Howard, hello.
On 8 Feb 2024, at 16:22, Howard Chu wrote:
And slapo-dynlist says:
Any time an entry with a specific objectClass is being returned, the LDAP URI-valued occurrences of a specific attribute are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry.
The text above is for a *dynamic list* - which is not a *dynamic group*.
Sure -- no dispute about that.
But we're talking about olcLimits.
The documentation for olcLimits includes the words
the oc group objectClass (default groupOfNames) whose DN exactly matches pattern.
That doesn't say anything about restricting these to 'dynamic groups' (in slapo-dynlist terminology). Those words seem to cover any entry of the designated objectClass which has the designated DN.
The olcLimits declaration I quoted works one way when the entry with the given DN is a static/normal/explicit group, and works a different way when an entry with the same DN and the _same_ set of 'member' attributes is produced on expansion by dynlist. The documentation of olcLimits doesn't suggest that's deliberate.
Again, if OpenLDAP/dynlist is incapable of generating this entry, then that's fine -- I'll bodge some different way of getting what I need.
Best wishes,
Norman