Norman Gray wrote:
Greetings.
I have another puzzle with my OpenLDAP configuration, where I'm not sure if what I'm seeing is unexpected.
Short version: should I expect a group in an olcLimits spec to work when the group is dynamic?
Yes.
I have a dynamic group set up, using the dynlist overlay, which expands to a set of DNs which should be allowed slightly privileged access to a directory. That group seems to be working OK:
% ldapsearch -x -H ldap://localhost:8389 -b o=example -LLL '(cn=ldap-operators)'
dn: cn=ldap-operators,ou=groups,o=example
cn: ldap-operators
objectClass: groupOfURLs
description: Members of all of the LDAP admin and tech groups
memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))
member: uid=norman,ou=staff,o=example
[...]
One goal here is to remove query limits for this group. I can test that by adding an artificially low limit:
olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
If I then make a query which has a few results, I do not get this limit imposed, and instead see in the logs
65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
And those logs are correct: the group entry you specified has no member attribute. What it has is a memberURL attribute, and that's what you should have configured in your olcLimits statement.
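As an added illustration, not from either poster, here is the olcLimits value that was tested beside the form the reply recommends, written as an LDIF modification for cn=config. The database DN olcDatabase={1}mdb,cn=config is an assumption for this example, and size=unlimited is chosen to match the stated goal of lifting query limits for the group.

```ldif
# Added example, not from the thread. Assumes the o=example directory is
# olcDatabase={1}mdb,cn=config; substitute the real database entry.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
# 'replace' overwrites the value that was tested:
#   group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
# That keyed on 'member', which the groupOfURLs entry does not store, so the
# lookup in the log fails and the limit is never applied.
replace: olcLimits
# Key on the attribute the entry actually carries, memberURL, as the reply
# suggests. size=unlimited removes the size limit for members of the group.
olcLimits: group/groupOfURLs/memberURL="cn=ldap-operators,ou=groups,o=example" size=unlimited
-
```

Before switching to size=unlimited, apply the same line with size=2 and confirm that a search returning more than two entries is now cut short for a group member, which proves the dynamic group is being matched; then raise the limit. The current value can be read back with ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' -s base olcLimits.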