--On Thursday, March 09, 2017 12:54 AM +0000 quanah@openldap.org wrote:
It is possible to set up slapo-dynlist to operate as a replacement for slapo-memberOf, and it is safe in a replicated environment. The tricky part of using slapo-dynlist is that membership information must be maintained by updating user objects rather than by updating group objects, which may be difficult for end users depending on how they perform group management.
It's also possible to do this in the reverse direction. I.e., normal static groups that will populate memberOf in the user entry. To do this, you have to hack the dyngroup schema, changing groupOfURLs from STRUCTURAL to AUXILIARY.
In the slapd config, the dynlist config looks like:
dynlist-attrset groupOfUrls memberURL memberOf
Then we can create some groups:
root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=testgroup"
dn: cn=testgroup,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: testgroup
member: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com

root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=alttestgroup"
dn: cn=alttestgroup,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: alttestgroup
member: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com
The user entry looks like:
root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=Marice McCaugherty" objectClass memberOf memberURL
dn: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??sub?(member=cn=Marice McCaugherty,ou=Pro
 duct Testing,dc=example,dc=com)
memberOf: cn=testgroup,ou=Group,dc=example,dc=com
memberOf: cn=alttestgroup,ou=Group,dc=example,dc=com
Doing it this way means that people currently using memberOf wouldn't need to change how group management is done.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
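The following is an added example and not code from the message above or from the OpenLDAP project. It assumes the slapd.conf directive Quanah shows (`dynlist-attrset groupOfUrls memberURL memberOf`) and that groupOfURLs has already been changed to AUXILIARY in the dyngroup schema. It generates the LDIF modification that puts a user entry into the "reverse" dynlist setup (adding the groupOfURLs objectClass and a memberURL of the shape shown in the message, with the DN filter-escaped per RFC 4515), and it parses `ldapsearch -LLL` output, including the folded `ou=Pro` / ` duct Testing` continuation line, to verify that memberOf is actually being populated. All function names and the sample output are this example's own constructions.

```python
"""Added example: helpers for running slapo-dynlist as a memberOf replacement.

Assumes the slapd.conf directive from the message (dynlist-attrset groupOfUrls
memberURL memberOf) and groupOfURLs made AUXILIARY in the dyngroup schema.
Function names here are the example's own, not OpenLDAP's.
"""
import base64

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_url(base_dn: str, user_dn: str, member_attr: str = "member") -> str:
    """Build the memberURL that makes dynlist list the static groups naming user_dn.

    Same shape as the URL in the message: ldap:///<base>??sub?(member=<user DN>).
    The DN is filter-escaped so a DN containing '(' or '*' cannot break the filter.
    """
    return f"ldap:///{base_dn}??sub?({member_attr}={escape_filter_value(user_dn)})"


def _ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; base64 ('::') when the value is not an LDIF SAFE-STRING."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\x00\r\n"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_modify_ldif(user_dn: str, base_dn: str) -> str:
    """LDIF 'changetype: modify' that switches one user entry to dynamic memberOf."""
    lines = [
        _ldif_attr("dn", user_dn),
        "changetype: modify",
        "add: objectClass",
        "objectClass: groupOfURLs",
        "-",
        "add: memberURL",
        _ldif_attr("memberURL", member_url(base_dn, user_dn)),
        "-",
    ]
    return "\n".join(lines) + "\n"


def parse_ldif_entries(text: str) -> list:
    """Parse `ldapsearch -LLL` output into a list of {attr: [values]} dicts.

    Handles LDIF line folding (continuation lines start with one space) and
    base64 ('::') values; comment lines are skipped.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def member_of(entries: list, user_dn: str) -> list:
    """Sorted memberOf values of the entry whose dn is user_dn ([] if absent)."""
    for entry in entries:
        if entry.get("dn", [""])[0] == user_dn:
            return sorted(entry.get("memberOf", []))
    return []


def verify_dynamic_memberof(entries: list, base_dn: str, user_dn: str) -> bool:
    """Check that the user entry carries groupOfURLs and exactly the expected memberURL."""
    for entry in entries:
        if entry.get("dn", [""])[0] == user_dn:
            return ("groupOfURLs" in entry.get("objectClass", [])
                    and entry.get("memberURL") == [member_url(base_dn, user_dn)])
    return False


# Constructed sample: the folded ldapsearch output from the message, as ldapsearch prints it.
SAMPLE_SEARCH_OUTPUT = """\
dn: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??sub?(member=cn=Marice McCaugherty,ou=Pro
 duct Testing,dc=example,dc=com)
memberOf: cn=testgroup,ou=Group,dc=example,dc=com
memberOf: cn=alttestgroup,ou=Group,dc=example,dc=com
"""

if __name__ == "__main__":
    base, user = "dc=example,dc=com", "cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com"
    print(user_modify_ldif(user, base))
    found = parse_ldif_entries(SAMPLE_SEARCH_OUTPUT)
    print("memberOf:", member_of(found, user), "ok:", verify_dynamic_memberof(found, base, user))
```

Feeding the output of `user_modify_ldif` to `ldapmodify` is the per-user step that the message says replaces group-side maintenance; `verify_dynamic_memberof` run over a real `ldapsearch -LLL` dump is a cheap way to audit that every user entry that should have the dynamic memberOf actually carries the objectClass and a memberURL that points at its own DN and nothing else, since a memberURL with a broader filter would silently grant extra memberships.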