Hello list.
I'm a happy user of the dynlist overlay, which I use to make my unix users members of their unix primary group:
# admins, groups, msr-inria.inria.fr
dn: cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr
objectClass: groupOfURLs
objectClass: posixGroup
gidNumber: 5000
memberURL: ldap:///ou=users,dc=msr-inria,dc=inria,dc=fr??sub?(gidNumber=5000)
cn: admins
With this configuration:
# dynamic groups
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
However, I'm facing two issues here.
The first is that the dynlist overlay only accepts a single configuration directive for the whole base, preventing the request URL from being mapped differently depending on the context. In my previous example, I need to map the URL as DN, because I'm dynamically building a group from users. If I wanted to build a group from another group, my URL would have been something like:
ldap:///ou=group,dc=msr-inria,dc=inria,dc=fr?member?sub?(cn=users)
and the configuration directive would have been instead:
dynlist-attrset groupOfURLs memberURL
It would be nice to handle the overlay differently there.
The second directive is that ACLs seem to ignore this dynamic group:
# admins
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break
This worked with a static group, it doesn't work anymore with a dynamic one as I just presented.
I'm using OpenLDAP 2.4.11. Should I open an ITS for those issues?
Guillaume Rousse wrote:
Hello list.
I'm a happy user of the dynlist overlay, which I use to make my unix users members of their unix primary group:
# admins, groups, msr-inria.inria.fr
dn: cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr
objectClass: groupOfURLs
objectClass: posixGroup
gidNumber: 5000
memberURL: ldap:///ou=users,dc=msr-inria,dc=inria,dc=fr??sub?(gidNumber=5000)
cn: admins
With this configuration:
# dynamic groups
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
However, I'm facing two issues here.
The first is that the dynlist overlay only accepts a single configuration directive for the whole base, preventing the request URL from being mapped differently depending on the context. In my previous example, I need to map the URL as DN, because I'm dynamically building a group from users. If I wanted to build a group from another group, my URL would have been something like:
ldap:///ou=group,dc=msr-inria,dc=inria,dc=fr?member?sub?(cn=users)
and the configuration directive would have been instead:
dynlist-attrset groupOfURLs memberURL
It would be nice to handle the overlay differently there.
The second directive is that ACLs seem to ignore this dynamic group:
# admins
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break
Try
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group/groupOfURLs/memberURL="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break
(please excuse any unintended line wrapping).
This worked with a static group, it doesn't work anymore with a dynamic one as I just presented.
I'm using OpenLDAP 2.4.11. Should I open an ITS for those issues?
Issue #2 should be fixed by the above rule. I suggest you file a request for enhancement for issue #1, consisting of adding an (optional) URI to each dynlist-attrset that allows restricting the application of the attrset to selected dynamic group entries matching the base, scope and filter of the URI (if present).
The configuration would become something like
dynlist-attrset <group-oc> <URL-ad> [ ldap:///base??scope?filter ] [[<mapped-ad>:]<member-ad> ...]
and, in your case, you would need something like
overlay dynlist
dynlist-attrset groupOfURLs memberURL ldap:///cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr??base member
dynlist-attrset groupOfURLs memberURL ldap:///cn=users,ou=groups,dc=msr-inria,dc=inria,dc=fr??base
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
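To make the proposed per-attrset URI concrete, here is an added example (my own code, not OpenLDAP's dynlist) that parses the `ldap:///base?attrs?scope?filter` URLs used in memberURL, parses a `dynlist-attrset` line in the extended syntax proposed above (URI after the URL attribute, as in this thread rather than any shipped release), and decides whether a given dynamic group entry falls within that URI's base and scope. DN handling is simplified (no escaped commas) and the filter is only carried through, not evaluated.

```python
"""Parse dynlist-attrset lines in the URI-restricted syntax proposed in this thread.

Added illustration, not OpenLDAP code. Filter matching is out of scope here.
"""
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split an RFC 4516 host-less URL ldap:///base?attrs?scope?filter into parts."""
    assert url.startswith("ldap:///"), "only host-less URLs are handled here"
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))               # missing fields default to empty
    base, attrs, scope, flt = (unquote(p) for p in parts[:4])
    return {
        "base": base,
        "attrs": [a for a in attrs.split(",") if a],  # empty list -> entry DNs
        "scope": scope or "base",                      # RFC 4516 default scope
        "filter": flt or "(objectClass=*)",            # RFC 4516 default filter
    }

def _norm(dn):
    # Simplification: lower-case and strip spaces; escaped commas are not handled.
    return ",".join(r.strip().lower() for r in dn.split(","))

def dn_in_scope(dn, base, scope):
    """True if dn lies within base under the given search scope (base/one/sub)."""
    dn, base = _norm(dn), _norm(base)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    rdns_below = dn[: -len(base) - 1].count(",") + 1
    return scope == "sub" or rdns_below == 1

def parse_attrset(line):
    """dynlist-attrset <group-oc> <URL-ad> [ldap:///base??scope?filter] [[<mapped-ad>:]<member-ad> ...]"""
    toks = line.split()
    assert toks[0] == "dynlist-attrset"
    group_oc, url_ad, rest = toks[1], toks[2], toks[3:]
    uri = None
    if rest and rest[0].startswith("ldap:///"):
        uri, rest = parse_ldap_url(rest[0]), rest[1:]
    mappings = [tuple(m.split(":", 1)) if ":" in m else (None, m) for m in rest]
    return {"group_oc": group_oc, "url_ad": url_ad, "uri": uri, "mappings": mappings}

def applies_to(attrset, group_dn):
    """Without a URI the attrset applies to every group; with one, only inside its base/scope."""
    uri = attrset["uri"]
    return uri is None or dn_in_scope(group_dn, uri["base"], uri["scope"])
```

With the two attrsets from the reply above, the `cn=admins` entry matches only the first (whose DNs are listed under `member`), and `cn=users` only the second (whose `member` values are copied as-is).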
Pierangelo Masarati wrote:
The second directive is that ACLs seem to ignore this dynamic group:
# admins
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break
Try
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group/groupOfURLs/memberURL="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break
(please excuse any unintended line wrapping).
Indeed, many thanks.
Guillaume Rousse wrote:
Pierangelo Masarati wrote:
The second directive is that ACLs seem to ignore this dynamic group:
# admins
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break
Try
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group/groupOfURLs/memberURL="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break
(please excuse any unintended line wrapping).
Indeed, many thanks.
This is an often overlooked requirement of groups that use a group objectClass and member attribute other than groupOfNames and member. Probably a note should be added to the slapo-dynlist(5) man page and somewhere else as appropriate.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team