Hello all
I run openldap on a debian box:
root@nova:LdapDeb# slapd -V
@(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 09:54:28) $
buildd@caballero:/build/buildd/openldap2.3-2.3.30/debian/build/servers/slapd
root@nova:LdapDeb#
I use the dynlist overlay configured in slapd.conf like this:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
The ldif entry:
dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
objectClass: groupOfURLs
cn: dynUsers
ou: dynUsers
memberURL: ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(uid=*)
The search does not expand each member: cn=...
root@nova:LdapDeb# ldapsearch -x -LLL -b "ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s base "memberURL=*"
dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
objectClass: groupOfURLs
cn: dynUsers
ou: dynUsers
memberURL: ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(mail=*)
If I replace 'dn' by uid all works fine:
root@nova:LdapDeb# ldapsearch -x -LLL -b "ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s base "memberURL=*"
dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
objectClass: groupOfURLs
cn: dynUsers
ou: dynUsers
memberURL: ldap:///br=Internal,o=Eurofer,c=be?uid?sub?(mail=*)
uid: dominique
uid: freddy
uid: valerie
...
What is missing in my config? Is it not permitted to return the dn?
Thanks in advance for your help
Guy
Guy Deleeuw wrote:
> Hello all
> I run openldap on a debian box:
> root@nova:LdapDeb# slapd -V
> @(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 09:54:28) $
> buildd@caballero:/build/buildd/openldap2.3-2.3.30/debian/build/servers/slapd
> root@nova:LdapDeb#
> I use the dynlist overlay configured in slapd.conf like this:
> overlay dynlist
> dynlist-attrset groupOfURLs memberURL member
> The ldif entry:
> dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
> objectClass: groupOfURLs
> cn: dynUsers
> ou: dynUsers
> memberURL: ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(uid=*)
> The search does not expand each member: cn=...
> root@nova:LdapDeb# ldapsearch -x -LLL -b "ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s base "memberURL=*"
> dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
> objectClass: groupOfURLs
> cn: dynUsers
> ou: dynUsers
> memberURL: ldap:///br=Internal,o=Eurofer,c=be?dn?sub?(mail=*)
> If I replace 'dn' by uid all works fine:
> root@nova:LdapDeb# ldapsearch -x -LLL -b "ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s base "memberURL=*"
> dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
> objectClass: groupOfURLs
> cn: dynUsers
> ou: dynUsers
> memberURL: ldap:///br=Internal,o=Eurofer,c=be?uid?sub?(mail=*)
> uid: dominique
> uid: freddy
> uid: valerie
> ...
> What is missing in my config? Is it not permitted to return the dn?
"dn" is not a valid attribute type. You need to specify "entryDN" (RFC 5020).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Hello,
Many thanks for your response.
> "dn" is not a valid attribute type. You need to specify "entryDN" (RFC 5020).
> p.
But no changes with: ldap:///br=Internal,o=Eurofer,c=be?entryDN?sub?(uid=*)
root@nova:~# ldapsearch -x -LLL -b "ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s base "memberURL=*"
dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
objectClass: groupOfURLs
cn: dynUsers
ou: dynUsers
memberURL: ldap:///br=Internal,o=Eurofer,c=be?entryDN?sub?(uid=*)
root@nova:~#
Regards
Guy
Guy Deleeuw wrote:
> Hello,
> Many thanks for your response.
> > "dn" is not a valid attribute type. You need to specify "entryDN" (RFC 5020).
> > p.
> But no changes with: ldap:///br=Internal,o=Eurofer,c=be?entryDN?sub?(uid=*)
> root@nova:~# ldapsearch -x -LLL -b "ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be" -s base "memberURL=*"
> dn: ou=dynUsers,ou=users,ou=portal,ou=Extranet,ou=Exo,o=Eurofer,c=be
> objectClass: groupOfURLs
> cn: dynUsers
> ou: dynUsers
> memberURL: ldap:///br=Internal,o=Eurofer,c=be?entryDN?sub?(uid=*)
I'm really missing something: you configure slapo-dynlist with
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
this means that the entryDN (i.e. the DN) of each entry matching the search URI should be added to the group entry as "member" (the last arg to the dynlist-attrset). Can you confirm that? I also note that since 2.3.30 there have been quite a few bug fixes in slapo-dynlist(5); can you confirm the unexpected behavior with 2.3.40?
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
> I'm really missing something: you configure slapo-dynlist with
> overlay dynlist
> dynlist-attrset groupOfURLs memberURL member
> this means that the entryDN (i.e. the DN) of each entry matching the search URI should be added to the group entry as "member" (the last arg to the dynlist-attrset). Can you confirm that? I also note that since 2.3.30 there have been quite a few bug fixes in slapo-dynlist(5); can you confirm the unexpected behavior with 2.3.40?
Yes, that is what I need: a list of member attributes with the DN value. Maybe you are right; I also suspect the debian version, particularly the client library. I will upgrade tonight and give you a follow-up.
Many thanks for your support
Guy
> > I'm really missing something: you configure slapo-dynlist with
> > overlay dynlist
> > dynlist-attrset groupOfURLs memberURL member
> > this means that the entryDN (i.e. the DN) of each entry matching the search URI should be added to the group entry as "member" (the last arg to the dynlist-attrset). Can you confirm that? I also note that since 2.3.30 there have been quite a few bug fixes in slapo-dynlist(5); can you confirm the unexpected behavior with 2.3.40?
> Yes, that is what I need: a list of member attributes with the DN value. Maybe you are right; I also suspect the debian version, particularly the client library. I will upgrade tonight and give you a follow-up.
Looking at the manpage, it looks like if you want to populate the member attribute with dn's, you leave the attribute in the ldap url blank. i.e.:
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
not
memberURL: ldap:///ou=People,dc=example,dc=com?entryDN?sub?(objectClass=person)
"The value <member-ad> is optional; if present, the overlay behaves as a dynamic group: this attribute will list the DN of the entries resulting from the internal search. In this case, the <attrs> portion of the URI must be absent, and the DNs of all the entries resulting from the expansion of the URI are listed as values of this attribute."
Granted, I'm looking at the man page for 2.4 and you are running 2.3, but I'm assuming the behaviour hasn't changed that much between these versions (I could be wrong).
- Jeff
Clowser, Jeff (Contractor) wrote:
> Looking at the manpage, it looks like if you want to populate the member attribute with dn's, you leave the attribute in the ldap url blank. i.e.:
> memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
> not
> memberURL: ldap:///ou=People,dc=example,dc=com?entryDN?sub?(objectClass=person)
> "The value <member-ad> is optional; if present, the overlay behaves as a dynamic group: this attribute will list the DN of the entries resulting from the internal search. In this case, the <attrs> portion of the URI must be absent, and the DNs of all the entries resulting from the expansion of the URI are listed as values of this attribute."
> Granted, I'm looking at the man page for 2.4 and you are running 2.3, but I'm assuming the behaviour hasn't changed that much between these versions (I could be wrong).
Correct; but, as far as I can tell, when the "member-ad" arg is present, its population with the DN of entries matching the search occurs regardless of any attrs in the URI, which are ignored. So I really don't understand what's happening in Guy's case.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
Hello,
> Looking at the manpage, it looks like if you want to populate the member attribute with dn's, you leave the attribute in the ldap url blank. i.e.:
> memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
> not
> memberURL: ldap:///ou=People,dc=example,dc=com?entryDN?sub?(objectClass=person)
Yes, I read the man page, except that I never search with a filter that requests an objectClass. The empty attribute does not work either; I tried it before my first post. As Pierangelo suggested, I will start the upgrade this evening (if possible with testing packages, or tomorrow if a local build is needed).
Regards
Guy
> "The value <member-ad> is optional; if present, the overlay behaves as a dynamic group: this attribute will list the DN of the entries resulting from the internal search. In this case, the <attrs> portion of the URI must be absent, and the DNs of all the entries resulting from the expansion of the URI are listed as values of this attribute."
> Granted, I'm looking at the man page for 2.4 and you are running 2.3, but I'm assuming the behaviour hasn't changed that much between these versions (I could be wrong).
> - Jeff
Hello,
I just checked the packages available in the debian sources. On testing: 2.3.37. On unstable: 2.3.39. But with a lot of dependencies that are not possible to upgrade now. I will build my own slapd tomorrow.
Just one question: the development packages are really old on debian; is that a problem for this specific subject?
Regards
Guy
Pierangelo Masarati wrote:
> Correct; but, as far as I can tell, when the "member-ad" arg is present, its population with the DN of entries matching the search occurs regardless of any attrs in the URI, which are ignored. So I really don't understand what's happening in Guy's case.
> p.
Hello,
> Correct; but, as far as I can tell, when the "member-ad" arg is present, its population with the DN of entries matching the search occurs regardless of any attrs in the URI, which are ignored. So I really don't understand what's happening in Guy's case.
> p.
I just tried with a new version of slapd (2.3.40) but no changes. Any ideas are welcome.
Regards
Guy
Guy Deleeuw wrote:
> I just tried with a new version of slapd (2.3.40) but no changes. Any ideas are welcome.
$ cd tests
$ ./run test044
then:
- look at testrun/slapd.1.conf, at the bottom; compare with your slapd.conf
- $ ../servers/slapd/slapd -f testrun/slapd.1.conf -h 'ldap://:9011' \
      -s0 -dstats
- in another shell, $ ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' \
      '(objectClass=groupOfURLs)'
Then it's up to you to spot the differences between the expected setup and yours.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
Hello Pierangelo
Thanks for your fast response.
All works fine now. I just cut and pasted the last line of your slapd.conf into my slapd.conf, restarted the server, and all is OK. Maybe a bad character in the config file (I checked and the lines are identical).
Many thanks for your help
Regards
Guy
Pierangelo Masarati wrote:
> Guy Deleeuw wrote:
> > I just tried with a new version of slapd (2.3.40) but no changes. Any ideas are welcome.
> $ cd tests
> $ ./run test044
> then:
> - look at testrun/slapd.1.conf, at the bottom; compare with your slapd.conf
> - $ ../servers/slapd/slapd -f testrun/slapd.1.conf -h 'ldap://:9011' \
>       -s0 -dstats
> - in another shell, $ ldapsearch -x -H ldap://:9011 -b 'dc=example,dc=com' \
>       '(objectClass=groupOfURLs)'
> Then it's up to you to spot the differences between the expected setup and yours.
> p.
openldap-software@openldap.org
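The thread closes with a directive that started working after being re-pasted, although both versions looked identical on screen. As an added example (not part of the thread and not OpenLDAP code), the Python below locates characters in a slapd.conf that an editor does not show and pinpoints where two look-alike lines differ; the sample config, the function names and the set of characters treated as suspicious are assumptions.

```python
import unicodedata

# Constructed sample: the second directive hides a NO-BREAK SPACE (U+00A0)
# between two arguments and ends with a stray carriage return.
SAMPLE_CONF = (
    "overlay dynlist\n"
    "dynlist-attrset groupOfURLs\u00a0memberURL member\r\n"
)


def find_hidden_chars(text):
    """Return (line, column, 'U+XXXX', name) for every character that is
    neither printable ASCII nor a tab, scanning line by line."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t" or " " <= ch <= "~":
                continue
            # Control characters have no Unicode name; label them CONTROL.
            name = unicodedata.name(ch, "CONTROL")
            findings.append((lineno, col, "U+%04X" % ord(ch), name))
    return findings


def first_difference(a, b):
    """Compare two lines that look identical; return the 1-based column of
    the first differing character, or None when they are truly equal."""
    for col, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return col
    return None if len(a) == len(b) else min(len(a), len(b)) + 1


if __name__ == "__main__":
    # For a real file (path is an assumption), read it with newline=""
    # so carriage returns are preserved:
    #   text = open("/etc/ldap/slapd.conf", encoding="utf-8",
    #               errors="replace", newline="").read()
    for finding in find_hidden_chars(SAMPLE_CONF):
        print("line %d col %d: %s %s" % finding)
```

Comparing the suspect line against the corresponding line of testrun/slapd.1.conf with first_difference gives the exact column to inspect.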