12:04 a.m.
https://bugs.openldap.org/show_bug.cgi?id=9805
Issue ID: 9805
Summary: member attributes managed by autogroup are lost when
user attributes are adjusted
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs(a)openldap.org
Reporter: michael.bobzin(a)baloise.ch
Target Milestone: ---
Hello OpenLDAP Team,
we use nested groups in our OpenLDAP directory.
User X is a member of group A.
Group A is a member of group B.
User X is therefore also a member of group B.
To be able to find out all groups of user X with only one LDAP query
we use the dynlist overlay together with the autogroup overlay.
Group B is a dynamic group whose member attributes are set with autogroup,
to allow a search for members.
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch"
"(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
Result:
cn=groupA,ou=groups,dc=basler,dc=ch
cn=groupB,ou=groups,dc=basler,dc=ch
----- Gruppe A ----------------------------------------------------------
dn: cn=groupA,ou=groups,dc=basler,dc=ch
cn: groupA
objectClass: top
objectClass: groupOfNames
member:cn=userX,ou=users,dc=basler,dc=ch
----- Gruppe B ----------------------------------------------------------
dn: cn=groupB,ou=groups,dc=basler,dc=ch
cn: groupB
objectClass: top
objectClass: groupOfURLs
memberURL: ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA)
# managed by autogroup
member:cn=userX,ou=users,dc=basler,dc=ch
-----------------------------------------------------------------------
This works until any attribute in the userX object is changed.
The member attribute for userX created dynamically by autogroup is then deleted
from groupB although userX is still a member of groupA and is therefore matched
with the search in the memberURL attribute of groupB matched.
The expected behaviour would be that the member attribute in groupB remains
unchanged.
----------- configuration --------------------------
OpenLDAP 2.4.59 from https://www.ltb-project.org/download.html
--------------- slapd.conf -------------------------
...
moduleload dynlist
moduleload autogroup.so
...
include /usr/local/openldap/etc/openldap/local-schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset groupOfURLs memberURL
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
--
You are receiving this mail because:
You are on the CC list for the issue.
8:48 a.m.
New subject: [Issue 9805] member attributes managed by autogroup are lost when user attributes are adjusted
https://bugs.openldap.org/show_bug.cgi?id=9805
Howard Chu <hyc(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |WONTFIX
Keywords|needs_review |
--- Comment #1 from Howard Chu <hyc(a)openldap.org> ---
OpenLDAP 2.4 is no longer supported.
slapo-dynlist in OpenLDAP 2.5 supports nested groups, so there's no need to use
autogroup at all.
--
You are receiving this mail because:
You are on the CC list for the issue.
8:53 a.m.
New subject: [Issue 9805] member attributes managed by autogroup are lost when user attributes are adjusted
https://bugs.openldap.org/show_bug.cgi?id=9805
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
--
You are receiving this mail because:
You are on the CC list for the issue.
12:19 a.m.
New subject: [Issue 9805] member attributes managed by autogroup are lost when user attributes are adjusted
https://bugs.openldap.org/show_bug.cgi?id=9805
--- Comment #2 from michael.bobzin(a)baloise.ch ---
(In reply to Howard Chu from comment #1)
OpenLDAP 2.4 is no longer supported.
slapo-dynlist in OpenLDAP 2.5 supports nested groups, so there's no need to
use autogroup at all.
Hello Howard,
thanks for the quick reply.
But I am not sure if the dynlist overlay alone is sufficient for our UseCase.
Queries like this
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch" "(cn=groupB)"
member
work well. All dynamically generated members are returned.
But the query
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch"
"(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
only worked (groupB was also returned as a hit),
after we added the autogroup overlay.
For this query, it seems to be important that the member attribute for userX is
managed by autogroup in groupB. The members found dynamically by dynlist do not
seem to work for this search.
Therefore, it is important for us to know why autogroup, when making
adjustments to the attributes of userX deletes the member entry in groupB and
what we can do to prevent it.
But we will first upgrade to 2.5 and repeat the test.
Regards
Michael
--
You are receiving this mail because:
You are on the CC list for the issue.
7:07 a.m.
New subject: [Issue 9805] member attributes managed by autogroup are lost when user attributes are adjusted
https://bugs.openldap.org/show_bug.cgi?id=9805
--- Comment #3 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
(In reply to michael.bobzin from comment #2)
But we will first upgrade to 2.5 and repeat the test.
As Howard noted, dynlist functionality was significantly expanded in OpenLDAP
2.5. That's why the upgrade was suggested. Testing behavior with 2.4 dynlist
is not relevant.
--
You are receiving this mail because:
You are on the CC list for the issue.
8:43 a.m.
New subject: [Issue 9805] member attributes managed by autogroup are lost when user attributes are adjusted
https://bugs.openldap.org/show_bug.cgi?id=9805
michael.bobzin(a)baloise.ch changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|2.4.59 |2.5.11
--- Comment #4 from michael.bobzin(a)baloise.ch ---
(In reply to Quanah Gibson-Mount from comment #3)
(In reply to michael.bobzin from comment #2)
> But we will first upgrade to 2.5 and repeat the test.
As Howard noted, dynlist functionality was significantly expanded in
OpenLDAP 2.5. That's why the upgrade was suggested. Testing behavior with
2.4 dynlist is not relevant.
Hello Quanah,
After upgrading our DEV OpenLDAP server to 2.5.11, we repeated the test.
What I also learned is that the autogroup overlay is independent of the dynlist
overlay.
The autogroup overlay only uses attributes from the dynlist schema and relies
on them,
that the module dynlist or memberof is loaded, otherwise slapd won't start and
will give the
following error message:
autogroup_db_open: unable to find attribute="memberOf": attribute type
undefined (17)
We first repeated the test with the following settings.
--------------- slapd.conf -------------------------
...
include /path/to/dyngroup.schema
# ...
moduleload /path/to/autogroup.so
moduleload /path/to/memberof.so
# ...
database <database>
# ...
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
---------------------------------------------------
The result was the same.
The search
ldapsearch .. -s sub -b "ou=groups,dc=basler,dc=ch"
"(member=cn=userx,ou=users,dc=basler,dc=ch)" dn
works until you make adjustments to the attributes of the userx.
In a second test we then used only the dynlist overlay
--------------- slapd.conf -------------------------
include /path/to/dyngroup.schema
# ...
moduleload dynlist
# ...
database <database>
# ...
overlay dynlist
dynlist-attrset groupOfURLs memberURL
----------------------------------------------------
The search works now with the dynlist overlay but is very slow for our use case
(several dynamic groups with 5000+ members).
The solution with member attributes maintained by autogroup would therefore be
the better solution for our use case, since the members in this case don't have
to be determined dynamically.
Do you see a reason why autogroup deletes the member entries for this user
after adjustments to the attributes of userx? If the criterion for autogroup is
the search defined in the memberURL, only mutation events for the member
attribute of groupA should be relevant and not mutations to the user
attributes.
Thank you for your patience and best regards
Michael
--
You are receiving this mail because:
You are on the CC list for the issue.
640
days inactive
641
days old
5 comments
1 participants
participants (1)
-
openldap-its@openldap.org