —

This bug is critical for the customer, blocking them to upgrade from an unsupported version for which they are paying, RHDS 10.0.0 to 12.5

— Additional comment from thierry bordaz on 2024-06-07 13:59:29 UTC —

I changed the priority of this bug. So far, without CU case linked to that BZ, it was scheduled to start working on it Aug 24. Now it is scheduled for in of June 24.
The initial investigation will confirm how complex is the fix.

— Additional comment from Pierre Rogier on 2024-06-13 13:41:45 UTC —

Fix is now available upstream and cherry-picked down to 389-ds-base-2.5 branch
c9d18299a..dc0d81844 389-ds-base-2.5 -> 389-ds-base-2.5

Patch source file may be generated by using:
git clone https://github.com/389ds/389-ds-base.git
git diff --patch c9d18299a..dc0d81844 > Issue5772v2.5.patch