Hi,
I have built my ldap groups with dynlist overlay.
If I search for a group I can see the members:

    ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net' 'cn=ou-is'
    dn: cn=ou-is,ou=Groups,dc=abc,dc=net
    objectClass: groupOfURLs
    objectClass: fhvGroup
    cn: ou-is
    memberURL: ldap:///ou=People,dc=abc,dc=net??sub?(fhvIsAISMemberOf=cn=ou-is,ou=Groups,dc=abc,dc=net)
    member: uid=cb,ou=fhv,ou=People,dc=abc,dc=net

But if I search for members I only get empty results:

    ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net' '(member=uid=cb,ou=fhv,ou=People,dc=abc,dc=net)' cn member

Is this not working with dynamic groups?
And does it make sense to build indexes for dynamic member attributes?
/thx,chris
Hey Christian,
you may want to post your dynlist overlay configuration. :)
Bye.
On Wed, Nov 24, 2010 at 14:50, Christian Bösch boesch@fhv.at wrote:
> Hi,
> I have built my ldap groups with dynlist overlay.
> If I search for a group I can see the members:
>
>     ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net' 'cn=ou-is'
>     dn: cn=ou-is,ou=Groups,dc=abc,dc=net
>     objectClass: groupOfURLs
>     objectClass: fhvGroup
>     cn: ou-is
>     memberURL: ldap:///ou=People,dc=abc,dc=net??sub?(fhvIsAISMemberOf=cn=ou-is,ou=Groups,dc=abc,dc=net)
>     member: uid=cb,ou=fhv,ou=People,dc=abc,dc=net
>
> But if I search for members I only get empty results:
>
>     ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net' '(member=uid=cb,ou=fhv,ou=People,dc=abc,dc=net)' cn member
>
> Is this not working with dynamic groups?
> And does it make sense to build indexes for dynamic member attributes?
> /thx,chris
sorry...

    dn: olcOverlay={2}dynlist
    objectClass: olcOverlayConfig
    objectClass: olcDynamicList
    olcOverlay: {2}dynlist
    structuralObjectClass: olcDynamicList
    entryUUID: e9066598-a4df-102e-95f2-55d98beb767a
    creatorsName: cn=config
    createTimestamp: 20100203071719Z
    olcDlAttrSet: {0}groupOfURLs memberURL member
    olcDlAttrSet: {1}fhvGroup ownerURL owner
    entryCSN: 20100714081203.144228Z#000000#000#000000
    modifiersName: cn=admin,dc=abc,dc=net
    modifyTimestamp: 20100714081203Z

/chris
On Nov 24, 2010, at 15:09 , Benjamin Griese wrote:
> Hey Christian,
> you may want to post your dynlist overlay configuration. :)
> Bye.
> -- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
Hello,
first of all, I am using labeledURI instead of memberURL, and I am a little bit confused about what you're doing in your expression:
my straightforward example searches for uid's in a particular OU and assembles them from objects containing the objectClass posixAccount:

    objectClass: groupOfURLs (strukturell)
    objectClass: labeledURIObject (zusätzlich)
    objectClass: posixGroup (zusätzlich)
    objectClass: top (abstrakt)
    cn: somegroup
    gidNumber: 2003
    ldap:///ou=People,dc=example,dc=de?uid?sub?(objectClass=posixAccount)

while the DLattrset of the dynlist overlay remaps it to memberUid:
olcDLAttrSet: {0}posixgroup labeleduri memberuid:uid
This example is quite simple, maybe too simple for your needs.
What is it that you're trying to search for, and based on which criteria?
From my low point of view your search makes no sense. :)
Bye.
On Wed, Nov 24, 2010 at 15:16, Christian Bösch boesch@fhv.at wrote:
> sorry...
>
>     dn: olcOverlay={2}dynlist
>     objectClass: olcOverlayConfig
>     objectClass: olcDynamicList
>     olcOverlay: {2}dynlist
>     structuralObjectClass: olcDynamicList
>     entryUUID: e9066598-a4df-102e-95f2-55d98beb767a
>     creatorsName: cn=config
>     createTimestamp: 20100203071719Z
>     olcDlAttrSet: {0}groupOfURLs memberURL member
>     olcDlAttrSet: {1}fhvGroup ownerURL owner
>     entryCSN: 20100714081203.144228Z#000000#000#000000
>     modifiersName: cn=admin,dc=abc,dc=net
>     modifyTimestamp: 20100714081203Z
>
> /chris
> Hi,
> I have built my ldap groups with dynlist overlay.
> If I search for a group I can see the members:
>
>     ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net' 'cn=ou-is'
>     dn: cn=ou-is,ou=Groups,dc=abc,dc=net
>     objectClass: groupOfURLs
>     objectClass: fhvGroup
>     cn: ou-is
>     memberURL: ldap:///ou=People,dc=abc,dc=net??sub?(fhvIsAISMemberOf=cn=ou-is,ou=Groups,dc=abc,dc=net)
>     member: uid=cb,ou=fhv,ou=People,dc=abc,dc=net
>
> But if I search for members I only get empty results:
>
>     ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net' '(member=uid=cb,ou=fhv,ou=People,dc=abc,dc=net)' cn member
>
> Is this not working with dynamic groups?
Yes, the module is working as intended. From slapo-dynlist(5):
Any time an entry with a specific objectClass is being returned, the LDAP URI-valued occurrences of a specific attribute are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry.
So the overlay operates on entries *returned* by a search, and thus it has nothing to do with the search filter. At the time of filtering, the dynamic values are not present in the entry, and thus cannot match.
> And does it make sense to build indexes for dynamic member attributes?
No, it's pure nonsense.
p.
On Nov 24, 2010, at 16:56 , masarati@aero.polimi.it wrote:
> > Is this not working with dynamic groups?
> Yes, the module is working as intended. From slapo-dynlist(5):
> Any time an entry with a specific objectClass is being returned, the LDAP URI-valued occurrences of a specific attribute are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry.
> So the overlay operates on entries *returned* by a search, and thus it has nothing to do with the search filter. At the time of filtering, the dynamic values are not present in the entry, and thus cannot match.
OK, but how can this be solved without having to maintain the group tree with static members, and still have the ability to search for member=..?
I thought about a proxy cache, but this would probably be senseless because a proxytemplate (member=) would result in nothing to cache because of the target server?
/chris
> > So the overlay operates on entries *returned* by a search, and thus it has nothing to do with the search filter. At the time of filtering, the dynamic values are not present in the entry, and thus cannot match.
> OK, but how can this be solved without having to maintain the group tree with static members, and still have the ability to search for member=..?
This can't be solved. There's a blatant contradiction between pretending membership to be dynamic and pretending that indexes are maintained about something that is dynamically generated. Please note that this discussion already took place innumerable times. Please search the list archives (openldap-software and openldap-technical) for further reading.
slapo-dynlist was designed to fulfill a specific requirement, which makes perfect sense:
- expand URIs into an entry that merges the results of a subsearch
- allow to compare on dynamically generated attributes.
The fulfillment of the latter requirement allows dynamic groups to perform their main functionality, which consists in allowing to check whether a given DN is a member of a given group. It does not allow to find what groups a given DN is a member of, but I think the latter is an improper use of LDAP groups.
> I thought about a proxy cache, but this would probably be senseless because a proxytemplate (member=) would result in nothing to cache because of the target server?
Exactly.
p.
openldap-technical@openldap.org
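
Because the stored group entry holds only memberURL at filter time, a client that needs "which dynamic groups select this user" has to evaluate each memberURL against the user entry itself. The sketch below is an added example, not code from the thread or from OpenLDAP; it assumes simple equality filters only, a simplified DN normalisation, a constructed second group (cn=ou-xy) and a constructed fhvIsAISMemberOf value on the user entry.

```python
from urllib.parse import unquote

def norm(dn):
    """Crude DN normalisation (assumes no escaped commas)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_member_url(url):
    """Split ldap://host/base?attrs?scope?filter into (base, scope, filter)."""
    rest = url.split("://", 1)[1].split("/", 1)[1]
    base, _attrs, scope, flt = (unquote(p) for p in (rest.split("?") + [""] * 3)[:4])
    return norm(base), (scope or "base").lower(), flt or "(objectClass=*)"

def in_scope(dn, base, scope):
    dn = norm(dn)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    levels_below = dn[: -len(base) - 1].count(",") + 1
    return scope == "sub" or levels_below == 1

def matches(entry, flt):
    """Evaluate one equality filter (attr=value); reject anything more complex."""
    inner = flt.strip()[1:-1]
    if inner.lower() == "objectclass=*":
        return True
    attr, sep, value = inner.partition("=")
    if not sep or any(c in inner for c in "()*&|!<>~"):
        raise ValueError("unsupported filter: " + flt)
    stored = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    return norm(value) in {norm(v) for v in stored}

def groups_of(user_dn, user_entry, groups):
    """DNs of the dynamic groups whose memberURL selects this user entry."""
    return [gdn for gdn, urls in groups.items()
            if any(in_scope(user_dn, b, s) and matches(user_entry, f)
                   for b, s, f in map(parse_member_url, urls))]

# Constructed sample data: the first group is the one from the thread, the
# second group and the user's fhvIsAISMemberOf value are assumptions.
GROUPS = {
    "cn=ou-is,ou=Groups,dc=abc,dc=net": [
        "ldap:///ou=People,dc=abc,dc=net??sub?(fhvIsAISMemberOf=cn=ou-is,ou=Groups,dc=abc,dc=net)"],
    "cn=ou-xy,ou=Groups,dc=abc,dc=net": [
        "ldap:///ou=People,dc=abc,dc=net??sub?(fhvIsAISMemberOf=cn=ou-xy,ou=Groups,dc=abc,dc=net)"],
}
USER_DN = "uid=cb,ou=fhv,ou=People,dc=abc,dc=net"
USER = {"uid": ["cb"], "fhvIsAISMemberOf": ["cn=ou-is,ou=Groups,dc=abc,dc=net"]}

if __name__ == "__main__":
    print(groups_of(USER_DN, USER, GROUPS))
```

Filters other than a single equality match raise ValueError rather than being guessed at, so an authorization check built on this fails loudly instead of silently returning no groups.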