Hello Mailinglist,

for some days/weeks now, I try to figure out, how dynlist is meant to be used and how it is to be used.
But it is hard for one to get in the game, who is neither familiar with openLDAP at all. :)

I tried to build the, I guess, popular 'dynamic posixgroups'.
Some older ML posts helped me to build the default structure for the dynlist overlay.
i.e. this one http://www.openldap.org/lists/openldap-technical/200912/msg00005.html
and this http://www.openldap.org/faq/data/cache/1209.html

# getent group
testgroup1:*:1011:test1,test2
testgroup2:*:1012:test1,test2

this looks good to me, as expected.

# id test1
uid=1011(test1) gid=1011(testgroup1) Gruppen=1011(testgroup1)
# id test2
uid=1012(test2) gid=1012(testgroup2) Gruppen=1012(testgroup2)
but this isn't what it is expected to be, too bad its not only a display problem, the permissions of testgroup1 and testgroup2 vice versa are really missing.

# id test1
uid=1011(test1) gid=1011(testgroup1) Gruppen=1011(testgroup1), 1012(testgroup2)
# id test2
uid=1012(test2) gid=1012(testgroup2) Gruppen=1012(testgroup2), 1011(testgroup1)
thats what I wish it would be

If I delete the Attribute labeledURI and set the memberUid for test1 and test2 by hand, everything works as expected, but it would be nice to have it dynamically managed :)

Any help, guide and/or howto is highly appreciated.

Thank you for your time reading this :)

bye, Benjamin.

--------------------------------------------------

my general config:

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exa
mple,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn="cn=admin,dc=example,dc=com" write by * read
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: memberUid pres,eq
olcDbIndex: uniquemember pres,eq
olcDbIndex: gidnumber pres,eq
olcDbIndex: uid pres,eq
olcDbIndex: uidnumber pres,eq
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}posixGroup labeledURI memberUid:uid

dn: olcOverlay={1}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

my testgroups:

dn: cn=testgroup1,ou=People,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
cn: testgroup1
gidNumber: 1011
labeledURI: ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass
=Posixaccount)
memberUid: test1 (dynamically set)
memberUid: test2 (dynamically set)

dn: cn=testgroup2,ou=People,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
cn: testgroup2
gidNumber: 1012
labeledURI: ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass
=Posixaccount)
memberUid: test1 (dynamically set)
memberUid: test2 (dynamically set)

my testusers:

dn: uid=test1,ou=test,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: top
cn: test1
gidNumber: 1011
homeDirectory: /home/test1
sn: test1
uid: test1
uidNumber: 1011
userPassword:

dn: uid=test2,ou=test,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: top
cn: test2
gidNumber: 1012
homeDirectory: /home/test2
sn: test2
uid: test2
uidNumber: 1012
userPassword:

some log entries with ACL logging enabled:

Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "dc=example,dc=com" "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr entry
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (entry)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to all values by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uid
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uid)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr entry
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (entry)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to all values by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "cn" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr cn
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (cn)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "cn" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "homeDirectory" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr homeDirectory
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (homeDirectory)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "homeDirectory" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "userPassword" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [1] attr userPassword
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (userPassword)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "userPassword" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: anonymous
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying auth(=xd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: auth(=xd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access denied by auth(=xd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: no more rules
Feb 14 16:58:13 openldaphost slapd[8673]: send_search_entry: conn 366 access to attribute userPassword, value #0 not allowed
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uidNumber
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uidNumber)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uid
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uid)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "gidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr gidNumber
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (gidNumber)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "gidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd)

--

Charles de Gaulle - "The better I get to know men, the more I find myself loving dogs."