quanah@stanford.edu wrote:
--On Friday, February 02, 2007 8:26 PM +0000 quanah@stanford.edu wrote:
Full_Name: Quanah Gibson-Mount
Version: 2.3.33
OS: Linux 2.6 (64-bit)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.19.81)
In doing a base query of a dynamic group I had created, I found that the information returned when using the dynlist overlay is bogus.
And what I expected to see was something more along the lines of:
dn: cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu
objectClass: groupOfURLs
cn: registry-consult
memberURL: ldap:///cn=people,dc=stanford,dc=edu??sub?(suprivilegegroup=value:value2)
One of the distinguishing features of the dynlist overlay is that it can actually __create__ a dynamic view of the listed data by collecting all values of all attributes (honoring a few constraints, like all additional values of single-valued attributes get discarded; I believe in HEAD code it also avoids merging other structural objectClasses unless they fit into the hierarchy of the current structuralObjectClass). To limit this, you can use the <attrs> field of the URL, so that only the listed attrs are actually merged. Or, if you want it to behave exactly like a group, you should configure it with the <member-ad> field:
dynlist-attrset <group-oc> <URL-ad> [<member-ad>]

The value <group-oc> is the name of the objectClass that triggers the dynamic expansion of the data.
The value <URL-ad> is the name of the attributeDescription that contains the URI that is expanded by the overlay; if none is present, no expansion occurs. If the intersection of the attributes requested by the search operation (or the asserted attribute for compares) and the attributes listed in the URI is empty, no expansion occurs for that specific URI. It must be a subtype of labeledURI.
The value <member-ad> is optional; if present, the overlay behaves as a dynamic group: this attribute will list the DN of the entries resulting from the internal search. In this case, the <attrs> portion of the URI must be absent, and the DNs of all the entries resulting from the expansion of the URI are listed as values of this attribute. Compares that assert the value of the <member-ad> attribute of entries with <group-oc> objectClass apply as if the DN of the entries resulting from the expansion of the URI were present in the <group-oc> entry as values of the <member-ad> attribute.
To see what you expect, you need to add the manageDSAit control (I believe this is undocumented; I'll fix it in a moment).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
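
The three views of the group entry discussed in this reply (merged dynamic view, dynamic group with <member-ad>, and the stored entry returned under manageDSAit), as an added Python model that is not part of the original message and is not OpenLDAP code. The people entries, the choice of `member` as <member-ad> and all function names are constructed for illustration; only simple equality filters and subtree scope are modelled.

```python
# Simplified model of the dynlist behaviour described above; not OpenLDAP code.
# Assumptions: only "(attr=value)" filters and subtree scope are modelled.
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four fields."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are modelled")
    parts = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    base, attrs, scope, flt = (unquote(p) for p in parts)
    return base, [a for a in attrs.split(",") if a], scope or "base", flt

def matches(dn, entry, base, flt):
    """True if dn is at or under base and the equality filter matches."""
    attr, _, value = flt.strip("()").partition("=")
    return (dn == base or dn.endswith("," + base)) and value in entry.get(attr, [])

def search_group(group, directory, url_ad="memberURL", member_ad=None, manage_dsa_it=False):
    """Return the group entry as a client reading it would see it."""
    view = {k: list(v) for k, v in group.items()}
    if manage_dsa_it:  # control present: stored entry, no expansion
        return view
    for url in group.get(url_ad, []):
        base, attrs, _scope, flt = parse_ldap_url(url)
        for dn, entry in directory.items():
            if not matches(dn, entry, base, flt):
                continue
            if member_ad:  # dynamic group: only the DN is listed
                view.setdefault(member_ad, []).append(dn)
                continue
            for attr, values in entry.items():  # dynamic view: merge values
                if attrs and attr not in attrs:
                    continue
                merged = view.setdefault(attr, [])
                merged.extend([v for v in values if v not in merged])
    return view

# Constructed sample data; the group entry mirrors the one quoted in the report.
PEOPLE = "cn=people,dc=stanford,dc=edu"
GROUP = {"objectClass": ["groupOfURLs"], "cn": ["registry-consult"],
         "memberURL": ["ldap:///" + PEOPLE + "??sub?(suprivilegegroup=value:value2)"]}
DIRECTORY = {
    "uid=alice," + PEOPLE: {"mail": ["alice@example.org"], "suprivilegegroup": ["value:value2"]},
    "uid=bob," + PEOPLE: {"mail": ["bob@example.org"], "suprivilegegroup": ["other"]},
    "uid=carol," + PEOPLE: {"mail": ["carol@example.org"], "suprivilegegroup": ["value:value2"]},
}

if __name__ == "__main__":
    for label, kw in [("merged view", {}), ("dynamic group", {"member_ad": "member"}), ("manageDSAit", {"manage_dsa_it": True})]:
        print(label, search_group(GROUP, DIRECTORY, **kw))
```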