Andrew Bartlett wrote:
> On Fri, 2008-01-11 at 17:51 +0100, Pierangelo Masarati wrote:
>> Andrew Bartlett wrote:
>>> I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it.
>>> [snip]
>>> The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating.
>>
>> Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it. I believe at the time it was implemented, this was not possible (in back-hdb), or not feasible (given the impossibility to search portions of a DN-valued attribute): slapo-memberof(5) was added to OpenLDAP sources August 2007, but initially implemented for OpenLDAP 2.2.
>>
>> I think this change should be relatively easy right now, as a DN-valued attribute can be searched with the dnSubtreeMatch rule to detect whether any member/memberOf values need to be modified.
>>
>> Please submit an ITS...
>
> I've tried to, but I just get:
>
> OpenLDAP The system encountered a fatal error
> After command: MAIL FROM: abartlet@samba.org
> Received: 451 4.1.8 Domain of sender address abartlet@samba.org does not resolve

Aside from that problem, it appears that by stacking slapo-memberof and slapo-refint you should get the desired effect. I think this needs quite a bit of testing, in case of unexpected cross-effects.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
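
The check discussed in the thread (finding member/memberOf values that still point into a renamed subtree), sketched as an added example; it is not part of the original message and not OpenLDAP code. The entries and base DNs are constructed, and the DN comparison is a simplified stand-in for dnSubtreeMatch (case-insensitive values, backslash escapes only).

```python
# Constructed sample data; DN handling is simplified (case-insensitive
# values, backslash escapes only, no multi-valued RDN reordering).

def split_dn(dn):
    """Split a DN into raw RDN strings, honouring backslash escapes."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        esc = (ch == "\\") and not esc
    rdns.append("".join(cur).strip())
    return rdns

def norm(rdn):
    """Normalize one RDN for comparison (assumes caseIgnore matching)."""
    attr, _, val = rdn.partition("=")
    return attr.strip().lower() + "=" + val.strip().lower()

def under(dn, base):
    """Subtree test: True if dn equals base or is subordinate to it."""
    d = [norm(r) for r in split_dn(dn)]
    b = [norm(r) for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def stale_refs(entries, old_base, new_base, attrs=("member", "memberOf")):
    """List (entry, attr, stale value, corrected value) after a subtree rename."""
    depth = len(split_dn(old_base))
    fixes = []
    for dn, entry in entries.items():
        for attr in attrs:
            for val in entry.get(attr, []):
                if under(val, old_base):
                    rdns = split_dn(val)
                    keep = rdns[:len(rdns) - depth]
                    fixes.append((dn, attr, val, ",".join(keep + [new_base])))
    return fixes

# Directory state after ou=People was renamed to ou=Staff (constructed).
OLD, NEW = "ou=People,dc=example,dc=com", "ou=Staff,dc=example,dc=com"
GROUP = "cn=admins,ou=Groups,dc=example,dc=com"
ENTRIES = {
    GROUP: {"member": ["uid=alice,ou=People,dc=example,dc=com",
                       "uid=svc\\,backup,OU=people, DC=example,DC=com",
                       "uid=bob,ou=XPeople,dc=example,dc=com"]},
    "uid=alice,ou=Staff,dc=example,dc=com": {"memberOf": [GROUP]},
}

if __name__ == "__main__":
    for fix in stale_refs(ENTRIES, OLD, NEW):
        print(fix)
```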