Hey Guys, I'm currently looking for a solution for this: In my setup slapo-dynlist is being used (in conjunction with slapo-relay/slapo-rwm, but that doesn't matter here I think) to add memberOf attributes to particular posixGroup objects in my directory dynamically. At first glance that worked great, that is, when I try to view these posixGroup objects they have the usernames in their memberOf attributes as expected. However, as soon as I try to search for those objects which have a particular value for a memberOf attribute, i.e. as soon as I do a search with the memberOf attribute included in the search filter like (&(objectClass=posixGroup)(memberOf=tom2)), I don't get any results any more, though matching objects exist. After hours of googling I found out that this is due to the fact that the dynamic attributes are added when an object gets retrieved but are not present when a search operation is trying to access them...
To make clear what exactly I mean, I've got this little example for you:

# ldapsearch -xD cn=ldapadmin,dc=uni-bamberg,dc=de -w ldappw -b ou=ubuntu,ou=groups,dc=uni-bamberg,dc=de -LLL '(&(cn=sudo)(memberUid=*))' '*'

...doesn't return any matching objects. However, leaving the memberUid attribute (which is dynamically added to the object) out of the search filter, I get the following:

# ldapsearch -xD cn=ldapadmin,dc=uni-bamberg,dc=de -w ldappw -b ou=ubuntu,ou=groups,dc=uni-bamberg,dc=de -LLL '(cn=sudo)' '*'
dn: cn=sudo,ou=ubuntu,ou=groups,dc=uni-bamberg,dc=de
gidNumber: 27
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
userPassword:: e2NyeXB0fXg=
cn: sudo
labeledURI: ldap:///ou=students,dc=uni-bamberg,dc=de?uid?one?(&(objectClass=po
 sixAccount)(description=groups*sudo*))
uid: sdfdfdsf
uid: sdsfasfsd
uid: asdfasdfasdfasdf
uid: tom2
uid: dsafsdfasfsd
uid: asdfasdfdfdf

(uid was hidden in my example for reasons of privacy and the 'uid' attributes are rewritten later on into memberUid; I also included the uid attribute in the schema definition of posixGroup, such that there should be no problems with schemas etc...)

My configuration for slapo-dynlist is pretty simple:

overlay dynlist
dynlist-attrset labeledURIObject labeledURI

This guy here seems to have pretty much the same problem as I have: http://www.mail-archive.com/openldap-software@openldap.org/msg14738.html
So my question is: is there any workaround for my problem? I really need to be able to have my users put into the groups dynamically. Would plugging a caching overlay (such as pcache) in between the output of dynlist and any other processing (such as rewriting using rwm) help to get the dynamically added memberOf attribute searchable?
Thanks in advance! Tom
openldap-technical@openldap.org
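
A client-side way around the search problem described in this message, added here as an example and not part of the original post or of OpenLDAP: search without the dynamic attribute in the filter, then match on the expanded values in the client. The function names and the second `cn=adm` entry are constructed for illustration; the first entry is modelled on the output quoted above.

```python
import base64

# Constructed sample of `ldapsearch -LLL` output. Continuation lines of a
# folded LDIF value start with a single space, as in the labeledURI line.
SAMPLE_LDIF = """\
dn: cn=sudo,ou=ubuntu,ou=groups,dc=uni-bamberg,dc=de
objectClass: posixGroup
userPassword:: e2NyeXB0fXg=
cn: sudo
labeledURI: ldap:///ou=students,dc=uni-bamberg,dc=de?uid?one?(&(objectClass=po
 sixAccount)(description=groups*sudo*))
uid: tom2
uid: asdfasdfdfdf

dn: cn=adm,ou=ubuntu,ou=groups,dc=uni-bamberg,dc=de
objectClass: posixGroup
cn: adm
uid: someoneelse
"""

def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into a list of {attr: [values]} dicts."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # unfold: drop the leading space
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():                  # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # 'attr:: value' is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries

def groups_with_member(ldif_text, member, attr="uid"):
    """Client-side stand-in for (&(objectClass=posixGroup)(<attr>=<member>))."""
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "posixgroup" in (v.lower() for v in e.get("objectclass", []))
            and member in e.get(attr.lower(), [])]   # exact string match
```

Feed it the output of a search whose filter names only stored attributes, for example `(objectClass=posixGroup)`, so that the dynlist-expanded values are present in the returned entries.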