From 6b0fc9e03446e9800b95064e793fde4375e31750 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 3 Nov 2020 01:18:32 +0000
Subject: [PATCH] ITS#9121 fix filtered memberOf

Broken in 2c0499ae4e17b29018041ecc0ce6001db15d014e adding nesting
---
 servers/slapd/overlays/dynlist.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/servers/slapd/overlays/dynlist.c b/servers/slapd/overlays/dynlist.c
index cbb3d129f5..9519f97199 100644
--- a/servers/slapd/overlays/dynlist.c
+++ b/servers/slapd/overlays/dynlist.c
@@ -1699,16 +1699,19 @@ dynlist_search( Operation *op, SlapReply *rs )
 				if ( dlm->dlm_memberOf_ad ) {
 					int want = 0;
 
-					/* with nesting, filter attributes also require nestlink */
-					if ( dlm->dlm_memberOf_nested ) {
+					/* is attribute in filter? */
+					if ( ad_infilter( dlm->dlm_memberOf_ad, op->ors_filter )) {
+						want |= WANT_MEMBEROF;
+						/* with nesting, filter attributes also require nestlink */
+						if ( dlm->dlm_memberOf_nested ) {
 						/* WANT_ flags have inverted meaning here:
 						 * to satisfy (memberOf=) filter, we need to also
 						 * find all subordinate groups. No special
 						 * treatment is needed for (member=) since we
 						 * already search all group entries.
 						 */
-						if ( ad_infilter( dlm->dlm_memberOf_ad, op->ors_filter ))
 							want |= WANT_MEMBER;
+						}
 					}
 
 					/* if attribute is not requested, skip it */