Howard, hello.
On 7 Feb 2024, at 19:36, Howard Chu wrote:
If I then make a query which has a few results, I do not get this limit imposed, and instead see in the logs
65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry:
"cn=ldap-operators,ou=groups,o=example"
65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
And those logs are correct, the group entry you specified has no member attribute. What it has is a memberURL attribute, and that's what you should have configured in your olcLimits statement.
Aha. I had taken the description to refer to the synthesised 'member' attributes in the dynamically generated group. Thanks for this.
On changing this, though, to
olcLimits: group/groupOfURLs/memberURL="cn=ldap-operators,ou=groups,o=example" size=2
and making a query, I now see in the logs (with -d-1):
65c3df21.21fa70c8 0x16cacf000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
65c3df21.21fa97d8 0x16cacf000 => mdb_entry_get: ndn: "cn=ldap-operators,ou=groups,o=example"
65c3df21.21fab718 0x16cacf000 => mdb_entry_get: oc: "groupOfURLs", at: "memberURL"
65c3df21.21fb1ca8 0x16cacf000 mdb_dn2entry("cn=ldap-operators,ou=groups,o=example")
65c3df21.21fb4b88 0x16cacf000 => mdb_dn2id("cn=ldap-operators,ou=groups,o=example")
65c3df21.21fb8a08 0x16cacf000 <= mdb_dn2id: got id=0x2857
65c3df21.21fbb8e8 0x16cacf000 => mdb_entry_decode:
65c3df21.21fbd440 0x16cacf000 <= mdb_entry_decode
65c3df21.21fbef98 0x16cacf000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
65c3df21.21fc0ed8 0x16cacf000 mdb_entry_get: rc=0
65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
65c3df21.21fc7c38 0x16cacf000 => mdb_search
65c3df21.21fcb6d0 0x16cacf000 mdb_dn2entry("o=example")
65c3df21.21fcd9f8 0x16cacf000 => mdb_dn2id("o=example")
65c3df21.21fcf938 0x16cacf000 <= mdb_dn2id: got id=0x1
65c3df21.21fd1490 0x16cacf000 => mdb_entry_decode:
65c3df21.21fd2fe8 0x16cacf000 <= mdb_entry_decode
65c3df21.21fd4b40 0x16cacf000 => access_allowed: search access to "o=example" "entry" requested
There's no mention of 'limits' after this point in the log.
Thus it's finding the right entry and attribute, and parsing the URL therein, but it's not clear what it's concluding. When a search is performed as a user who is included in the synthesised cn=ldap-operators (confirmed by a search for that group), the query results are not limited to 2 objects.
That 2-object limit is what I see in the corresponding configuration when ldap-operators is a groupOfNames with explicit member attributes:
65c3e6ae.1da1a5c8 0x16e80b000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
65c3e6ae.1da1c8f0 0x16e80b000 => mdb_entry_get: ndn: "cn=ldap-operators,ou=groups,o=example"
65c3e6ae.1da1e060 0x16e80b000 => mdb_entry_get: oc: "groupOfNames", at: "member"
65c3e6ae.1da226b0 0x16e80b000 mdb_dn2entry("cn=ldap-operators,ou=groups,o=example")
65c3e6ae.1da24dc0 0x16e80b000 => mdb_dn2id("cn=ldap-operators,ou=groups,o=example")
65c3e6ae.1da28088 0x16e80b000 <= mdb_dn2id: got id=0x2857
65c3e6ae.1da2ab80 0x16e80b000 => mdb_entry_decode:
65c3e6ae.1da2c6d8 0x16e80b000 <= mdb_entry_decode
65c3e6ae.1da2de48 0x16e80b000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
65c3e6ae.1da2fd88 0x16e80b000 mdb_entry_get: rc=0
65c3e6ae.1da31cc8 0x16e80b000 dnMatch 0 "uid=norman,ou=staff,o=example" "uid=norman,ou=staff,o=example"
65c3e6ae.1da33c08 0x16e80b000 <== limits_get: type=GROUP match=EXACT dn="cn=ldap-operators,ou=groups,o=example" oc="groupOfNames" ad="member"
65c3e6ae.1da36700 0x16e80b000 => mdb_search
65c3e6ae.1da3bcf0 0x16e80b000 mdb_dn2entry("o=example")
65c3e6ae.1da3e018 0x16e80b000 => mdb_dn2id("o=example")
65c3e6ae.1da3fb70 0x16e80b000 <= mdb_dn2id: got id=0x1
65c3e6ae.1da41ab0 0x16e80b000 => mdb_entry_decode:
65c3e6ae.1da43220 0x16e80b000 <= mdb_entry_decode
65c3e6ae.1da44d78 0x16e80b000 => access_allowed: search access to "o=example" "entry" requested
(interestingly, the string 'limit' doesn't subsequently appear in this -d-1 log, either)
So I'm afraid I'm still puzzled.
Norman
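Added example (not part of the message above, and not OpenLDAP code): a small diagnostic for -d -1 output of the kind quoted in this thread. It re-splits debug records that a mail client has run together onto one line, pairs each "==> limits_get" with the "<== limits_get" conclusion logged on the same thread, so the groupOfURLs case (no conclusion) and the groupOfNames case (type=GROUP match=EXACT) stand out, and decomposes the memberURL passed to ldap_url_parse_ext into base, attributes, scope and filter. It assumes the record layout seen in the excerpts ("<hex timestamp> <thread id> <message>"); the URL parsing is a re-implementation of the RFC 4516 layout, not libldap's ldap_url_parse_ext. The two sample logs are shortened copies of the excerpts quoted above.

```python
"""Diagnose what slapd's limits_get concluded from -d -1 debug output.
Added example for the mailing-list thread; assumes the record layout
'<hexsecs>.<hexfrac> <thread> <message>' seen in the quoted excerpts."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# A record ends where the next timestamp begins (or at end of text), so quotes
# and parentheses inside messages survive even when all records share one line.
_RECORD_RE = re.compile(
    r'([0-9a-f]{8}\.[0-9a-f]{8}) (0x[0-9a-f]+) (.*?)'
    r'(?=\s[0-9a-f]{8}\.[0-9a-f]{8} 0x[0-9a-f]+ |\Z)',
    re.DOTALL,
)


def split_records(text):
    """Return [(timestamp, thread, message), ...] from newline- or space-separated records."""
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in _RECORD_RE.finditer(text)]


@dataclass
class LimitsCheck:
    conn: str
    self_dn: str
    lookups: list = field(default_factory=list)  # (objectClass, attribute) pairs consulted
    urls: list = field(default_factory=list)     # memberURL values handed to ldap_url_parse_ext
    result: Optional[dict] = None                # fields of '<== limits_get', None if never logged


def summarise_limits(text):
    """Pair each '==> limits_get' with the '<== limits_get' on the same thread."""
    open_checks, finished = {}, []
    for _ts, thread, msg in split_records(text):
        if msg.startswith('==> limits_get:'):
            m = re.search(r'conn=(\d+) op=\d+ self="([^"]*)"', msg)
            open_checks[thread] = LimitsCheck(conn=m.group(1), self_dn=m.group(2))
            continue
        chk = open_checks.get(thread)
        if chk is None:
            continue
        m = re.search(r'mdb_entry_get: oc: "([^"]*)", at: "([^"]*)"', msg)
        if m:
            chk.lookups.append((m.group(1), m.group(2)))
        m = re.search(r'ldap_url_parse_ext\((.*)\)$', msg)
        if m:
            chk.urls.append(m.group(1))
        if msg.startswith('<== limits_get:'):
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', msg[len('<== limits_get:'):])
            chk.result = {k: v.strip('"') for k, v in pairs}
            finished.append(open_checks.pop(thread))
    finished.extend(open_checks.values())  # invocations that never logged a conclusion
    return finished


def parse_ldap_url(url):
    """Split an RFC 4516 URL into dn/attrs/scope/filter/extensions, applying the
    RFC defaults (scope base, filter (objectClass=*)) for omitted parts."""
    m = re.match(r'^(ldaps?|ldapi)://([^/]*)(?:/(.*))?$', url)
    if not m:
        raise ValueError(f'not an LDAP URL: {url!r}')
    parts = (m.group(3) or '').split('?', 4)
    parts += [''] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts)
    return {
        'scheme': m.group(1),
        'host': m.group(2) or None,
        'dn': dn,
        'attrs': [a for a in attrs.split(',') if a],
        'scope': scope or 'base',
        'filter': filt or '(objectClass=*)',
        'extensions': [e for e in exts.split(',') if e],
    }


def report(text):
    """Human-readable summary, one block per limits_get invocation."""
    out = []
    for chk in summarise_limits(text):
        out.append(f'conn={chk.conn} self={chk.self_dn}')
        for oc, at in chk.lookups:
            out.append(f'  group lookup: objectClass={oc} attribute={at}')
        for url in chk.urls:
            u = parse_ldap_url(url)
            out.append(f'  memberURL: base={u["dn"]} scope={u["scope"]} '
                       f'attrs={u["attrs"]} filter={u["filter"]}')
        out.append('  no "<== limits_get" conclusion on this thread' if chk.result is None
                   else f'  limits_get: {chk.result}')
    return out


# Sample input: shortened copies of the two excerpts quoted in the message.
DYN_GROUP_LOG = (  # run together on one line, as the mail client delivered it
    '65c3df21.21fa70c8 0x16cacf000 ==> limits_get: conn=1000 op=1 '
    'self="uid=norman,ou=staff,o=example" this="o=example" '
    '65c3df21.21fab718 0x16cacf000 => mdb_entry_get: oc: "groupOfURLs", at: "memberURL" '
    '65c3df21.21fbef98 0x16cacf000 => mdb_entry_get: found entry: '
    '"cn=ldap-operators,ou=groups,o=example" '
    '65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example'
    '?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))) '
    '65c3df21.21fc7c38 0x16cacf000 => mdb_search'
)
STATIC_GROUP_LOG = """
65c3e6ae.1da1a5c8 0x16e80b000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
65c3e6ae.1da1e060 0x16e80b000 => mdb_entry_get: oc: "groupOfNames", at: "member"
65c3e6ae.1da31cc8 0x16e80b000 dnMatch 0 "uid=norman,ou=staff,o=example" "uid=norman,ou=staff,o=example"
65c3e6ae.1da33c08 0x16e80b000 <== limits_get: type=GROUP match=EXACT dn="cn=ldap-operators,ou=groups,o=example" oc="groupOfNames" ad="member"
65c3e6ae.1da36700 0x16e80b000 => mdb_search
"""

if __name__ == '__main__':
    for name, log in (('groupOfURLs', DYN_GROUP_LOG), ('groupOfNames', STATIC_GROUP_LOG)):
        print(f'--- {name} ---')
        print('\n'.join(report(log)))
```

Run against a full -d -1 capture (one record per line or run together), the report shows for each limits_get invocation which group objectClass and attribute were consulted, how the memberURL decomposes, and whether a "<== limits_get" conclusion was ever logged on that thread; the two sample logs reproduce the contrast described in the message.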