Greetings.
I have another puzzle with my OpenLDAP configuration, where I'm not sure if what I'm seeing is unexpected.
Short version: should I expect a group in an olcLimits spec to work when the group is dynamic?
I have a dynamic group set up, using the dynlist overlay, which expands to a set of DNs which should be allowed slightly privileged access to a directory. That group seems to be working OK:
% ldapsearch -x -H ldap://localhost:8389 -b o=example -LLL '(cn=ldap-operators)'
dn: cn=ldap-operators,ou=groups,o=example
cn: ldap-operators
objectClass: groupOfURLs
description: Members of all of the LDAP admin and tech groups
memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))
member: uid=norman,ou=staff,o=example
[...]
One goal here is to remove query limits for this group. I can test that by adding an artificially low limit:
olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
If I then make a query which has a few results, I do not get this limit imposed, and instead see in the logs
65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
(If, instead of this, I define an ldap-operators group of class groupOfNames, with the above 'member' included explicitly, and make the corresponding change to the olcLimits line, I get what I expect -- i.e., a restricted-size response to the query -- which reassures me I'm not doing something stupid elsewhere.)
The slapo-dynlist(5) page says:
Any time an entry with a specific objectClass is being returned, the LDAP URI-valued occurrences of a specific attribute are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry.
I note the ‘any time’.
My configuration appears to be working for the ldapsearch lookup; I don't see any text in that manpage that suggests this won't work for the (somehow internal?) lookup being done when processing the olcLimits expression.
The page slapd-config(5) says, under olcLimits:
The term group, with the optional objectClass oc and attributeType at fields, followed by pattern, sets the limits for any DN listed in the values of the at attribute (default member) of the oc group objectClass (default groupOfNames) whose DN exactly matches pattern.
That text doesn't seem to me to exclude this entry lookup from the ‘any time’ in the slapo-dynlist text above.
This is OpenLDAP 2.6.7.
I am of course open to a frame-challenge about the best way of achieving the underlying goal.
Best wishes,
Norman
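One way to check a slapd log for the pattern quoted above, i.e. the limits group entry being found but the membership attribute not being present on it, which is what you would see if the internal lookup gets the stored entry without dynlist expansion. This is an added example, not part of the original message; the sample log lines are constructed from the two quoted above, and the log line layout (timestamp, thread id, message) is assumed from them.

```python
import re

# Constructed sample log, modelled on the two lines quoted in the message.
# The second thread looks up a hypothetical static group and reports no missing attribute.
SAMPLE_LOG = """\
65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
65c3ce84.00a1b2c3 0x16e9d4000 => mdb_entry_get: found entry: "cn=ldap-static-ops,ou=groups,o=example"
65c3ce84.00a1c000 0x16e9d4000 => mdb_search
"""

# Assumed layout: "<timestamp> <thread id> <message>"
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<thread>0x[0-9a-fA-F]+)\s+(?P<msg>.*)$')
FOUND_RE = re.compile(r'^=> mdb_entry_get: found entry: "(?P<dn>[^"]+)"$')
NOATTR_RE = re.compile(r'^<= mdb_entry_get: failed to find attribute (?P<attr>\S+)$')


def find_unexpanded_group_lookups(log_text, group_dn, attr="member"):
    """Return (timestamp, thread) pairs where slapd found the olcLimits group
    entry and then, on the same thread, failed to find the membership
    attribute on it. Each hit is one limits evaluation that saw the stored
    group entry without its dynlist-expanded members."""
    pending = {}  # thread id -> (timestamp, dn) of the latest found-entry line
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, thread, msg = m.group("ts"), m.group("thread"), m.group("msg")
        found = FOUND_RE.match(msg)
        if found:
            pending[thread] = (ts, found.group("dn"))
            continue
        missing = NOATTR_RE.match(msg)
        if missing and thread in pending:
            first_ts, dn = pending.pop(thread)
            if dn.lower() == group_dn.lower() and missing.group("attr") == attr:
                hits.append((first_ts, thread))
        else:
            pending.pop(thread, None)  # any other message on the thread ends the pair
    return hits


if __name__ == "__main__":
    for ts, thread in find_unexpanded_group_lookups(
            SAMPLE_LOG, "cn=ldap-operators,ou=groups,o=example"):
        print(f"{ts} {thread}: group entry found but 'member' absent (not dynlist-expanded)")
```

Run it over a real slapd log (loglevel including the mdb trace output) with the DN from your olcLimits line; a non-empty result for the groupOfURLs DN and an empty one for the groupOfNames variant matches the behaviour described above.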