Hello Mailinglist,
For some days/weeks now I have been trying to figure out how dynlist is meant to be used and how it is to be used. But it is hard to get into the game for someone who is not familiar with OpenLDAP at all. :)
I tried to build the, I guess, popular 'dynamic posixGroups'. Some older ML posts helped me to build the default structure for the dynlist overlay, i.e. this one http://www.openldap.org/lists/openldap-technical/200912/msg00005.html and this one http://www.openldap.org/faq/data/cache/1209.html
# getent group
testgroup1:*:1011:test1,test2
testgroup2:*:1012:test1,test2
this looks good to me, as expected.
# id test1
uid=1011(test1) gid=1011(testgroup1) Gruppen=1011(testgroup1)
# id test2
uid=1012(test2) gid=1012(testgroup2) Gruppen=1012(testgroup2)

But this isn't what it is expected to be; too bad it's not only a display problem: the permissions of testgroup1 and testgroup2, and vice versa, are really missing.

# id test1
uid=1011(test1) gid=1011(testgroup1) Gruppen=1011(testgroup1),1012(testgroup2)
# id test2
uid=1012(test2) gid=1012(testgroup2) Gruppen=1012(testgroup2),1011(testgroup1)

That's what I wish it would be.
If I delete the attribute labeledURI and set the memberUid for test1 and test2 by hand, everything works as expected, but it would be nice to have it dynamically managed. :)
Any help, guide and/or howto is highly appreciated.
Thank you for your time reading this :)
bye, Benjamin.
--------------------------------------------------
my general config:
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn="cn=admin,dc=example,dc=com" write by * read
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: memberUid pres,eq
olcDbIndex: uniquemember pres,eq
olcDbIndex: gidnumber pres,eq
olcDbIndex: uid pres,eq
olcDbIndex: uidnumber pres,eq
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}posixGroup labeledURI memberUid:uid

dn: olcOverlay={1}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
my testgroups:
dn: cn=testgroup1,ou=People,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
cn: testgroup1
gidNumber: 1011
labeledURI: ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass=posixAccount)
# the two memberUid values below are set dynamically by the overlay, not stored
memberUid: test1
memberUid: test2

dn: cn=testgroup2,ou=People,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
cn: testgroup2
gidNumber: 1012
labeledURI: ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass=posixAccount)
# the two memberUid values below are set dynamically by the overlay, not stored
memberUid: test1
memberUid: test2
my testusers:
dn: uid=test1,ou=test,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: top
cn: test1
gidNumber: 1011
homeDirectory: /home/test1
sn: test1
uid: test1
uidNumber: 1011
userPassword:

dn: uid=test2,ou=test,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: top
cn: test2
gidNumber: 1012
homeDirectory: /home/test2
sn: test2
uid: test2
uidNumber: 1012
userPassword:
some log entries with ACL logging enabled:
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "dc=example,dc=com" "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr entry
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (entry)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to all values by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uid
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uid)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr entry
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (entry)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to all values by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "cn" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr cn
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (cn)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "cn" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "homeDirectory" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr homeDirectory
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (homeDirectory)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "homeDirectory" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "userPassword" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [1] attr userPassword
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (userPassword)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "userPassword" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: anonymous
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying auth(=xd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: auth(=xd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access denied by auth(=xd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: no more rules
Feb 14 16:58:13 openldaphost slapd[8673]: send_search_entry: conn 366 access to attribute userPassword, value #0 not allowed
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uidNumber
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uidNumber)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uid
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uid)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "gidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr gidNumber
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (gidNumber)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "gidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
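An added example, not part of Benjamin's post and not OpenLDAP code: a small Python model of what `olcDlAttrSet: posixGroup labeledURI memberUid:uid` does, run against constructed copies of the entries above. It parses the labeledURI (an RFC 4516 URL), evaluates the URL's filter against the entries under its base, and copies each match's uid into a generated memberUid, which reproduces the `getent group` output. It then runs the kind of filter an NSS initgroups lookup sends (assumed shape `(&(objectClass=posixGroup)(memberUid=<uid>))`; the exact filter depends on the NSS module and its configuration) two ways: against stored attributes only, and against the expanded entries. The first way returns no supplementary groups, which is what the `id` output above shows. The model's assumption is that the overlay in this 2.4-era setup generates the values for entries it returns while the search filter is evaluated against stored attributes, so a reverse lookup through memberUid finds nothing unless the values are actually stored, which is the manual workaround described above; as far as I know, filter evaluation on dynlist-generated attributes only arrived in later releases (2.5 and up). Matching rules are simplified to case-insensitive comparison throughout, and the DIRECTORY, SEARCH_BASE and helper names are mine.

```python
# Added example (not code from the post or from OpenLDAP): a local model of the
# `olcDlAttrSet: posixGroup labeledURI memberUid:uid` expansion, run against constructed
# copies of the entries in the post, to compare the two lookups the post shows.
from urllib.parse import unquote

LABELED_URI = "ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"

def _group(name, gid):
    return {"objectclass": ["posixGroup", "top", "labeledURIObject"],
            "cn": [name], "gidnumber": [gid], "labeleduri": [LABELED_URI]}

def _user(name, num):
    return {"objectclass": ["posixAccount", "inetOrgPerson", "shadowAccount", "top"],
            "uid": [name], "uidnumber": [num], "gidnumber": [num]}

# Constructed directory (DN -> {lower-cased attribute: [values]}) mirroring the post's entries.
DIRECTORY = {
    "cn=testgroup1,ou=People,ou=Groups,dc=example,dc=com": _group("testgroup1", "1011"),
    "cn=testgroup2,ou=People,ou=Groups,dc=example,dc=com": _group("testgroup2", "1012"),
    "uid=test1,ou=test,ou=Users,dc=example,dc=com": _user("test1", "1011"),
    "uid=test2,ou=test,ou=Users,dc=example,dc=com": _user("test2", "1012"),
}
SEARCH_BASE = "dc=example,dc=com"
# olcDlAttrSet: posixGroup labeledURI memberUid:uid  ->  (group class, URL attribute, {generated: source})
ATTRSET = ("posixGroup", "labeleduri", {"memberuid": "uid"})

def parse_ldap_url(url):
    """RFC 4516 URL -> (base, attrs, scope, filter), with the RFC defaults filled in."""
    if not url.startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are modelled here")
    base, attrs, scope, filt = [unquote(p) for p in (url[8:].split("?", 3) + [""] * 3)[:4]]
    return base, [a for a in attrs.split(",") if a], (scope or "base").lower(), filt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """base / one / sub scope test on normalised DNs (the sample data has no escaped commas)."""
    dn, base = (",".join(r.strip().lower() for r in d.split(",")) for d in (dn, base))
    if scope == "base" or not dn.endswith("," + base):
        return dn == base and scope != "one"
    return scope == "sub" or "," not in dn[:-len(base) - 1]

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser for (&..), (|..), (attr=value) and (attr=*); returns (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", (attr.strip().lower(), value.strip())), end + 1

def evaluate(node, entry):
    """Evaluate a parsed filter; matching is case-insensitive throughout (simplified matching rules)."""
    kind, arg = node
    if kind in "&|":
        return (all if kind == "&" else any)(evaluate(k, entry) for k in arg)
    attr, value = arg
    return any(value == "*" or v.lower() == value.lower() for v in entry.get(attr, []))

def expand_entry(directory, entry):
    """Apply the attrset: for each labeledURI on a posixGroup, run the URL's search and copy every
    matching entry's uid into a generated memberUid. The generated values are not stored."""
    group_oc, uri_attr, mapping = ATTRSET
    if not evaluate(("=", ("objectclass", group_oc)), entry):
        return entry
    out = {k: list(v) for k, v in entry.items()}
    for uri in entry.get(uri_attr, []):
        base, _attrs, scope, filt = parse_ldap_url(uri)
        node = parse_filter(filt)[0]
        for dn, target in directory.items():
            if in_scope(dn, base, scope) and evaluate(node, target):
                for generated, source in mapping.items():
                    for v in target.get(source, []):
                        if v not in out.setdefault(generated, []):
                            out[generated].append(v)
    return out

def search(directory, base, scope, filt, filter_on_dynamic=False):
    """Return [(dn, expanded entry)]. By default the filter sees only stored attributes and the
    expansion happens on the way out; filter_on_dynamic=True lets the filter see generated values."""
    node = parse_filter(filt)[0]
    hits = []
    for dn, entry in directory.items():
        if in_scope(dn, base, scope):
            expanded = expand_entry(directory, entry)
            if evaluate(node, expanded if filter_on_dynamic else entry):
                hits.append((dn, expanded))
    return hits

def group_members(filter_on_dynamic=False):
    """`getent group` style: enumerate posixGroups and read memberUid off the returned entries."""
    hits = search(DIRECTORY, SEARCH_BASE, "sub", "(objectClass=posixGroup)", filter_on_dynamic)
    return {e["cn"][0]: e.get("memberuid", []) for _, e in hits}

def supplementary_groups(uid, filter_on_dynamic=False):
    """initgroups style (assumed typical NSS filter): groups whose memberUid names the user."""
    filt = f"(&(objectClass=posixGroup)(memberUid={uid}))"
    return sorted(e["cn"][0] for _, e in search(DIRECTORY, SEARCH_BASE, "sub", filt, filter_on_dynamic))
```

Calling `group_members()` gives both groups with `['test1', 'test2']`, matching the `getent group` output; `supplementary_groups("test1")` gives an empty list, matching the `id` output, while `supplementary_groups("test1", filter_on_dynamic=True)` gives both groups, which is the result the post wishes for. Storing memberUid by hand makes the stored-attribute search succeed, which is why the manual workaround behaves. A quick way to check the same thing against a real server is an `ldapsearch -x -b dc=example,dc=com '(memberUid=test1)' cn` next to `ldapsearch -x -b dc=example,dc=com '(objectClass=posixGroup)' memberUid`: if the second shows the dynamic values and the first returns nothing, the filter is not seeing them.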