Hi,
After the upgrade from 2.5.13->2.5.14 I can't get any search result from slapd when filtering for a specific memberOf=value. If I downgrade back to slapd 2.5.13, all is working again.
It doesn't work with ldapsearch nor with the sssd-ldap module when filtering entities with a specific memberOf=Value:
ldapsearch -o ldif-wrap=no -LLL -x -ZZ -H ldap://ldap-server -b OUR_BASE_DN '(memberOf=.........)' memberOf uid
ldapsearch shows the entities with the memberOf attribute and the memberOf value if I search without a specific memberOf value in the filter:
ldapsearch -o ldif-wrap=no -LLL -x -ZZ -H ldap://ldap-server -b OUR_BASE-DN memberOf
The dynlist config is:
dynlist-attrset labeledURIObject labeledURI memberOf
regards,
Andreas
Hi,
Here is a snippet of the slapd log from 2.5.14:
=> mdb_equality_candidates (objectClass)
=> key_read
mdb_idl_fetch_key: [b49d1940]
<= mdb_index_read: failed (-30798)
<= mdb_equality_candidates: id=0, first=0, last=0
=> mdb_equality_candidates (memberOf)
=> key_read
mdb_idl_fetch_key: [f255735b]
<= mdb_index_read: failed (-30798)
<= mdb_equality_candidates: id=0, first=0, last=0
mdb_search_candidates: id=0 first=0 last=0
mdb_search: no candidates
send_ldap_result: conn=1002 op=2 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=3 tag=101 err=0
conn=1002 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000021 etime=0.000468 nentries=0 text=
connection_get(16)
connection_get(16): got connid=1002
connection_read(16): checking for input on id=1002
op tag 0x42, time 1678793417
ber_get_next on fd 16 failed errno=0 (Success)
conn=1002 op=3 do_unbind
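Added example, not part of the original thread: a small Python triage over a slapd trace like the one above, flagging searches that ended with err=0 and nentries=0 after an equality index lookup returned -30798 (LMDB's MDB_NOTFOUND). The sample log is constructed from the line shapes in the excerpt, and the parser assumes the trace lines of one operation are contiguous. An index miss is also normal for a value that simply does not exist, so a flagged search is a lead to compare against the previous version, not proof of a regression.

```python
import re

MDB_NOTFOUND = -30798  # LMDB return code: key not present in the index

# Constructed sample: op=2 reuses the line shapes of the excerpt above,
# op=5 is an invented contrasting search that finds an entry.
SAMPLE_LOG = """\
=> mdb_equality_candidates (objectClass)
=> key_read
<= mdb_index_read: failed (-30798)
<= mdb_equality_candidates: id=0, first=0, last=0
=> mdb_equality_candidates (memberOf)
=> key_read
<= mdb_index_read: failed (-30798)
<= mdb_equality_candidates: id=0, first=0, last=0
mdb_search: no candidates
conn=1002 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000021 etime=0.000468 nentries=0 text=
=> mdb_equality_candidates (uid)
=> key_read
<= mdb_equality_candidates: id=1, first=7, last=7
conn=1002 op=5 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.000301 nentries=1 text=
"""

CAND = re.compile(r"^=> mdb_equality_candidates \(([^)]+)\)")
FAIL = re.compile(r"^<= mdb_index_read: failed \((-?\d+)\)")
DONE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*?\berr=(\d+) .*?\bnentries=(\d+)")


def triage(log_text):
    """One record per SEARCH RESULT, listing attributes whose index lookup hit MDB_NOTFOUND."""
    records, attr, missing = [], None, []
    for line in map(str.strip, log_text.splitlines()):
        if m := CAND.match(line):
            attr = m.group(1)          # remember which attribute is being looked up
        elif (m := FAIL.match(line)) and attr is not None:
            if int(m.group(1)) == MDB_NOTFOUND:
                missing.append(attr)
            attr = None
        elif m := DONE.search(line):
            conn, op, err, n = map(int, m.groups())
            records.append({"conn": conn, "op": op, "nentries": n, "index_miss": missing,
                            # success + zero entries + index miss: the silent failure reported here
                            "silent_empty": err == 0 and n == 0 and bool(missing)})
            attr, missing = None, []   # start a fresh operation
    return records


def silent_empty_searches(log_text):
    """Only the searches a client would see as 'success, no entries'."""
    return [r for r in triage(log_text) if r["silent_empty"]]
```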
On Mon, Mar 13, 2023 at 10:58:12AM +0100, Andreas Ladanyi wrote:
Hi,
After the upgrade from 2.5.13->2.5.14 I can't get any search result from slapd when filtering for a specific memberOf=value. If I downgrade back to slapd 2.5.13, all is working again.
It doesn't work with ldapsearch nor with the sssd-ldap module when filtering entities with a specific memberOf=Value:
ldapsearch -o ldif-wrap=no -LLL -x -ZZ -H ldap://ldap-server -b OUR_BASE_DN '(memberOf=.........)' memberOf uid
ldapsearch shows the entities with the memberOf attribute and the memberOf value if I search without a specific memberOf value in the filter:
ldapsearch -o ldif-wrap=no -LLL -x -ZZ -H ldap://ldap-server -b OUR_BASE-DN memberOf
The dynlist config is:
dynlist-attrset labeledURIObject labeledURI memberOf
Hi Andreas, I'm pretty sure you configured a dynamic list (whose behaviour has been tightened recently) that you're using as a dynamic group. See the slapo-dynlist manpage for an example how we recommend setting this up.
Regards,
Hi,
I changed my config a bit but it doesn't work.
I don't have a dynamic group. Yes, I configured a dynamic list. We want to add the memberOf attribute to user entries.
We have static groups with objectclass "groupofnames" which contain the DN of users with attribute "member=uid=name,............"
The user entries contain the attribute labeledURI=ldap:///BASE_DN?entryDN?sub?(&(objectClass=groupOfNames)(member=uid=name,..........))
So the DNs of all the static groupofname groups which a user is a member of should be returned by the dynlist URI expansion.
The dynlist module should map the entryDNs of the expansion to memberOf, and the memberOf attribute should be delivered with the user entry output when running ldapsearch:
dynlist-attrset labeledURIObject labeledURI memberOf:entryDN
ldapsearch -H ldap://LDAP_Server -s sub -b BASE_DN '(|(uid=username))' memberOf
ldapsearch with no result.
Am 15.03.23 um 11:33 schrieb Ondřej Kuzník:
On Mon, Mar 13, 2023 at 10:58:12AM +0100, Andreas Ladanyi wrote:
Hi,
After the upgrade from 2.5.13->2.5.14 I can't get any search result from slapd when filtering for a specific memberOf=value. If I downgrade back to slapd 2.5.13, all is working again.
It doesn't work with ldapsearch nor with the sssd-ldap module when filtering entities with a specific memberOf=Value:
ldapsearch -o ldif-wrap=no -LLL -x -ZZ -H ldap://ldap-server -b OUR_BASE_DN '(memberOf=.........)' memberOf uid
ldapsearch shows the entities with the memberOf attribute and the memberOf value if I search without a specific memberOf value in the filter:
ldapsearch -o ldif-wrap=no -LLL -x -ZZ -H ldap://ldap-server -b OUR_BASE-DN memberOf
The dynlist config is:
dynlist-attrset labeledURIObject labeledURI memberOf
Hi Andreas, I'm pretty sure you configured a dynamic list (whose behaviour has been tightened recently) that you're using as a dynamic group. See the slapo-dynlist manpage for an example how we recommend setting this up.
Regards,
On Thu, Mar 16, 2023 at 03:22:25PM +0100, Andreas Ladanyi wrote:
Hi,
I changed my config a bit but it doesn't work.
I don't have a dynamic group. Yes, I configured a dynamic list. We want to add the memberOf attribute to user entries.
We have static groups with objectclass "groupofnames" which contain the DN of users with attribute "member=uid=name,............"
The user entries contain the attribute labeledURI=ldap:///BASE_DN?entryDN?sub?(&(objectClass=groupOfNames)(member=uid=name,..........))
So the DNs of all the static groupofname groups which a user is a member of should be returned by the dynlist URI expansion.
The dynlist module should map the entryDNs of the expansion to memberOf, and the memberOf attribute should be delivered with the user entry output when running ldapsearch:
dynlist-attrset labeledURIObject labeledURI memberOf:entryDN
ldapsearch -H ldap://LDAP_Server -s sub -b BASE_DN '(|(uid=username))' memberOf
ldapsearch with no result.
Hi, is there a reason you don't just follow what the dynlist manpage says for static groups?
e.g. dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames
That way you can get rid of having to set labeledURI on each of the users as well...
Regards,
Am 16.03.23 um 16:36 schrieb Ondřej Kuzník:
On Thu, Mar 16, 2023 at 03:22:25PM +0100, Andreas Ladanyi wrote:
Hi,
I changed my config a bit but it doesn't work.
I don't have a dynamic group. Yes, I configured a dynamic list. We want to add the memberOf attribute to user entries.
We have static groups with objectclass "groupofnames" which contain the DN of users with attribute "member=uid=name,............"
The user entries contain the attribute labeledURI=ldap:///BASE_DN?entryDN?sub?(&(objectClass=groupOfNames)(member=uid=name,..........))
So the DNs of all the static groupofname groups which a user is a member of should be returned by the dynlist URI expansion.
The dynlist module should map the entryDNs of the expansion to memberOf, and the memberOf attribute should be delivered with the user entry output when running ldapsearch:
dynlist-attrset labeledURIObject labeledURI memberOf:entryDN
ldapsearch -H ldap://LDAP_Server -s sub -b BASE_DN '(|(uid=username))' memberOf
ldapsearch with no result.
Hi,
Hi, is there a reason you don't just follow what the dynlist manpage says for static groups?
e.g. dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames
dynlist-attrset labeledURIObject labeledURI memberOf+member@groupOfNames
works
That way you can get rid of having to set labeledURI on each of the users as well...
No, I can't. I tried it out. Without the labeledURI attribute for each user, ldapsearch doesn't return the memberOf attributes of the user entity with this ldapsearch call:
ldapsearch -H ldap://LDAP_Server -s sub -b BASE_DN '(uid=username)' memberOf
The labeledURI attribute is: labeledURI=ldap:///BASE_DN??sub?(&(objectClass=groupOfNames)(member=uid=name,..........))
The attrs part is absent.
Searching for memberOf doesn't work.
ldapsearch -H ldap://LDAP_Server -s sub -b BASE_DN '(memberOf=cn=groupname,ou=groupOfNames,dc=.............)' doesn't return anything.
entryDN is set to "read" for *.
On Fri, Mar 17, 2023 at 09:27:48AM +0100, Andreas Ladanyi KIT wrote:
dynlist-attrset labeledURIObject labeledURI memberOf+member@groupOfNames
My config is set to:
dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames
ldapsearch -H ldap://LDAP_Server -s sub -b BASE_DN '(uid=username)' memberOf
I don't have any labeledURI associated with users, and it works fine:
# ldapsearch uid=henson memberOf
[...]
dn: uid=henson,ou=user,dc=cpp,dc=edu
memberOf: uid=idm,ou=group,dc=cpp,dc=edu
memberOf: uid=iit,ou=group,dc=cpp,dc=edu
Am 19.03.23 um 04:43 schrieb Paul B. Henson:
On Fri, Mar 17, 2023 at 09:27:48AM +0100, Andreas Ladanyi KIT wrote:
dynlist-attrset labeledURIObject labeledURI memberOf+member@groupOfNames
My config is set to:
dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames
ldapsearch -H ldap://LDAP_Server -s sub -b BASE_DN '(uid=username)' memberOf
I don't have any labeledURI associated with users, and it works fine:
# ldapsearch uid=henson memberOf
[...]
dn: uid=henson,ou=user,dc=cpp,dc=edu
memberOf: uid=idm,ou=group,dc=cpp,dc=edu
memberOf: uid=iit,ou=group,dc=cpp,dc=edu
Does
ldapsearch memberOf=uid=idm,ou=group,dc=cpp,dc=edu
also work?
On Mon, Mar 20, 2023 at 10:28:46AM +0100, Andreas Ladanyi wrote:
ldapsearch memberOf=uid=idm,ou=group,dc=cpp,dc=edu
Yes.
$ ldapsearch memberOf=uid=idm,ou=group,dc=cpp,dc=edu
# extended LDIF
#
# LDAPv3
# base <dc=cpp,dc=edu> (default) with scope subtree
# filter: memberOf=uid=idm,ou=group,dc=cpp,dc=edu
# requesting: ALL
#

# henson, user, cpp.edu
dn: uid=henson,ou=user,dc=cpp,dc=edu
[...]
openldap-technical@openldap.org