I am trying to move from memberof(overlay) to dynlist but can't get it to work.
I have static groups with uniqueMembers
cn=somegroup,ou=group,dc=domain,dc=net
uniqueMember: uid=user1,ou=people,dc=domain,dc=net
uniqueMember: uid=user2,ou=people,dc=domain,dc=net
...
I want to have:
memberOf: cn=somegroup,ou=group,dc=domain,dc=net
on all users who are members of any group.
In my test I use cn=config style and OpenLDAP 2.6.0 from Symas.
In my old LDAP server (slapd.conf based) I have
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-refint true
I have tried this from man slapo-dynlist but I must have done something wrong or not understood how it is supposed to work.
This example extends the dynamic memberOf feature to add the memberOf attribute to all the members of both static and dynamic groups:
include /path/to/dyngroup.schema
# ...
database <database>
# ...
overlay dynlist
dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames
This dynamic memberOf feature can fully replace the functionality of the slapo-memberof(5) overlay.
--On Wednesday, December 1, 2021 3:41 PM +0000 Magnus Morén magnus.moren@hh.se wrote:
> I am trying to move from memberof(overlay) to dynlist but can't get it to work.
> overlay dynlist
> dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames
> This dynamic memberOf feature can fully replace the functionality of the slapo-memberof(5) overlay.
Your attribute is "uniqueMember" not member, and your group objectClass is "groupOfUniqueNames" not groupofNames. You need to adjust the dynlist-attrset accordingly.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Thank you for your rapid and helpful answer.
I got it working when waiting for the mail to be approved...
The successful syntax is now:
overlay dynlist
dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames
Best regards
I have now tested dynlist and I have the memberOf working. Good.
I did a "remove user" test...
When I remove a user from the database, the entry is still present in the lists the user was a member of.
In memberof(overlay) I used the "memberof-refint true" and this option removed the user from the lists (I think it was this option). Can I get the same behavior with dynlist (i.e. automatically remove deleted users from all lists)?
Magnus Morén wrote:
> I have now tested dynlist and I have the memberOf working. Good.
> I did a "remove user" test...
> When I remove a user from the database, the entry is still present in the lists the user was a member of.
> In memberof(overlay) I used the "memberof-refint true" and this option removed the user from the lists (I think it was this option). Can I get the same behavior with dynlist (i.e. automatically remove deleted users from all lists)?
No, dynlist doesn't handle that. Use the refint overlay.
--On Wednesday, December 1, 2021 10:35 PM +0000 Magnus Morén magnus.moren@hh.se wrote:
> I have now tested dynlist and I have the memberOf working. Good.
> I did a "remove user" test...
> When I remove a user from the database, the entry is still present in the lists the user was a member of.
This would imply that you left the "memberOf" attribute present on the raw entry. That would need to be manually removed.
Regards, Quanah
--On Wednesday, December 1, 2021 9:36 PM -0800 Quanah Gibson-Mount quanah@symas.com wrote:
> --On Wednesday, December 1, 2021 10:35 PM +0000 Magnus Morén magnus.moren@hh.se wrote:
>> I have now tested dynlist and I have the memberOf working. Good.
>> I did a "remove user" test...
>> When I remove a user from the database, the entry is still present in the lists the user was a member of.
> This would imply that you left the "memberOf" attribute present on the raw entry. That would need to be manually removed.
Never mind, I misread the question you were asking.
If you use dynlist to dynamically populate group membership as well as instantiate memberOf, then you would get this behavior. If groups are being statically managed, then you'd have to remove the user from the group as well as deleting its entry, as Howard noted.
--Quanah
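The stale uniqueMember values discussed in this thread (group members whose user entry has been deleted) can be located in an LDIF export of the directory. The following is an added example, not code from any poster or from OpenLDAP; the function names, the constructed sample data and the simplified DN comparison (no handling of escaped commas) are assumptions.

```python
import base64

# Constructed sample in slapcat-style LDIF (not data from the thread). user2 and
# the base64-encoded member have no entry; one value is folded across two lines.
GONE = "uid=åsa,ou=people,dc=domain,dc=net"
SAMPLE_LDIF = """\
dn: uid=user1,ou=people,dc=domain,dc=net
objectClass: inetOrgPerson

dn: cn=somegroup,ou=group,dc=domain,dc=net
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=people,dc=domain,dc=net
uniqueMember: uid=user2,ou=people,
 dc=domain,dc=net
uniqueMember:: """ + base64.b64encode(GONE.encode()).decode() + "\n"

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] with folded lines joined and base64 decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation line
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in attrs:
                entries.append((attrs["dn"][0], attrs))
            attrs = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    # Simplified matching: case-insensitive, spaces around commas ignored.
    return ",".join(p.strip().lower() for p in dn.split(","))

def dangling_members(text, group_oc="groupOfUniqueNames", attr="uniqueMember"):
    """List (group DN, member DN) pairs whose member DN has no entry in the export."""
    entries = parse_ldif(text)
    known = {norm_dn(dn) for dn, _ in entries}
    return [(dn, m) for dn, a in entries
            if group_oc.lower() in (oc.lower() for oc in a.get("objectclass", []))
            for m in a.get(attr.lower(), []) if norm_dn(m) not in known]
```

A placeholder DN that exists only as a group value, with no entry of its own in the export, is reported as well.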