Hi,
I am using one 2.5 Master / Provider / syncprov and some 2.5 Slaves / Consumers / syncrepl. I added the dynlist to generate the memberOf attribute to slapd.conf on the Master and all Slaves.
The problem is that only on some slaves the dynlist doesn't generate memberOf attribute output when I ldapsearch a user. I am using the objectClass labeledURIObject and the attribute labeledURI to store the LDAP URI for dynlist to trigger / generate the DN of the group membership for the memberOf attribute of the user. The labeledURI attribute is replicated successfully.
User entry output on non-working slaves with the attribute labeledURI; memberOf is missing:
ldapsearch -x -LLL -ZZ -H ldap://non_working_slave -b 'ou=X,dc=department,dc=organization,dc=X,dc=X' '(&(uid=X))' results in the user entry with all objectClasses and all attributes except the memberof attribute.
#start snip:
...
objectClass: labeledURIObject
...
labeledURI: ldap:///dc=department,dc=organization,dc=X,dc=X??sub?(&(objectClass=groupOfNames)(member=uid=XXXX,ou=account,ou=X,dc=department,dc=organization,dc=X,dc=X))
#stop snip
slapd.conf:
overlay dynlist
dynlist-attrset labeledURIObject labeledURI memberOf
The difference between working and non-working slaves is the length of the ACL list.
The important ACL entry is:
access to dn.sub=dc=department,dc=organization,dc=X,dc=X
        attrs=entry
        by peername=IP_subnet read
        by * break
access to dn.regex=^[^,]+,ou=(account|group|groupOfNames),ou=X,dc=department,dc=organization,dc=X,dc=X$
        by peername=IP_subnet read
        by * break
I set no attrs= parameter on the "access to dn.regex" rule, to output all attributes.
cheers,
Andreas
Hi,
Meanwhile I fixed the issue and forgot to answer.
The slaves which don't deliver the dynlist attribute memberOf are partially replicated instead of fully replicated slaves. So the labeledURI LDAP attribute value ldap:///dc=department,dc=organization,dc=X,dc=X? has to be corrected to the base DN of the partial LDAP slave, so ou=xyz,dc=department,dc=organization,.... is correct and working.
cheers,
Andi
On 02.02.23 at 15:35, Andreas Ladanyi wrote:
Hi,
I am using one 2.5 Master / Provider / syncprov and some 2.5 Slaves / Consumers / syncrepl. I added the dynlist to generate the memberOf attribute to slapd.conf on the Master and all Slaves.
The problem is that only on some slaves the dynlist doesn't generate memberOf attribute output when I ldapsearch a user. I am using the objectClass labeledURIObject and the attribute labeledURI to store the LDAP URI for dynlist to trigger / generate the DN of the group membership for the memberOf attribute of the user. The labeledURI attribute is replicated successfully.
User entry output on non-working slaves with the attribute labeledURI; memberOf is missing:
ldapsearch -x -LLL -ZZ -H ldap://non_working_slave -b 'ou=X,dc=department,dc=organization,dc=X,dc=X' '(&(uid=X))' results in the user entry with all objectClasses and all attributes except the memberof attribute.
#start snip:
...
objectClass: labeledURIObject
...
labeledURI: ldap:///dc=department,dc=organization,dc=X,dc=X??sub?(&(objectClass=groupOfNames)(member=uid=XXXX,ou=account,ou=X,dc=department,dc=organization,dc=X,dc=X))
#stop snip
slapd.conf:
overlay dynlist
dynlist-attrset labeledURIObject labeledURI memberOf
The difference between working and non-working slaves is the length of the ACL list.
The important ACL entry is:
access to dn.sub=dc=department,dc=organization,dc=X,dc=X
        attrs=entry
        by peername=IP_subnet read
        by * break
access to dn.regex=^[^,]+,ou=(account|group|groupOfNames),ou=X,dc=department,dc=organization,dc=X,dc=X$
        by peername=IP_subnet read
        by * break
I set no attrs= parameter on the "access to dn.regex" rule, to output all attributes.
cheers,
Andreas
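An added illustration of the fix Andi describes (example code written for this page, not from the thread or from OpenLDAP): dynlist evaluates the labeledURI as an internal search against the consumer's own database, so on a partially replicated consumer the URL's base DN has to lie inside the subtree that consumer actually holds, otherwise the search matches nothing and memberOf is silently absent. The script parses the RFC 4516 LDAP URL from the thread, compares its base DN with a consumer suffix, and rewrites the base to the suffix when the original base is an ancestor of it. The partial consumer suffix `ou=xyz,dc=department,dc=organization,dc=X,dc=X` is an assumption (the thread only shows `ou=xyz,dc=department,dc=organization,....`), and DN handling is simplified (case-insensitive comparison, no RFC 4514 escaping).

```python
"""Check whether a dynlist labeledURI can resolve on a given consumer.

Added example for this thread, not code from the posts or from OpenLDAP.
DN handling is simplified: attribute types and values are compared
case-insensitively and RFC 4514 escaping is not supported.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class LdapUrl:
    host: str
    base_dn: str
    attrs: list
    scope: str
    filter: str
    extensions: str

    def render(self) -> str:
        # Re-assemble in RFC 4516 form (values are emitted as stored, unencoded).
        ext = "?" + self.extensions if self.extensions else ""
        return "ldap://{}/{}?{}?{}?{}{}".format(
            self.host, self.base_dn, ",".join(self.attrs),
            self.scope, self.filter, ext)


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse ldap://host/dn?attrs?scope?filter?extensions (RFC 4516)."""
    scheme, sep, rest = url.partition("://")
    if scheme.lower() != "ldap" or not sep:
        raise ValueError("expected an ldap:// URL")
    host, _, path = rest.partition("/")
    parts = path.split("?", 4)
    parts += [""] * (5 - len(parts))          # pad missing components
    base_dn, attrs, scope, filt, ext = (unquote(p) for p in parts)
    scope = scope.lower() or "base"           # RFC 4516 default scope
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return LdapUrl(host, base_dn, [a for a in attrs.split(",") if a],
                   scope, filt or "(objectClass=*)", ext)


def normalize_dn(dn: str) -> tuple:
    """Simplified normalisation: tuple of (type, value), both lower-cased."""
    if not dn.strip():
        return ()                              # empty DN = root of everything
    rdns = []
    for rdn in dn.split(","):
        attr, eq, val = rdn.strip().partition("=")
        if not eq:
            raise ValueError(f"malformed RDN {rdn!r}")
        rdns.append((attr.strip().lower(), val.strip().lower()))
    return tuple(rdns)


def dn_within(dn: str, ancestor: str) -> bool:
    """True if dn equals ancestor or lies below it."""
    d, a = normalize_dn(dn), normalize_dn(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a


def fit_uri_to_consumer(labeled_uri: str, consumer_suffix: str) -> tuple:
    """Return (status, uri).

    "ok":       the URL already searches inside the consumer's suffix.
    "narrowed": its base was an ancestor of the suffix and has been rewritten
                to the suffix, which is the correction made in the thread.
    "disjoint": no local search could ever match; URI returned unchanged.
    """
    url = parse_ldap_url(labeled_uri)
    if dn_within(url.base_dn, consumer_suffix):
        return "ok", labeled_uri
    if dn_within(consumer_suffix, url.base_dn):
        url.base_dn = consumer_suffix
        return "narrowed", url.render()
    return "disjoint", labeled_uri


# Constructed sample values in the shape used in the thread.
LABELED_URI = ("ldap:///dc=department,dc=organization,dc=X,dc=X??sub?"
               "(&(objectClass=groupOfNames)(member=uid=XXXX,ou=account,ou=X,"
               "dc=department,dc=organization,dc=X,dc=X))")
FULL_CONSUMER_SUFFIX = "dc=department,dc=organization,dc=X,dc=X"
# Assumed suffix of the partial consumer; the thread only shows "ou=xyz,dc=department,...".
PARTIAL_CONSUMER_SUFFIX = "ou=xyz,dc=department,dc=organization,dc=X,dc=X"

if __name__ == "__main__":
    for suffix in (FULL_CONSUMER_SUFFIX, PARTIAL_CONSUMER_SUFFIX):
        status, uri = fit_uri_to_consumer(LABELED_URI, suffix)
        print(f"{suffix}: {status}\n  {uri}")
```

Running it reports "ok" for the fully replicated suffix and "narrowed" for the partial one, emitting the URI with the base replaced. The check is worth running against every consumer before relying on memberOf there: a consumer that quietly returns no memberOf will make any application that authorizes on that attribute behave differently from its peers, without producing an error on either side.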
openldap-technical@openldap.org