https://bugs.openldap.org/show_bug.cgi?id=9805
Issue ID: 9805
Summary: member attributes managed by autogroup are lost when user attributes are adjusted
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs@openldap.org
Reporter: michael.bobzin@baloise.ch
Target Milestone: ---
Hello OpenLDAP Team,
we use nested groups in our OpenLDAP directory. User X is a member of group A. Group A is a member of group B. User X is therefore also a member of group B.
To be able to find out all groups of user X with only one LDAP query we use the dynlist overlay together with the autogroup overlay.
Group B is a dynamic group whose member attributes are set with autogroup, to allow a search for members.
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
Result:
cn=groupA,ou=groups,dc=basler,dc=ch
cn=groupB,ou=groups,dc=basler,dc=ch
----- Group A ----------------------------------------------------------
dn: cn=groupA,ou=groups,dc=basler,dc=ch
cn: groupA
objectClass: top
objectClass: groupOfNames
member: cn=userX,ou=users,dc=basler,dc=ch
----- Group B ----------------------------------------------------------
dn: cn=groupB,ou=groups,dc=basler,dc=ch
cn: groupB
objectClass: top
objectClass: groupOfURLs
memberURL: ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA)
# managed by autogroup
member: cn=userX,ou=users,dc=basler,dc=ch
-----------------------------------------------------------------------
This works until any attribute in the userX object is changed. The member attribute for userX created dynamically by autogroup is then deleted from groupB, although userX is still a member of groupA and is therefore still matched by the search in the memberURL attribute of groupB.
The expected behaviour would be that the member attribute in groupB remains unchanged.
----------- configuration --------------------------
OpenLDAP 2.4.59 from https://www.ltb-project.org/download.html
--------------- slapd.conf -------------------------
...
moduleload dynlist
moduleload autogroup.so
...
include /usr/local/openldap/etc/openldap/local-schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset groupOfURLs memberURL
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
Howard Chu hyc@openldap.org changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED |RESOLVED
         Resolution|---         |WONTFIX
           Keywords|needs_review|
--- Comment #1 from Howard Chu hyc@openldap.org ---
OpenLDAP 2.4 is no longer supported.
slapo-dynlist in OpenLDAP 2.5 supports nested groups, so there's no need to use autogroup at all.
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|RESOLVED    |VERIFIED
--- Comment #2 from michael.bobzin@baloise.ch ---
(In reply to Howard Chu from comment #1)
> OpenLDAP 2.4 is no longer supported.
> slapo-dynlist in OpenLDAP 2.5 supports nested groups, so there's no need to use autogroup at all.
Hello Howard,
thanks for the quick reply.
But I am not sure if the dynlist overlay alone is sufficient for our use case. Queries like this
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(cn=groupB)" member
work well. All dynamically generated members are returned.
But the query
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
only worked (groupB was also returned as a hit) after we added the autogroup overlay. For this query, it seems to be important that the member attribute for userX is managed by autogroup in groupB. The members found dynamically by dynlist do not seem to work for this search.
Therefore, it is important for us to know why autogroup, when adjustments are made to the attributes of userX, deletes the member entry in groupB, and what we can do to prevent it.
But we will first upgrade to 2.5 and repeat the test.
Regards
Michael
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
(In reply to michael.bobzin from comment #2)
> But we will first upgrade to 2.5 and repeat the test.
As Howard noted, dynlist functionality was significantly expanded in OpenLDAP 2.5. That's why the upgrade was suggested. Testing behavior with 2.4 dynlist is not relevant.
michael.bobzin@baloise.ch changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
            Version|2.4.59      |2.5.11
--- Comment #4 from michael.bobzin@baloise.ch ---
(In reply to Quanah Gibson-Mount from comment #3)
> (In reply to michael.bobzin from comment #2)
> > But we will first upgrade to 2.5 and repeat the test.
> As Howard noted, dynlist functionality was significantly expanded in OpenLDAP 2.5. That's why the upgrade was suggested. Testing behavior with 2.4 dynlist is not relevant.
Hello Quanah,
After upgrading our DEV OpenLDAP server to 2.5.11, we repeated the test. What I also learned is that the autogroup overlay is independent of the dynlist overlay. The autogroup overlay only uses attributes from the dynlist schema and relies on the dynlist or memberof module being loaded; otherwise slapd won't start and gives the following error message:
autogroup_db_open: unable to find attribute="memberOf": attribute type undefined (17)
We first repeated the test with the following settings.
--------------- slapd.conf -------------------------
...
include /path/to/dyngroup.schema
# ...
moduleload /path/to/autogroup.so
moduleload /path/to/memberof.so
# ...
database <database>
# ...
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
---------------------------------------------------
The result was the same. The search
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
works until you make adjustments to the attributes of userx.
In a second test we then used only the dynlist overlay.
--------------- slapd.conf -------------------------
include /path/to/dyngroup.schema
# ...
moduleload dynlist
# ...
database <database>
# ...
overlay dynlist
dynlist-attrset groupOfURLs memberURL
----------------------------------------------------
The search works now with the dynlist overlay but is very slow for our use case (several dynamic groups with 5000+ members).
The solution with member attributes maintained by autogroup would therefore be the better solution for our use case, since the members in this case don't have to be determined dynamically.
Do you see a reason why autogroup deletes the member entries for this user after adjustments to the attributes of userx? If the criterion for autogroup is the search defined in the memberURL, only mutation events for the member attribute of groupA should be relevant and not mutations to the user attributes.
Thank you for your patience and best regards,
Michael
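Added example, not part of the bug report or of OpenLDAP's own code: a small Python model of how the memberURL in groupB is expanded into member values under the dynlist-attrset from the first post, and why the reverse search "(member=cn=userx,...)" from comments #2 and #4 has to expand every dynamic group under ou=groups unless the values are materialised as autogroup does. The in-memory directory, the simplified RFC 4516 URL parsing, the single equality/presence filter support and the naive DN splitting are constructed assumptions, not slapd's implementation.

```python
# Constructed entries mirroring the report (not a real server): static groupA, dynamic groupB.
DIRECTORY = {
    "cn=userX,ou=users,dc=basler,dc=ch": {"objectClass": ["person"], "cn": ["userX"]},
    "cn=groupA,ou=groups,dc=basler,dc=ch": {"objectClass": ["groupOfNames"], "cn": ["groupA"],
                                            "member": ["cn=userX,ou=users,dc=basler,dc=ch"]},
    "cn=groupB,ou=groups,dc=basler,dc=ch": {"objectClass": ["groupOfURLs"], "cn": ["groupB"],
        "memberURL": ["ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA)"]},
}

def parse_ldap_url(url):
    """Split an RFC 4516 URL ldap:///base?attrs?scope?filter into its four parts (simplified)."""
    base, attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    return base, [a for a in attrs.split(",") if a], scope or "base", flt or "(objectClass=*)"

def matches(entry, flt):
    """Only (attr=value) and (attr=*) filters are modelled; values compare case-insensitively."""
    attr, _, value = flt.strip("()").partition("=")
    return attr in entry if value == "*" else any(v.lower() == value.lower() for v in entry.get(attr, []))

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()   # DN matching is case-insensitive; escaped commas ignored
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def search(base, scope, flt, directory=DIRECTORY):
    return [dn for dn, e in directory.items() if in_scope(dn, base, scope) and matches(e, flt)]

def expand_members(dn, directory=DIRECTORY, seen=None):
    """dynlist-attrset groupOfURLs memberURL member: copy the listed attribute of every URL hit into member."""
    seen = set() if seen is None else seen
    seen.add(dn.lower())
    entry = directory[dn]
    members = list(entry.get("member", []))
    for url in entry.get("memberURL", []):
        base, attrs, scope, flt = parse_ldap_url(url)
        for hit in search(base, scope, flt, directory):
            if hit.lower() in seen:   # guard against cyclic nesting
                continue
            for a in attrs:
                # nested dynamic groups (supported by 2.5 dynlist) are modelled by recursing
                vals = expand_members(hit, directory, seen) if a == "member" else directory[hit].get(a, [])
                members += [v for v in vals if v.lower() not in {m.lower() for m in members}]
    return members

def groups_of(user_dn, directory=DIRECTORY):
    """The reverse search from the report, (member=<user>) under ou=groups: every dynamic group
    is expanded first, which is the slow path unless member values are materialised (autogroup)."""
    return [dn for dn in search("ou=groups,dc=basler,dc=ch", "sub", "(objectClass=*)", directory)
            if any(m.lower() == user_dn.lower() for m in expand_members(dn, directory))]
```

Running the raw member filter with search() alone returns only groupA, because groupB stores no member values of its own; only groups_of(), which expands each dynamic group first, also returns groupB.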