https://bugs.openldap.org/show_bug.cgi?id=10298
Issue ID: 10298
Summary: cannot find DN in memberOf attribute when dynlist overlay contains multiple memberOf definitions
Product: OpenLDAP
Version: 2.5.13
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: jan.pekar@imatic.cz
Target Milestone: ---
I'm using dynlist to define multiple static objectClasses (static-oc) to be searched for member attributes and added to memberOf attribute.
My configuration is in cn=config, so I defined it using multiple olcDlAttrSet attributes:
groupOfURLs memberURL member+memberOf@groupOfMembers*
groupOfURLs memberURL member+memberOf@groupOfNames*
I noticed that the memberOf attribute contains users from both groups (groupOfMembers and groupOfNames), but I can use the search operation only on the first defined configuration (in the above example, groupOfMembers), and user membership from groupOfNames groups is not found.
Maybe it must be defined on one line, but I was not able to find the proper syntax. Maybe the attribute must be mapped somehow, but when it works for the first definition, it should work for the next one, so is it a bug?
Thank you
Ondřej Kuzník ondra@mistotebe.net changed:
      What    |Removed                     |Added
----------------------------------------------------------------------------
        Status|UNCONFIRMED                 |RESOLVED
    Resolution|---                         |DUPLICATE

--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
Hi Jan, please refer to ITS#10020, which is pending a documentation change to make this limitation clearer.
*** This issue has been marked as a duplicate of issue 10020 ***
Quanah Gibson-Mount quanah@openldap.org changed:
      What    |Removed                     |Added
----------------------------------------------------------------------------
        Status|RESOLVED                    |VERIFIED
Quanah Gibson-Mount quanah@openldap.org changed:
      What    |Removed                     |Added
----------------------------------------------------------------------------
      Keywords|needs_review                |
--- Comment #2 from Jan Pekar jan.pekar@imatic.cz ---
Hi Ondřej,
I think I tried something different - I associated 2 different static objectClasses, groupOfMembers and groupOfNames, but I reused the same attributes. Also, my output was that I was able to see the attributes from both static objectClasses, but I was able to search (find) the member entry only from the objectClass which was defined first.
Maybe it is the same issue as the linked one, but in that case the documentation should also cover this case.
I also have a question: can the limitation of the static objectClass somehow be solved or "worked around"? I need to have 2 dynamic links from one static objectClass. Should I create a new objectClass with a slightly different name and associate it with the same entry? This is inconvenient for users/administrators.
This is a great overlay, and with this feature it will be much better for other use cases.
--- Comment #3 from Jan Pekar jan.pekar@imatic.cz ---
One additional comment on a "workaround" I found.
In the target objectClass I can create a dynamic group, i.e. define a memberURL that will look up all entries that reference me (my target objectClass).
The only inconvenience is that in the memberURL I need to filter on the target DN (my entry itself). It would be nice if I could use some replacement variable (something like %self%) so I can define a memberURL like
memberURL: ldap:///ou=someou,dc=example,dc=com??sub?(myAttr=%self%)
and this %self% would always be replaced with the DN of the entry which contains this memberURL definition, so I can list attributes (or list DNs) from entries that point to this entry (point to myself).
Thank you