Norman Gray wrote:
Howard, hello.
On 7 Feb 2024, at 19:36, Howard Chu wrote:
If I then make a query which has a few results, I do not get this limit imposed, and instead see in the logs
65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
And those logs are correct, the group entry you specified has no member attribute. What it has is a memberURL attribute, and that's what you should have configured in your olcLimits statement.
Aha. I had taken the description to refer to the synthesised 'member' attributes in the dynamically generated group. Thanks for this.
On changing this, though, to
olcLimits: group/groupOfURLs/memberURL="cn=ldap-operators,ou=groups,o=example" size=2
and making a query, I now see in the logs (with -d-1):
65c3df21.21fa70c8 0x16cacf000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
65c3df21.21fa97d8 0x16cacf000 => mdb_entry_get: ndn: "cn=ldap-operators,ou=groups,o=example"
65c3df21.21fab718 0x16cacf000 => mdb_entry_get: oc: "groupOfURLs", at: "memberURL"
65c3df21.21fb1ca8 0x16cacf000 mdb_dn2entry("cn=ldap-operators,ou=groups,o=example")
65c3df21.21fb4b88 0x16cacf000 => mdb_dn2id("cn=ldap-operators,ou=groups,o=example")
65c3df21.21fb8a08 0x16cacf000 <= mdb_dn2id: got id=0x2857
65c3df21.21fbb8e8 0x16cacf000 => mdb_entry_decode:
65c3df21.21fbd440 0x16cacf000 <= mdb_entry_decode
65c3df21.21fbef98 0x16cacf000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
65c3df21.21fc0ed8 0x16cacf000 mdb_entry_get: rc=0
65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
The above URL is not valid for a dynamic group. The attrs portion of the URL must be empty.
Since it's invalid, after it is parsed it gets ignored.
There's no mention of 'limits' after this point in the log.
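
A way to check group entries for the condition described in the reply above (a memberURL whose attrs field is not empty), as an added example that is not part of the original thread and not OpenLDAP code. The function names and the sample LDIF are constructed; the first URL in the sample is the one from the log.

```python
import base64
from urllib.parse import unquote

def member_urls(ldif):
    """Yield memberURL values from LDIF text, unfolding continuation lines."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF fold: drop the leading space
        else:
            unfolded.append(line)
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "memberurl":
            if value.startswith(":"):         # "attr:: <base64 value>"
                yield base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                yield value.strip()

def url_attrs(url):
    """Return the attrs field of an LDAP URL (RFC 4516) as a list of names."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, slash, tail = rest.partition("/")
    # Fields after the host are: dn ? attrs ? scope ? filter ? extensions
    fields = tail.split("?") if slash else []
    attrs = unquote(fields[1]) if len(fields) > 1 else ""
    return [a.strip() for a in attrs.split(",") if a.strip()]

def nonempty_attrs(ldif):
    """Return (url, attrs) for each memberURL whose attrs field is not empty."""
    checked = ((u, url_attrs(u)) for u in member_urls(ldif))
    return [(u, a) for u, a in checked if a]

# Constructed sample entry: the first memberURL is the one from the log above
# (folded across two lines), the second is the same URL with attrs left empty.
SAMPLE = """\
dn: cn=ldap-operators,ou=groups,o=example
objectClass: groupOfURLs
cn: ldap-operators
memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)
 (cn=ldap-techs))
memberURL: ldap:///ou=groups,o=example??sub?(|(cn=ldap-admins-*)(cn=ldap-techs))
"""

if __name__ == "__main__":
    for url, attrs in nonempty_attrs(SAMPLE):
        print("attrs not empty (%s): %s" % (",".join(attrs), url))
```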