On 10/21/2021 6:06 PM, Howard Chu wrote:
> Then this is probably dynlist searching for objectclass=cppEduPerson.
> You should change this configuration to use 2.5 dynlist's memberOf support.
I must have missed that, I wasn't aware of any new specific memberOf support in dynlist? I don't see anything mentioning that in the administration guide:
https://www.openldap.org/doc/admin25/guide.html#Dynamic%20Lists
I did find a reference to it in a release announcement:
https://www.openldap.org/software/release/announce.html
"dynlist can now generate (is)memberOf dynamically"
but it had no specifics as to how that was configured or what it did?
Ah, I see there is a mention of it in the man page, but sadly I don't quite understand it.
dynlist-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad>[+<memberOf-ad[@<static-oc>[*]] ...]
The value group-oc is the name of the objectClass that triggers the dynamic expansion of the data.
The optional URI restricts expansion only to entries matching the DN, the scope and the filter portions of the URI.
The value URL-ad is the name of the attributeDescription that contains the URI that is expanded by the overlay; if none is present, no expansion occurs. If the intersection of the attributes requested by the search operation (or the asserted attribute for compares) and the attributes listed in the URI is empty, no expansion occurs for that specific URI. It must be a subtype of labeledURI.
The value member-ad is optional; if present, the overlay behaves as a dynamic group: this attribute will list the DN of the entries resulting from the internal search. In this case, the attrs portion of the URIs in the URL-ad attribute must be absent, and the DNs of all the entries resulting from the expansion of the URIs are listed as values of this attribute. Compares that assert the value of the member-ad attribute of entries with group-oc objectClass apply as if the DN of the entries resulting from the expansion of the URI were present in the group-oc entry as values of the member-ad attribute. If the optional memberOf-ad attribute is also specified, then it will be populated with the DNs of the dynamic groups that an entry is a member of. If the optional static-oc objectClass is also specified, then the memberOf attribute will also be populated with the DNs of the static groups that an entry is a member of.
It appears it still needs an object class to trigger it? And in my case, that object class would still be cppEduPerson? (i.e., only trigger this dynamic expansion on objects that have that object class?) Right now my configuration again is:
dynlist-attrset cppEduPerson memberURL memberOf
My understanding of which says that for any search which returns an object of the object class "cppEduPerson", perform the search as indicated in the attribute "memberURL", which for me is:
memberURL: ldap:///dc=cpp,dc=edu??sub?(memberUid=henson)
and shove all the DNs that result from that search in the memberOf attribute. What exactly am I supposed to do differently to avail of this new support? And how would it remove the need for the reference to the cppEduPerson object class?
> Indexing is not broken.
There was a question mark in my subject line, I was just guessing :). It is still though definitely a difference in behavior between 2.4 and 2.5, and I'm not understanding why? I don't see any mention of dynlist or memberOf in the upgrade guide:
https://www.openldap.org/doc/admin25/guide.html#Upgrading%20from%202.4.x
Is my current configuration under 2.4 "broken but happens to work"?
Thanks…
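
An added example, not part of the original message and not OpenLDAP code: a small Python parser for the dynlist-attrset grammar quoted from the man page above and for the memberURL value, showing which slot each token of the posted configuration occupies. The function names, the key name `star`, and the second sample line (groupOfURLs/groupOfNames) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Mapping grammar from the man page synopsis quoted in the message:
#   [<mapped-ad>:]<member-ad>[+<memberOf-ad>[@<static-oc>[*]]]
NAME = r"[^:+@*]+"
MAPPING = re.compile(
    rf"^(?:(?P<mapped_ad>{NAME}):)?(?P<member_ad>{NAME})"
    rf"(?:\+(?P<memberof_ad>{NAME})(?:@(?P<static_oc>{NAME})(?P<star>\*)?)?)?$"
)

def parse_attrset(line):
    """Split a dynlist-attrset line into the roles named in the man page."""
    words = line.split()
    if len(words) < 3 or words[0] != "dynlist-attrset":
        raise ValueError("not a dynlist-attrset directive")
    group_oc, rest = words[1], words[2:]
    # The optional URI is the only argument that contains "://".
    uri = rest.pop(0) if "://" in rest[0] else None
    if not rest:
        raise ValueError("missing URL-ad")
    mappings = []
    for word in rest[1:]:
        match = MAPPING.match(word)
        if match is None:
            raise ValueError(f"malformed mapping: {word}")
        mappings.append(match.groupdict())
    return {"group_oc": group_oc, "uri": uri, "url_ad": rest[0], "mappings": mappings}

def parse_member_url(value):
    """Split ldap://host/base?attrs?scope?filter (RFC 4516 field order)."""
    scheme, sep, rest = value.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    host, _, rest = rest.partition("/")
    base, attrs, scope, filt = (unquote(f) for f in (rest.split("?") + [""] * 4)[:4])
    return {"host": host, "base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}

if __name__ == "__main__":
    # First line and URL are from the message; the second line is a constructed sample.
    for line in ("dynlist-attrset cppEduPerson memberURL memberOf",
                 "dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames"):
        print(parse_attrset(line))
    print(parse_member_url("ldap:///dc=cpp,dc=edu??sub?(memberUid=henson)"))
```

Read against the quoted grammar, the token `memberOf` in the posted configuration lands in the member-ad slot with no `+<memberOf-ad>` part, while the constructed line fills member-ad, memberOf-ad and static-oc.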