Norman Gray wrote:
Howard, hello.
On 8 Feb 2024, at 15:07, Howard Chu wrote:
Norman Gray wrote:
Howard, hello.
On 8 Feb 2024, at 0:34, Howard Chu wrote:
65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
The above URL is not valid for a dynamic group. The attrs portion of the URL must be empty.
Since it's invalid, after it is parsed it gets ignored.
That's true when constructing what slapo-dynlist(5) calls a dynamic group, but that's not what I'm constructing here, but instead a group entry which is dynamically expanded, to a group, by a search.
Whatever you've constructed is not a dynamic group, as defined in slapo-dynlist. As such, it is not supported for the purpose you're asking.
Indeed -- it's not a 'dynamic group' in the terms of slapo-dynlist, but it is an entry which has a set of 'member' attributes, which is dynamically constructed (whatever one wants to call this).
But I can't see that matters, since the slapd-config(5) text covering the olcLimits configuration attribute seems to clearly indicate that
olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
'sets the limits for any DN listed in the values of the [member] attribute of the [groupOfURLs] group whose DN exactly matches ["cn=ldap-operators,ou=groups,o=example"]' (where [...] fills in the blanks in the text there as I understand it). I can't see a way of interpreting this manpage text which doesn't match this situation. This works as expected when cn=ldap-operators is an entry which is not dynamically expanded.
It doesn't say that that group has to be a 'dynamic group in the terms of slapo-dynlist', it just says 'group'.
And slapo-dynlist says:
Any time an entry with a specific objectClass is being returned, the LDAP URI-valued occurrences of a specific attribute are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry.
The text above is for a *dynamic list* - which is not a *dynamic group*. The code supports groups, not lists.
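The distinction drawn in this thread (a URL with a non-empty attrs portion describes a dynamic list, is not valid for a dynamic group, and is ignored after parsing) can be checked before deployment. The following Python is an added example, not code from the thread or from OpenLDAP; the function names, the second sample entry and the pairing of the logged URL with cn=ldap-operators are assumptions made for illustration.

```python
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516) into host, dn, attrs, scope, filter, extensions."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    host, _, tail = rest.partition("/")
    # Fields are '?'-separated; a literal '?' inside a field must be
    # percent-encoded, so split first and decode afterwards.
    fields = tail.split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields)
    return {
        "host": host,
        "dn": dn,
        "attrs": [a.strip() for a in attrs.split(",") if a.strip()],
        "scope": scope or "base",              # RFC 4516 default
        "filter": filt or "(objectClass=*)",   # RFC 4516 default
        "extensions": exts,
    }

def classify_member_url(url):
    """'dynamic-group' if the attrs field is empty, otherwise 'dynamic-list'."""
    return "dynamic-list" if parse_ldap_url(url)["attrs"] else "dynamic-group"

def audit(entries):
    """Return (entry DN, URL, attrs) for every URL whose attrs field is not empty."""
    findings = []
    for dn, urls in entries.items():
        for url in urls:
            attrs = parse_ldap_url(url)["attrs"]
            if attrs:
                findings.append((dn, url, attrs))
    return findings

# Sample data: PAGE_URL is the URL logged in the thread; attaching it to
# cn=ldap-operators is an assumption, and the second entry is constructed.
PAGE_URL = "ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))"
SAMPLE = {
    "cn=ldap-operators,ou=groups,o=example": [PAGE_URL],
    "cn=constructed-group,ou=groups,o=example": [
        "ldap:///ou=people,o=example??sub?(departmentNumber=42)"],
}

if __name__ == "__main__":
    for dn, url, attrs in audit(SAMPLE):
        print(f"{dn}: attrs={attrs} -> not a dynamic group URL: {url}")
```

An entry flagged by `audit` is one whose URL would be treated as a dynamic list, so a group-based `olcLimits` rule that names it should not be relied on.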