Hello,
We have to install a product which uses LDAP and that seems to need the memberof overlay. As I have read, this overlay is deprecated and causes trouble with replication. So I have dug around to find a replacement solution, and what I have found is to add something like this:
In the olcDynamicList:
olcDlAttrSet: myPerson labeledURI myMemberOf
And in each user <user>:
labeledURI: ldap:///ou=groups,dc=example,dc=com??sub?(&(objectclass=posixgroup) (memberuid=<user>))
I find this way quite heavy to deal with, adding such an attribute to every user (1), but we can do it.
My other problem is that myMemberOf may take really long to compute at each request (and for stupid historic reasons some old programs query the full set of user attributes).
So I intend to add a proxy cache. But I have a question concerning the templates: if I add the following template (myMemberOf=*), will it cache only the requests that are exactly (myMemberOf=XXX), or also requests that contain the pattern, like (&(Status=xxx)(myMemberOf=yyy))?
Thanks.
f.g.
Note 1: it would be nice if we could define things in a single place, like: labeledURI: ldap:///ou=groups,dc=example,dc=com??sub?(&(objectclass=posixgroup) (memberuid=%uid%)) where %uid% would be the uid attribute value of the considered object. Or am I missing something?
— Frédéric Goudal Ingénieur Système, DSI Bordeaux-INP +33 556 84 23 11
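The thread does not answer the template question, so the following is an added illustration, not the thread's or OpenLDAP's own configuration: a cn=config fragment for slapo-pcache written against the slapo-pcache(5) syntax as I read it. A template is the filter with its assertion values removed, and an incoming search is cached only when its filter has exactly the shape of one of the templates, so a template for (myMemberOf=) covers searches of the form (myMemberOf=XXX) and a compound filter such as (&(Status=xxx)(myMemberOf=yyy)) needs a template of its own. The DNs, database numbering, attribute set contents, TTL and directory path are assumptions to adapt.

```ldif
# Added example (not from the thread): slapo-pcache in front of a proxy
# database, cn=config form. Database numbers, DNs, attribute set, TTL
# and the directory path are assumptions.
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcPcacheConfig
olcOverlay: {0}pcache
# <backend> <max_entries> <numattrsets> <entry_limit> <cc_period>
olcPcache: mdb 10000 1 50 100
# attribute set 0: the attributes stored for cached entries; a search is
# answered from the cache only if what it requests is within this set
olcPcacheAttrset: 0 uid cn myMemberOf
# template: the filter with assertion values removed, attrset index, TTL (s)
olcPcacheTemplate: (myMemberOf=) 0 3600
# a compound filter is a different shape, so it gets its own template
olcPcacheTemplate: (&(Status=)(myMemberOf=)) 0 3600

# the cache's own database, a child entry of the overlay
dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcMdbConfig
objectClass: olcPcacheDatabase
olcDatabase: {0}mdb
olcDbDirectory: /var/lib/ldap/pcache
olcDbIndex: objectClass eq
olcDbIndex: myMemberOf eq
```

Two practical points follow from the syntax above. The programs mentioned in the message that ask for every attribute are only served from the cache if the attribute set covers what they request (slapo-pcache(5) accepts `*` for all user attributes). And a cached answer is returned until its TTL expires, so a group membership that is revoked in the directory keeps being reported in myMemberOf for up to 3600 s with this setting; pick the TTL with that authorization lag in mind.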
--On Monday, October 17, 2022 4:51 PM +0200 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
Hello,
We have to install a product which uses LDAP and that seems to need the memberof overlay. As I have read, this overlay is deprecated and causes trouble with replication. So I have dug around to find a replacement solution, and what I have found is to add something like this:
In the olcDynamicList:
olcDlAttrSet: myPerson labeledURI myMemberOf
And in each user <user>:
labeledURI: ldap:///ou=groups,dc=example,dc=com??sub?(&(objectclass=posixgroup) (memberuid=<user>))
It sounds like you're using the older 2.4 based dynlist rather than OpenLDAP 2.5 and later dynlist?
Regards, Quanah
Hello,
Thanks, I have found the correct documentation and read it 5 times (well, English is not natural for me).
So, if I have only static groups, should I use only this:
olcDynListAttrSet: myPerson labeledURI myMemberOf@GroupOfNames
What I don't understand is this sentence in the man page:
If the optional static-oc objectClass is also specified, then the memberOf attribute will also be populated with the DNs of the static groups that an entry is a member of.
Does it mean that the labeledURI attribute in my myPerson objects has no use? Or should it return a list of objects of objectClass GroupOfNames that will be used to build the myMemberOf value (thus allowing me to restrict the groups in which to search for membership)?
f.g.
On 17 Oct 2022, at 16:25, Quanah Gibson-Mount quanah@fast-mail.org wrote:
It sounds like you're using the older 2.4 based dynlist rather than OpenLDAP 2.5 and later dynlist?
Regards, Quanah
— Frédéric Goudal Ingénieur Système, DSI Bordeaux-INP +33 556 84 23 11
--On Monday, October 17, 2022 6:07 PM +0200 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
Hello,
Thanks, I have found the correct documentation and read it 5 times (well, English is not natural for me).
So, if I have only static groups, should I use only this:
olcDynListAttrSet: myPerson labeledURI myMemberOf@GroupOfNames
What I don't understand is this sentence in the man page:
If the optional static-oc objectClass is also specified, then the memberOf attribute will also be populated with the DNs of the static groups that an entry is a member of.
Does it mean that the labeledURI attribute in my myPerson objects has no use? Or should it return a list of objects of objectClass GroupOfNames that will be used to build the myMemberOf value (thus allowing me to restrict the groups in which to search for membership)?
Correct, you should not need to add labeledURI to your users. One point of the dynlist rewrite in 2.5 (and later) is to be able to replace the slapo-memberof overlay with dynamically generated memberships for the users.
Regards, Quanah
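To make the answer concrete, here is an added cn=config fragment for the OpenLDAP 2.5+ slapo-dynlist used as a memberOf replacement, together with constructed user and group entries to check it against. It is not the thread's or the OpenLDAP project's own configuration. The attrset keeps the thread's myPerson and labeledURI, but the memberOf part is written in the full form from the slapo-dynlist(5) syntax as I read it, `<member-ad>+<memberOf-ad>@<static-oc>`, naming `member` as the attribute matched against the entry's DN. That is also why the example uses groupOfNames rather than the posixGroup entries of the first message: as I understand the static-oc lookup, it matches the entry's DN against the member attribute, and memberUid holds uid strings, not DNs. Database numbering, the myMemberOf attribute (which must exist in the schema) and the entry layout are assumptions.

```ldif
# Added example (not from the thread): OpenLDAP 2.5+ slapo-dynlist as a
# memberOf replacement, cn=config form. Database number, overlay index,
# the myMemberOf attribute and the entry layout are assumptions.
# Syntax per slapo-dynlist(5), as read by the editor:
#   <group-oc> [<URL-ad>] [<member-ad>[+<memberOf-ad>[@<static-oc>[*]]]]
dn: olcOverlay={0}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
# entries of class myPerson get myMemberOf filled at search time with the
# DNs of the groupOfNames groups whose member attribute holds the entry's
# DN; labeledURI is listed as the URL attribute but no user needs to carry one
olcDynListAttrSet: myPerson labeledURI member+myMemberOf@groupOfNames

# constructed test data (assumed layout): a user without any labeledURI
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: myPerson
uid: alice
cn: Alice
sn: Example

# a static group whose member attribute names the user's DN
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com
```

After loading this, `ldapsearch -x -b uid=alice,ou=people,dc=example,dc=com myMemberOf` should return `myMemberOf: cn=admins,ou=groups,dc=example,dc=com` even though the user entry stores no membership attribute. Because the value is generated on each search rather than written into the entry, it is never replicated, which is the replication problem the first message raised with slapo-memberof; the cost is the per-search group lookup that the first message also mentions.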
openldap-technical@openldap.org