On Monday, 08 December 2008, Pierangelo Masarati wrote:
Wilhelm Meier wrote:
What version?
2.4.11
There have been at least two fixes to slapo-dynlist since 2.4.11. Please check whether your issue has already been addressed.
openldap Version 2.4.13
The definition:

slapd.conf:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member

The record:
ldapsearch -x -LLL -M '(&(cn=ab37) (member=uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx))' member memberurl
dn: cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx
memberURL: ldap:///dc=schule,dc=xx??sub?(&(gidNumber=101)(sambasid=*))
member: uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx

SUCCESS: simple search
ldapsearch -x -LLL cn=ab37 memberurl member
dn: cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx
memberURL: ldap:///dc=schule,dc=xx??sub?(&(gidNumber=101)(sambasid=*))
member: uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
member: uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx

SUCCESS: The search on a static attribute:
ldapsearch -x -LLL '(&(cn=ab37) (member=uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx))' member memberurl
dn: cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx
memberURL: ldap:///dc=schule,dc=xx??sub?(&(gidNumber=101)(sambasid=*))
member: uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
member: uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx

SUCCESS: The compare on a dynamic attribute:
ldapcompare -x cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx member:uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
TRUE

FAIL: The search on a dynamic attribute:
ldapsearch -x -LLL '(&(cn=ab37) (member=uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx))' member memberurl
Even if there is no static member attribute, the result is the same. dynlist works only partially.
It is not possible to search for and find a dynamically generated attribute.
And this is the reason why the command "id" will not enumerate group membership correctly.
slapo-dynlist is working as intended. You can't filter on a dynamically gathered value, as dynamic values are gathered **after** the search is performed. This is clearly described in the documentation. It's not a limitation: you're simply misusing that piece of software. Now you'll probably come out with an explanation as per why slapo-dynlist is almost useless because of this missing capability, and all in all it shouldn't be so difficult to overcome. I just want to note that this discussion already took place many times on this list and, yes, it is not trivial to implement this feature in an efficient manner, that's why it was not considered from the beginning. Of course, technology evolves, and if you can come up with an efficient solution and contribute it to the project, it'll always be welcome.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
Hi, one last question.
What is the technical reason that a compare alone works and a compare in a search filter fails?

SUCCESS: The compare on a dynamic attribute:
ldapcompare -x cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx member:uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
TRUE

FAIL: The search on a dynamic attribute:
ldapsearch -x -LLL '(&(cn=ab37) (member=uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx))' member memberurl
Harry Jede wrote:
Hi, one last question.
What is the technical reason that a compare alone works and a compare in a search filter fails?
Compares for member DN work because the overlay is used the other way round, namely entries belonging to the subtree specification represented by each URL are looked up until a match is found. This is explicitly intended to support dynamic group membership checking the right way.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
openldap-software@openldap.org
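
The two replies above explain why a search filter on a dynamic member finds nothing while a compare on the same value returns TRUE. The following is an added example, not part of the original thread and not OpenLDAP code: a simplified Python model of that ordering. The user attributes, the `GAST` entry, the function names and the static-value check in `compare` are assumptions made for illustration.

```python
# Simplified model of the behaviour described in this thread; it is not slapd code.
# All entries are constructed sample data that mirror the DNs quoted above.
SUFFIX = "dc=schule,dc=xx"
GROUP_DN = "cn=ab37,ou=GRUPPEN,o=SCHULE," + SUFFIX
JEDEH = "uid=jedeh,ou=LEHRER,o=SCHULE," + SUFFIX
SCHLOTTER = "uid=schlotter,ou=LEHRER,o=SCHULE," + SUFFIX
GAST = "uid=gast,ou=LEHRER,o=SCHULE," + SUFFIX  # hypothetical non-member

USERS = {
    JEDEH: {"gidNumber": "100", "sambasid": "S-1"},
    SCHLOTTER: {"gidNumber": "101", "sambasid": "S-2"},
    GAST: {"gidNumber": "200"},
}

def url_matches(dn, attrs):
    """Stand-in for ldap:///dc=schule,dc=xx??sub?(&(gidNumber=101)(sambasid=*))."""
    in_scope = dn.endswith("," + SUFFIX)
    return in_scope and attrs.get("gidNumber") == "101" and "sambasid" in attrs

# What is stored: one static member plus the memberURL (modelled by url_matches).
GROUPS = {GROUP_DN: {"cn": "ab37", "member": [JEDEH], "memberURL": [url_matches]}}

def expand(entry):
    """Add dynamic members to an entry that is about to be returned."""
    dynamic = [dn for url in entry["memberURL"]
               for dn, attrs in USERS.items() if url(dn, attrs)]
    merged = list(dict.fromkeys(entry["member"] + dynamic))
    return {**entry, "member": merged}

def search(cn, member_dn):
    """Filter (&(cn=...)(member=...)) runs on stored values; expansion comes after."""
    hits = [e for e in GROUPS.values()
            if e["cn"] == cn and member_dn in e["member"]]
    return [expand(e) for e in hits]

def compare(group_dn, member_dn):
    """Compare asks the question the other way round: does this DN match a URL?"""
    entry = GROUPS[group_dn]
    if member_dn in entry["member"]:  # static value (an assumption of this model)
        return True
    attrs = USERS.get(member_dn)
    return attrs is not None and any(url(member_dn, attrs) for url in entry["memberURL"])

if __name__ == "__main__":
    print("search jedeh     :", [e["member"] for e in search("ab37", JEDEH)])
    print("search schlotter :", search("ab37", SCHLOTTER))
    print("compare schlotter:", compare(GROUP_DN, SCHLOTTER))
```

In this model an access decision based on the search filter would miss every dynamic member, while the compare path answers correctly for both static and dynamic ones.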