I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it.
It appears that subtree renames and the memberOf plugin are not handled correctly. That is:
I create cn=ldaptestuser4,cn=ldaptestcontainer,DC=samba,DC=example,DC=com
I add it to a group:
dn: cn=ldaptestgroup2,cn=users,DC=samba,DC=example,DC=com
changetype: modify
add: member
member: cn=ldaptestuser4,cn=ldaptestcontainer,DC=samba,DC=example,DC=com
Then I rename the container CN=ldaptestcontainer,DC=samba,DC=example,DC=com into CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
However, when I search:
[abartlet@naomi source]$ bin/ldbsearch -H st/dc/private/sam.ldb "cn=ldaptestgroup2"
# record 1
dn: CN=ldaptestgroup2,CN=Users,DC=samba,DC=example,DC=com
member: cn=ldaptestuser,cn=useRs,dc=samba,dc=example,dc=com
member: cn=ldaptestcomputer,cn=computers,dc=samba,dc=example,dc=com
member: cn=ldaptestuser2,cn=users,dc=samba,dc=example,dc=com
member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com

[abartlet@naomi source]$ bin/ldbsearch -H st/dc/private/sam.ldb "cn=ldaptestuser4"
# record 1
dn: CN=ldaptestuser4,CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
cn: ldaptestuser4
memberOf: cn=ldaptestgroup2,cn=users,dc=samba,dc=example,dc=com
The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating.
Andrew Bartlett
Andrew Bartlett wrote:
I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it.
[snip]
The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating.
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it. I believe at the time it was implemented, this was not possible (in back-hdb), or not feasible (given the impossibility to search portions of a DN-valued attribute): slapo-memberof(5) was added to OpenLDAP sources August 2007, but initially implemented for OpenLDAP 2.2.
I think this change should be relatively easy right now, as a DN-valued attribute can be searched with the dnSubtreeMatch rule to detect whether any member/memberOf values need to be modified.
Please submit an ITS...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
Pierangelo Masarati wrote:
Andrew Bartlett wrote:
I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it.
[snip]
The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating.
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it.
Would deploying slapo-refint be of help here?
Ciao, Michael.
Michael Ströder wrote:
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it.
Would deploying slapo-refint be of help here?
Could be. Did you try, by chance?
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
Pierangelo Masarati wrote:
Michael Ströder wrote:
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it.
Would deploying slapo-refint be of help here?
Could be. Did you try, by chance?
Hmm, does not work for me. Not sure about current state of HEAD and order of my overlay config. I also wonder about parameter memberof-refint.
Ciao, Michael.
------------------- snip -------------------
Excerpt of slapd.conf:

overlay memberof
memberof-refint true

# Referential integrity checking
overlay refint
refint_attributes member manager owner seeAlso roleOccupant
refint_nothing cn=dummy
Michael Ströder wrote:
Pierangelo Masarati wrote:
Michael Ströder wrote:
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it.
Would deploying slapo-refint be of help here?
Could be. Did you try, by chance?
Hmm, does not work for me. Not sure about current state of HEAD and order of my overlay config. I also wonder about parameter memberof-refint.
And even worse, if you remove the member from the group, the dangling reference DN in memberOf does not get removed. Even setting
memberof-dangling drop
in slapd.conf doesn't help.
Ciao, Michael.
Michael Ströder wrote:
Pierangelo Masarati wrote:
Michael Ströder wrote:
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it.
Would deploying slapo-refint be of help here?
Could be. Did you try, by chance?
Hmm, does not work for me. Not sure about current state of HEAD and order of my overlay config. I also wonder about parameter memberof-refint.
Ciao, Michael.
------------------- snip -------------------
Excerpt of slapd.conf:

overlay memberof
memberof-refint true

# Referential integrity checking
overlay refint
refint_attributes member manager owner seeAlso roleOccupant
refint_nothing cn=dummy
Probably you should have also listed "memberOf" among the refint attrs; however, that attr is operational, so it might be that slapo-refint does not set the appropriate flags to workaround no-user-mod attrs.
I'll give it a spin as well. In principle, referential integrity should be delegated to slapo-refint, but I fear slapo-memberof will need to reinvent the wheel...
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
Pierangelo Masarati wrote:
Michael Ströder wrote:
Pierangelo Masarati wrote:
Michael Ströder wrote:
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it.
Would deploying slapo-refint be of help here?
Could be. Did you try, by chance?
Hmm, does not work for me. Not sure about current state of HEAD and order of my overlay config. I also wonder about parameter memberof-refint.
------------------- snip -------------------
Excerpt of slapd.conf:

overlay memberof
memberof-refint true

# Referential integrity checking
overlay refint
refint_attributes member manager owner seeAlso roleOccupant
refint_nothing cn=dummy
Probably you should have also listed "memberOf" among the refint attrs;
Ouch! It was late yesterday...
Yes, it works as expected with memberOf also being handled by slapo-refint. But now I really wonder how it scales if there are thousands of members in a group which is renamed.
Ciao, Michael.
Michael Ströder wrote:
Ouch! It was late yesterday...
Yes, it works as expected with memberOf also being handled by slapo-refint. But now I really wonder how it scales if there are thousands of members in a group which is renamed.
That's a totally different issue; in any case, I expect subtree renaming to be a __very__ exceptional case. If you want it quick, then better slapcat | sed | slapadd :)
Cheers, p.
Ing. Pierangelo Masarati OpenLDAP Core Team
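Three things from the thread are worth seeing in working code: the dnSubtreeMatch search over a DN-valued attribute that Pierangelo proposes earlier for spotting values hit by a subtree rename, the memberOf value that Michael reports staying behind after a member is removed, and the slapcat | sed | slapadd repair suggested just above. The Python below is an added example for this page, not code from the thread, OpenLDAP or Samba. It runs without a directory server on a constructed slapcat-style dump modelled on the ldbsearch output quoted at the top (the group still holds the pre-rename DN of ldaptestuser4; ldaptestuser2 is constructed as having been removed from the group while keeping its memberOf). dnSubtreeMatch is OpenLDAP's own matching rule; every function name here is mine. The DN handling (caseIgnore comparison per RDN, backslash-escaped commas) is deliberately simple and does not cover multi-valued RDNs or hex escapes, and base64-encoded values are reported rather than rewritten.

```python
"""Find and repair member/memberOf values left stale by a subtree rename.

Added example for this thread, not code from OpenLDAP, Samba or any poster.
It replays the scenario on a constructed slapcat-style dump: the
dnSubtreeMatch search Pierangelo suggests, the same audit done client-side
(plus Michael's memberOf-without-member case), and a slapcat | rewrite |
slapadd repair that, unlike blind sed, honours RDN boundaries and DN case.
"""
import re

OLD = 'cn=ldaptestcontainer,dc=samba,dc=example,dc=com'
NEW = 'cn=ldaptestcontainer2,dc=samba,dc=example,dc=com'

# Constructed from the thread's ldbsearch output: 'description' carries
# DN-looking text, and ldaptestuser2 kept memberOf after losing its member.
STALE_LDIF = """\
dn: cn=ldaptestgroup2,cn=Users,dc=samba,dc=example,dc=com
member: cn=ldaptestuser,cn=useRs,dc=samba,dc=example,dc=com
member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com

dn: cn=ldaptestuser4,cn=ldaptestcontainer2,dc=samba,dc=example,dc=com
description: moved out of cn=ldaptestcontainer,dc=samba,dc=example,dc=com
memberOf: cn=ldaptestgroup2,cn=users,dc=samba,dc=example,dc=com

dn: cn=ldaptestuser2,cn=users,dc=samba,dc=example,dc=com
memberOf: cn=ldaptestgroup2,cn=users,dc=samba,dc=example,dc=com
"""

_RDN_SEP = re.compile(r'(?<!\\),')  # commas that are not backslash-escaped

def dn_components(dn):
    """RDNs as (type, value) tuples, lower-cased for caseIgnore comparison."""
    return [tuple(p.strip().lower() for p in rdn.partition('=')[::2])
            for rdn in _RDN_SEP.split(dn)]

def dn_is_under(dn, base):
    """dnSubtreeMatch semantics: dn is base itself or lies beneath it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def rename_under(dn, old_base, new_base):
    """Re-parent dn from old_base to new_base; other DNs come back unchanged."""
    if not dn_is_under(dn, old_base):
        return dn
    keep = len(dn_components(dn)) - len(dn_components(old_base))
    return ','.join([r.strip() for r in _RDN_SEP.split(dn)[:keep]] + [new_base])

def subtree_filter(attr, base):
    """RFC 4515 extensible-match filter on OpenLDAP's dnSubtreeMatch rule."""
    for ch, code in (('\\', '5c'), ('*', '2a'), ('(', '28'), (')', '29')):
        base = base.replace(ch, '\\' + code)
    return f'({attr}:dnSubtreeMatch:={base})'

def unfold(text):
    """Undo LDIF line folding (a newline followed by one space)."""
    return re.sub(r'\r?\n ', '', text).splitlines()

def parse_ldif(text):
    """Entries as (dn, [(attr, value)]), attrs lower-cased; base64 ('::')
    values are skipped, so review those by hand before trusting the audit."""
    entries, cur = [], None
    for line in unfold(text) + ['']:
        name, sep, value = line.partition(':')
        if not line and cur:
            entries.append(cur)
            cur = None
        elif not sep or value.startswith(':'):
            continue
        elif name.lower() == 'dn':
            cur = (value.strip(), [])
        elif cur:
            cur[1].append((name.lower(), value.strip()))
    return entries

def stale_references(text, dn_attrs, old_base):
    """Client-side twin of subtree_filter(): values still at or under old_base."""
    want = {a.lower() for a in dn_attrs}
    return [(dn, a, v) for dn, attrs in parse_ldif(text)
            for a, v in attrs if a in want and dn_is_under(v, old_base)]

def dangling_memberof(text):
    """(entry, group) pairs whose memberOf has no matching member on the group;
    anything authorising on memberOf alone would still honour them."""
    entries = parse_ldif(text)
    members = {tuple(dn_components(dn)): [v for a, v in attrs if a == 'member']
               for dn, attrs in entries}
    return [(dn, g) for dn, attrs in entries for a, g in attrs if a == 'memberof'
            and not any(dn_components(dn) == dn_components(m)
                        for m in members.get(tuple(dn_components(g)), []))]

def rewrite_ldif(text, dn_attrs, old_base, new_base):
    """Rewrite 'dn:' and the listed DN-valued attributes under old_base for
    slapadd; other lines pass through, base64 values are returned as skipped."""
    want = {'dn', *(a.lower() for a in dn_attrs)}
    out, skipped = [], []
    for line in unfold(text):
        name, sep, value = line.partition(':')
        if sep and name.lower() in want:
            if value.startswith(':'):
                skipped.append(line)
            else:
                line = f'{name}: {rename_under(value.strip(), old_base, new_base)}'
        out.append(line)
    return '\n'.join(out) + '\n', skipped
```

Offline, feed rewrite_ldif() the output of slapcat -l, check that nothing came back as skipped, and slapadd the result on a stopped slapd with a backup in hand; stale_references() over the same dump is the check that subtree_filter() would do live, i.e. an ldapsearch with the filter (member:dnSubtreeMatch:=cn=ldaptestcontainer,dc=samba,dc=example,dc=com). Note that the sample's description value survives untouched, which a sed over the whole dump would have mangled, and that dangling_memberof() flags ldaptestuser4 before the rewrite and only ldaptestuser2 after it. A stale member value is not just a lost membership: the DN it names is now unoccupied, and an entry later created at that DN would match the group, so the audit is worth running after any container move even with slapo-refint configured.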
On Sun, 2008-01-13 at 11:43 +0100, Michael Ströder wrote:
Pierangelo Masarati wrote:
Michael Ströder wrote:
Pierangelo Masarati wrote:
Michael Ströder wrote:
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it.
Would deploying slapo-refint be of help here?
Could be. Did you try, by chance?
Hmm, does not work for me. Not sure about current state of HEAD and order of my overlay config. I also wonder about parameter memberof-refint.
------------------- snip -------------------
Excerpt of slapd.conf:

overlay memberof
memberof-refint true

# Referential integrity checking
overlay refint
refint_attributes member manager owner seeAlso roleOccupant
refint_nothing cn=dummy
Probably you should have also listed "memberOf" among the refint attrs;
Ouch! It was late yesterday...
Yes, it works as expected with memberOf also being handled by slapo-refint. But now I really wonder how it scales if there are thousands of members in a group which is renamed.
I can't seem to make it work for me, with the config file as attached. I'm doing the subtree rename of CN=ldaptestcontainer,DC=samba,DC=example,DC=com to CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
But I still see:

# record 55
dn: CN=ldaptestgroup2,CN=Users,DC=samba,DC=example,DC=com
member: cn=ldaptestuser,cn=useRs,dc=samba,dc=example,dc=com
member: cn=ldaptestcomputer,cn=computers,dc=samba,dc=example,dc=com
member: cn=ldaptestuser2,cn=users,dc=samba,dc=example,dc=com
*** member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com
slapd.conf and memberof.conf are attached.
Andrew Bartlett
Andrew Bartlett wrote:
overlay memberof
memberof-refint true

# Referential integrity checking
overlay refint
refint_attributes member manager owner seeAlso roleOccupant
refint_nothing cn=dummy
Probably you should have also listed "memberOf" among the refint attrs;
Ouch! It was late yesterday...
Yes, it works as expected with memberOf also being handled by slapo-refint. But now I really wonder how it scales if there are thousands of members in a group which is renamed.
I can't seem to make it work for me, with the config file as attached. I'm doing the subtree rename of CN=ldaptestcontainer,DC=samba,DC=example,DC=com to CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
You need to add "memberOf" in the "refint_attributes" list, as indicated above.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
On Tue, 2008-01-15 at 09:43 +0100, Pierangelo Masarati wrote:
Andrew Bartlett wrote:
overlay memberof
memberof-refint true

# Referential integrity checking
overlay refint
refint_attributes member manager owner seeAlso roleOccupant
refint_nothing cn=dummy
Probably you should have also listed "memberOf" among the refint attrs;
Ouch! It was late yesterday...
Yes, it works as expected with memberOf also being handled by slapo-refint. But now I really wonder how it scales if there are thousands of members in a group which is renamed.
I can't seem to make it work for me, with the config file as attached. I'm doing the subtree rename of CN=ldaptestcontainer,DC=samba,DC=example,DC=com to CN=ldaptestcontainer2,DC=samba,DC=example,DC=com
You need to add "memberOf" in the "refint_attributes" list, as indicated above.
I've done that, but don't see a difference. Indeed, in this case I was moving the user (pointed at by member), so memberOf would not change (I wanted to see the member attribute update in the group, when I moved the user).
Andrew Bartlett
Andrew Bartlett wrote:
On Tue, 2008-01-15 at 09:43 +0100, Pierangelo Masarati wrote:
You need to add "memberOf" in the "refint_attributes" list, as indicated above.
I've done that, but don't see a difference.
It works for me. Note that the order of the overlay configuration in slapd.conf is significant. From my slapd.conf:
overlay memberof
memberof-refint true
memberof-dangling drop

# Referential integrity checking
overlay refint
refint_attributes member memberOf manager owner seeAlso roleOccupant
refint_nothing cn=dummy
Ciao, Michael.
On Fri, 2008-01-11 at 17:51 +0100, Pierangelo Masarati wrote:
Andrew Bartlett wrote:
I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it.
[snip]
The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating.
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it. I believe at the time it was implemented, this was not possible (in back-hdb), or not feasible (given the impossibility to search portions of a DN-valued attribute): slapo-memberof(5) was added to OpenLDAP sources August 2007, but initially implemented for OpenLDAP 2.2.
I think this change should be relatively easy right now, as a DN-valued attribute can be searched with the dnSubtreeMatch rule to detect whether any member/memberOf values need to be modified.
Please submit an ITS...
I've tried to, but I just get:
OpenLDAP
The system encountered a fatal error
After command: MAIL FROM: abartlet@samba.org
Received: 451 4.1.8 Domain of sender address abartlet@samba.org does not resolve
Andrew Bartlett
Andrew Bartlett wrote:
On Fri, 2008-01-11 at 17:51 +0100, Pierangelo Masarati wrote:
Andrew Bartlett wrote:
I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it.
[snip]
The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating.
Yes, slapo-memberof(5) does not consider the possibility of a subtree rename, and thus takes no care of it. I believe at the time it was implemented, this was not possible (in back-hdb), or not feasible (given the impossibility to search portions of a DN-valued attribute): slapo-memberof(5) was added to OpenLDAP sources August 2007, but initially implemented for OpenLDAP 2.2.
I think this change should be relatively easy right now, as a DN-valued attribute can be searched with the dnSubtreeMatch rule to detect whether any member/memberOf values need to be modified.
Please submit an ITS...
I've tried to, but I just get:
OpenLDAP
The system encountered a fatal error
After command: MAIL FROM: abartlet@samba.org
Received: 451 4.1.8 Domain of sender address abartlet@samba.org does not resolve
Aside from that problem, it appears that by stacking slapo-memberof and slapo-refint you should get the desired effect. I think this needs quite a bit of testing, in case of unexpected cross-effects.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
openldap-technical@openldap.org