Howard, hello.
On 8 Feb 2024, at 15:07, Howard Chu wrote:
Norman Gray wrote:
Howard, hello.
On 8 Feb 2024, at 0:34, Howard Chu wrote:
65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
The above URL is not valid for a dynamic group. The attrs portion of the URL must be empty.
Since it's invalid, after it is parsed it gets ignored.
That's true when constructing what slapo-dynlist(5) calls a dynamic group, but that's not what I'm constructing here, but instead a group entry which is dynamically expanded, to a group, by a search.
Whatever you've constructed is not a dynamic group, as defined in slapo-dynlist. As such, it is not supported for the purpose you're asking.
Indeed -- it's not a 'dynamic group' in the terms of slapo-dynlist, but it is an entry which has a set of 'member' attributes, which is dynamically constructed (whatever one wants to call this).
But I can't see that matters, since the slapd-config(5) text covering the olcLimits configuration attribute seems to clearly indicate that
olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
'sets the limits for any DN listed in the values of the [member] attribute of the [groupOfURLs] group whose DN exactly matches ["cn=ldap-operators,ou=groups,o=example"]' (where [...] fills in the blanks in the text there as I understand it). I can't see a way of interpreting this manpage text which doesn't match this situation. This works as expected when cn=ldap-operators is an entry which is not dynamically expanded.
It doesn't say that that group has to be a 'dynamic group in the terms of slapo-dynlist', it just says 'group'.
And slapo-dynlist says:
Any time an entry with a specific objectClass is being returned, the LDAP URI-valued occurrences of a specific attribute are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry.
This is exactly what happens when I ldapsearch the directory for this cn=ldap-operators entry, and what does not happen (because slapd logs that it can't find an attribute 'member') when the same group is returned from a search during processing of olcLimits.
The slapo-dynlist text says 'Any time an entry with a specific objectClass is being returned...'. It doesn't say 'returned in response to an external query', it just says 'returned', which I of course take to include returned in response to an internal query such as this one.
Or, stepping back more, how _should_ I dynamically create an entry which olcLimits will respect? I'm quite happy to be told I'm barking up the wrong tree here. Is OpenLDAP simply unable to do this, or is dynlist expansion documented somewhere as happening only in restricted circumstances?
Best wishes,
Norman