Thanks for your reply, I'll try to explain.
Populating the memberOf attribute on user entries works well using this:
olcDynListAttrSet: {1}inetOrgPerson labeledURI memberOf
The user entry looks as follows:
dn: uid=test1,ou=people,dc=test,dc=com
sambaAcctFlags: [U ]
sambaPwdLastSet: 9999999999
sambaNTPassword: pass
o: test
sambaSID: S-1-5-21-3945181060-1826002392-430723570
pwdPolicySubentry: cn=noexpire,ou=ppolicy,dc=test,dc=com
createTimestamp: 20220529070624.324Z
description: User account
userPassword:: pass
sambaPwdCanChange: 1528009736
sambaPwdMustChange: 0
mail: test1@test.com test1@test.com
loginShell: /bin/bash
givenName: Test1
sambaLogonTime: 0
sn: Test
cn: Test1 Test
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: sambaSamAccount
objectClass: shadowAccount
homeDirectory: /home/test1
pwdChangedTime: 20220529070856.504Z
gidNumber: 1002
uidNumber: 1002
uid: test1
structuralObjectClass: inetOrgPerson
entryUUID: 348cd83e-7c6a-103c-8612-1918ce7a0bc4
creatorsName: cn=admin,dc=test,dc=com
labeledURI: ldap:///ou=groups,dc=test,dc=com??sub?(|(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=test1,ou=people,dc=test,dc=com))(&(objectClass=posixGroup)(memberUid=test1)))
entryCSN: 20220609180738.487916Z#000000#001#000000
modifiersName: cn=admin,dc=test,dc=com
modifyTimestamp: 20220609180738Z
memberOf: cn=devops,ou=groups,dc=test,dc=com
entryDN: uid=test1,ou=people,dc=test,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Static group entry:
dn: cn=devops,ou=groups,dc=test,dc=com
cn: devops
objectClass: groupOfUniqueNames
objectClass: top
description: devops group
uniqueMember: uid=test1,ou=people,dc=test,dc=com
uniqueMember: uid=test2,ou=people,dc=test,dc=com
Next, what I want to do is aggregate multiple groups into one virtual group using this:
olcDynListAttrSet: {0}groupOfURLs memberURL member
Then I create the appropriate group:
dn: cn=testluri,ou=groups,dc=test,dc=com
cn: testluri
objectClass: top
objectClass: groupOfURLs
description: test group
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
but this doesn't add a member attribute to this group. When I change memberURL as follows:
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(|(uid=test1)(uid=test2))
the member attribute is added to the testluri group:
dn: cn=testluri,ou=groups,dc=test,dc=com
cn: testluri
objectClass: top
objectClass: groupOfURLs
description: test group
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
member: uid=test1,ou=people,dc=test,dc=com
member: uid=test2,ou=people,dc=test,dc=com
but this is not the goal. As I mentioned, I want to aggregate multiple groups into one using the memberOf attribute in memberURL:
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
but this doesn't work. What am I doing wrong?
Regards, BS
Wed, 29 Jun 2022 at 19:17 Quanah Gibson-Mount quanah@fast-mail.org wrote:
--On Tuesday, June 28, 2022 12:18 PM +0200 Bog Dan bsiara.cgi@gmail.com wrote:
Hi all, I have a problem with the dynlist overlay; this is my configuration:
dn: olcOverlay={1}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {1}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member
olcDynListAttrSet: {1}inetOrgPerson labeledURI memberOf
First I create a static group:
dn: cn=devops,ou=groups,dc=test,dc=com
cn: devops
objectClass: groupOfUniqueNames
objectClass: top
description: devops group
uniqueMember: uid=test1,ou=people,dc=test,dc=com
uniqueMember: uid=test2,ou=people,dc=test,dc=com
When I create a new dynamic group:
dn: cn=testluri,ou=groups,dc=test,dc=com
cn: testluri
objectClass: top
objectClass: groupOfURLs
description: test group
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
I don't get any members in the group. Users test1 and test2 already have the memberOf attribute:
memberOf: cn=devops,ou=groups,dc=test,dc=com
When I change memberURL so that it does not use dynamic attributes (memberOf):
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(|(uid=test1)(uid=test2))
the users are added to the testluri group and dynlist works well. What should I do to configure dynlist with memberOf?
I've read your email multiple times, and quite frankly I don't understand what your end goal is.
If your end goal is to have static groups, where memberOf is dynamically populated on the user entries (which is the usual use case for replacing the 2.4 memberOf), then your configs are clearly incorrect.
Can you better explain what your end goal is?
Thanks, Quanah
--On Thursday, June 30, 2022 11:51 AM +0200 Bog Dan bsiara.cgi@gmail.com wrote:
Thanks for your reply, I'll try to explain.
Populating the memberOf attribute on user entries works well using this:
Have you read through test044 and the various configurations? Your config still doesn't look correct to me. For example, when testing reverse memberOf lookups, the config in the test is:
olcDynListAttrSet: groupOfURLs memberURL member+memberOf
If adding static groups into the mix, it's:
olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames
When doing nested Dynamic groups, it's:
olcDynListAttrSet: groupOfURLs memberURL member+memberOf*
When mixing both, it's:
olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames*
olcDynListAttrSet: labeledURIObject labeledURI uniqueMember+seeAlso@groupOfUniqueNames
So none of your configuration seems to be really using dynlist as designed. Also, I don't believe you can do what you want in this way:
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
because memberOf is a virtual attribute.
There are two ways shown in test044 to do nested groups. One is with static group membership, i.e.:
dn: cn=testluri,ou=groups,dc=test,dc=com
cn: testluri
objectClass: groupOfNames
member: cn=devops,ou=groups,dc=test,dc=com
The other is with dynamic group membership, i.e.:
dn: cn=testluri,ou=groups,dc=test,dc=com
objectClass: groupOfURLs
cn: testluri
memberURL: ldap:///ou=groups,dc=test,dc=com??sub?(description=devops group)
Regards, Quanah
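The following LDIF is an added example, not part of this thread and not copied from test044: it puts the attrset shape Quanah describes (member-ad+memberOf-ad@static-oc*) together with the DNs used in the thread, so the whole nested-group setup can be applied with one ldapmodify run. It assumes the mdb database is olcDatabase={1}mdb and the dynlist module is already loaded, as in the poster's configuration, and that cn=devops and cn=testluri do not exist yet.

```ldif
# Added example, not from the thread or from test044. Assumes the
# overlay already exists at olcOverlay={1}dynlist,olcDatabase={1}mdb.
#
# 1. One attrset instead of two. Syntax of the last field:
#    <member-ad>+<memberOf-ad>@<static-oc>*
#    member   : attribute dynlist fills on the group entry
#    memberOf : attribute dynlist fills on each member entry
#    @groupOfNames : also consider static groups of this class
#    *        : follow nested groups
dn: olcOverlay={1}dynlist,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDynListAttrSet
olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames*

# 2. Static group. The attrset names "member" and "groupOfNames", so
#    the static group must be a groupOfNames with member values; a
#    groupOfUniqueNames with uniqueMember is not covered by this attrset
#    (it would need its own attrset, as in Quanah's second line above).
dn: cn=devops,ou=groups,dc=test,dc=com
changetype: add
objectClass: groupOfNames
cn: devops
description: devops group
member: uid=test1,ou=people,dc=test,dc=com
member: uid=test2,ou=people,dc=test,dc=com

# 3a. Nested group, static variant: the parent group lists the child
#     group as a member. The trailing "*" in the attrset is what makes
#     dynlist follow this nesting when it expands cn=testluri and when
#     it computes memberOf for test1 and test2.
dn: cn=testluri,ou=groups,dc=test,dc=com
changetype: add
objectClass: groupOfNames
cn: testluri
description: test group
member: cn=devops,ou=groups,dc=test,dc=com

# 3b. Nested group, dynamic variant (use this instead of 3a). The
#     memberURL selects child *groups* by a stored attribute. It must
#     not filter on memberOf: that value is computed at read time and
#     is not something the URL search can match on.
# dn: cn=testluri,ou=groups,dc=test,dc=com
# changetype: add
# objectClass: groupOfURLs
# cn: testluri
# description: test group
# memberURL: ldap:///ou=groups,dc=test,dc=com??sub?(description=devops group)
```

Apply it with ldapmodify against cn=config and the data backend, then verify both directions: `ldapsearch -LLL -b ou=groups,dc=test,dc=com cn=testluri member` should list the nested members, and `ldapsearch -LLL -b ou=people,dc=test,dc=com uid=test1 memberOf` should report both cn=devops and cn=testluri. Run the second search bound as the application's service account as well as the rootdn; a membership that is visible only to the rootdn is a common reason an application's authorization decisions disagree with what the administrator sees.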
openldap-technical@openldap.org