Hi,
short question first: Is overlay memberOf supposed to work with glued databases in any direction?
I tried with 2.4.28 and get the following results:
slapd.conf with two databases
1. step ------- This is simple. memberOf overlay only in one database, ou=groups,ou=foo,ou=bar (subordinate).
    database hdb
    suffix ou=groups,ou=foo,ou=bar
    subordinate
    ...
    overlay memberof
    memberof-group-oc groupOfNames
    memberof-member-ad member
    memberof-memberof-ad memberof

    database bdb
    suffix ou=bar
    ...
- created one inetOrgPerson object employeenumber=11,ou=groups,ou=foo,ou=bar
- created one group ou=2,ou=groups,ou=foo,ou=bar with member: employeenumber=11,ou=groups,ou=foo,ou=bar
=> memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and unset just fine.
=> no modifications in the superior database ou=bar
2. step ------- overlay loaded in both databases
    database hdb
    suffix ou=groups,ou=foo,ou=bar
    subordinate
    ...
    overlay memberof
    memberof-group-oc groupOfNames
    memberof-member-ad member
    memberof-memberof-ad memberof

    database bdb
    suffix ou=bar
    ...
    overlay memberof
    memberof-group-oc groupOfNames
    memberof-member-ad member
    memberof-memberof-ad memberof
=> modifications in the subordinate database work as in step 1.
- created one inetOrgPerson object employeenumber=1,ou=bar
- created one group ou=1,ou=bar with member: employeenumber=1,ou=bar
=> memberOf in employeenumber=1,ou=bar is set and unset just fine. memberOf is working in the superior database.
- setting group ou=1,ou=bar member: employeenumber=11,ou=groups,ou=foo,ou=bar
=> memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and unset just fine. Changes in groups of superior databases work in subordinate databases!
- setting group ou=2,ou=groups,ou=foo,ou=bar member: employeenumber=1,ou=bar
=> does _not_ work:
    memberof_value_modify DN="employeenumber=1,ou=bar" add memberOf ="ou=2,ou=groups,ou=foo,ou=bar" failed err=32
Changes in groups of subordinate databases do not work in the superior database!
3. step ------- setting "overlay glue" explicitly and removing overlay memberof from the subordinate database:
    database hdb
    suffix ou=groups,ou=foo,ou=bar
    subordinate
    ...

    database bdb
    suffix ou=bar
    ...
    overlay memberof
    memberof-group-oc groupOfNames
    memberof-member-ad member
    memberof-memberof-ad memberof
    overlay glue
=> changes in the subordinate database are _not_ managed by the overlay.
=> changes in groups of superior databases work in subordinate databases and in the superior database!
3. step II ---------- if glue is located in slapd.conf before memberof (which is IMHO wrong) and a MOD on member in a group in the subordinate database is sent, slapd segfaults!
4. step ------- setting "overlay glue" explicitly and overlay memberof in both databases:
    database hdb
    suffix ou=groups,ou=foo,ou=bar
    subordinate
    ...
    overlay memberof
    memberof-group-oc groupOfNames
    memberof-member-ad member
    memberof-memberof-ad memberof

    database bdb
    suffix ou=bar
    ...
    overlay memberof
    memberof-group-oc groupOfNames
    memberof-member-ad member
    memberof-memberof-ad memberof
    overlay glue
=> like 2. step
So the best I get is:
- memberOf works in the database where it is set
- memberOf works for group changes in the superior database on members in subordinate databases
- memberOf does not work for group changes in subordinate databases on members in the superior database.
Is this the way it is supposed to work?
What I really wanted to achieve is to get memberOf to work between databases (under glue) at the same level (like ou=1,ou=foo and ou=2,ou=foo, both subordinate to ou=foo). But since my tests above did not succeed, I did not try it.
Marc
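Added example, not code from the post or from OpenLDAP: a memberOf consistency audit in Python. It derives the memberOf values each entry should carry from the groups' member attributes, diffs that against the stored values, and routes every DN to its glued database by longest suffix, so a missing value whose repair would have to be written into a different database than the one holding the group (the err=32 case in step 2) is flagged as such. The entries, object classes and stored attribute values are constructed from the DNs in the post; the DN normalisation is a deliberately loose approximation of RFC 4514 matching and handles neither escaped commas nor multi-valued RDNs.

```python
"""memberOf consistency audit for a glued DIT (constructed example)."""
from typing import Dict, List, Set

# Suffixes of the two glued databases from the post; routing picks the
# longest matching suffix, the same way slapd selects a backend.
DATABASES = ["ou=groups,ou=foo,ou=bar", "ou=bar"]


def normalize_dn(dn: str) -> str:
    """Loose RFC 4514 normalisation for comparing DNs: strip whitespace around
    '=' and ',', lowercase attribute types and case-ignore values.
    Deliberately simple: escaped commas and multi-valued RDNs are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def owning_database(dn: str) -> str:
    """The glued database holding dn: longest matching suffix wins.
    Raises KeyError for a DN outside every configured suffix."""
    ndn = normalize_dn(dn)
    matches = [s for s in DATABASES
               if ndn == normalize_dn(s) or ndn.endswith("," + normalize_dn(s))]
    if not matches:
        raise KeyError(f"no database for {dn}")
    return max(matches, key=lambda s: len(normalize_dn(s)))


def expected_memberof(entries: Dict[str, Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Derive the memberOf each entry *should* carry from the groups' member
    attribute. Keys and values are normalised DNs."""
    expected: Dict[str, Set[str]] = {normalize_dn(dn): set() for dn in entries}
    for dn, attrs in entries.items():
        classes = {oc.lower() for oc in attrs.get("objectClass", [])}
        if "groupofnames" not in classes:
            continue
        for member in attrs.get("member", []):
            target = normalize_dn(member)
            if target in expected:           # dangling members cannot carry memberOf
                expected[target].add(normalize_dn(dn))
    return expected


def audit_memberof(entries: Dict[str, Dict[str, List[str]]]) -> List[dict]:
    """Compare stored memberOf with the derived value. Each finding lists the
    missing and stale group DNs and which of them live in a different glued
    database than the member entry (a cross-database write for the overlay)."""
    findings = []
    expected = expected_memberof(entries)
    for dn, attrs in entries.items():
        ndn = normalize_dn(dn)
        actual = {normalize_dn(v) for v in attrs.get("memberOf", [])}
        missing = expected[ndn] - actual
        stale = actual - expected[ndn]
        if not (missing or stale):
            continue
        entry_db = owning_database(dn)
        cross = sorted(g for g in missing | stale if owning_database(g) != entry_db)
        findings.append({"dn": ndn, "database": entry_db,
                         "missing": sorted(missing), "stale": sorted(stale),
                         "cross_database_groups": cross})
    return findings


# Constructed entries reproducing the state after "2. step" in the post: both
# groups list both users, but the write into ou=bar from the subordinate
# database's group never happened. The sloppily spelled member DN is made up
# to show that the audit compares normalised DNs, not raw strings.
SAMPLE_ENTRIES = {
    "employeenumber=11,ou=groups,ou=foo,ou=bar": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["ou=2,ou=groups,ou=foo,ou=bar", "ou=1,ou=bar"]},
    "employeenumber=1,ou=bar": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["ou=1,ou=bar"]},                       # ou=2,... is missing
    "ou=1,ou=bar": {
        "objectClass": ["groupOfNames"],
        "member": ["employeenumber=1,ou=bar",
                   "employeeNumber=11, ou=groups, ou=foo, ou=bar"]},
    "ou=2,ou=groups,ou=foo,ou=bar": {
        "objectClass": ["groupOfNames"],
        "member": ["employeenumber=11,ou=groups,ou=foo,ou=bar",
                   "employeenumber=1,ou=bar"]},
}

if __name__ == "__main__":
    for finding in audit_memberof(SAMPLE_ENTRIES):
        print(finding)
```

Feed it the output of slapcat (parsed into the same dict shape) before relying on memberOf in ACLs or in an application's authorization decisions: a value the overlay could not write means a group change is silently invisible to every consumer of memberOf, while the group's member attribute, which slapd's own group ACLs and a Compare use, is still correct.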
Hi,
Marc Patermann wrote (16.01.2012 17:44):
short question first: Is overlay memberOf supposed to work with glued databases in any direction?
Hm, nobody?
Did I make a configuration error? Is it a bug? Is it worth a feature request? Will it never work that way?
Marc
Marc Patermann wrote:
Hi,
Marc Patermann wrote (16.01.2012 17:44):
short question first: Is overlay memberOf supposed to work with glued databases in any direction?
Hm, nobody?
Did I make a configuration error? Is it a bug? Is it worth a feature request? Will it never work that way?
Dunno. IMO most people using memberOf are misusing the data model anyway, so it's of little interest.
Howard,
Howard Chu wrote (19.01.2012 18:14):
Dunno. IMO most people using memberOf are misusing the data model anyway, so it's of little interest.
I would really appreciate it if you could take a look at my first mail about this and tell me whether it is something that could work that way.
Marc
Hello,
On 19-01-2012 15:14, Howard Chu wrote:
Dunno. IMO most people using memberOf are misusing the data model anyway, so it's of little interest.
Out of curiosity (and because I do try to avoid misusing the data model), why in your opinion memberOf represents a misuse?
Kind regards,
--
Felipe Augusto van de Wiel felipe.wiel@hpp.org.br
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/
T: +55 41 3310 1747
Felipe Augusto van de Wiel wrote:
Hello,
On 19-01-2012 15:14, Howard Chu wrote:
Dunno. IMO most people using memberOf are misusing the data model anyway, so it's of little interest.
Out of curiosity (and because I do try to avoid misusing the data model), why in your opinion memberOf represents a misuse?
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
On 20.01.2012 00:45, Howard Chu wrote:
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
I could see a 3rd use case: user management. When you administer the profile of a user, you simply query the LDAP entry of the user and you get all of his information, including the complete list of his groups (with a single LDAP request).
That's a use case, and I reckon that it can be achieved by performing one more LDAP request to look up the group membership of this particular user.
Sincerely, Mathieu.
Howard Chu wrote:
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
A 3rd case is to search all the members of a group and retrieve the members' other attributes (like 'mail') in one search request.
Ciao, Michael.
On 01/20/2012 06:49 AM, Mathieu MILLET wrote:
I could see a 3rd use case : User management. When you administer the profile of a user, you simply query the LDAP entry of the user and you get all of his information, including the complete list of his groups (with a single LDAP request).
That's a use case, and I reckon that it can be achieved by performing one more LDAP request to look up the group membership of this particular user.
    base: <suffix>
    scope: subordinate
    filter: (&(ou=groupOfNames)(member=<dn>))
    attrs: 1.1
does the trick.
Pierangelo Masarati wrote:
    base: <suffix>
    scope: subordinate
    filter: (&(ou=groupOfNames)(member=<dn>))
Shouldn't this be (&(objectClass=groupOfNames)(member=<dn>))?
Ciao, Michael.
On 01/20/2012 12:19 PM, Michael Ströder wrote:
    base: <suffix>
    scope: subordinate
    filter: (&(ou=groupOfNames)(member=<dn>))
Shouldn't this be (&(objectClass=groupOfNames)(member=<dn>))?
Yes, thanks.
p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Hello Howard,
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
Ok, but:
Let's say that I want to grant access to an application only for users of a specific group: what would be the filter to use?
Another way to ask that is: what is the trick to retrieve posixAccount (or inetOrgPerson) objects that are members of a specific posixGroup (or groupOfNames)?
Aka: if posixGroup gogo is like this
    # gogo, group, toto.fr
    dn: cn=gogo,ou=group,dc=toto,dc=fr
    objectClass: posixGroup
    gidNumber: 17000
    cn: gogo
    memberUid: gui
    memberUid: lev
What is the filter to retrieve exactly this:
    # gui, staff, people, toto.fr
    dn: uid=gui,ou=staff,ou=people,dc=gui,dc=fr
    cn: gui lou
    givenName: Gui
    homeDirectory: /home/gui
    loginShell: /bin/tcsh
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    sn: Gui
    uid: gui
    uidNumber: 1041
    userPassword:: e1AZE4N1k=
    gidNumber: 18004

    # lev, staff, people, toto.fr
    dn: uid=lev,ou=staff,ou=people,dc=toto,dc=fr
    cn: Lev Luv
    givenName: Lev
    homeDirectory: /home/lev
    loginShell: /bin/bash
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    sn: Lev
    uid: lev
    uidNumber: 1041
    userPassword:: eFjQVNCZEZzN1k=
    gidNumber: 18004
Olivier wrote:
Hello Howard,
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
Ok, but:
Let's say that I want to grant access to an application only for users of a specific group: what would be the filter to use?
There is no filter. You simply set a slapd ACL granting access to the group. Read the slapd.access(5) manpage, or the Admin Guide, or the FAQ.
Another way to ask that is: what is the trick to retrieve posixAccount (or inetOrgPerson) objects that are members of a specific posixGroup (or groupOfNames)?
I don't see why any application needs to do this.
On 1 March 2012 at 18:47, Howard Chu hyc@symas.com wrote:
Olivier wrote:
Hello Howard,
There are two common operations on a group: list all the members, and see if user X is a member of a group. For the first case, just retrieve the group entry and look at its member attribute. For the second case, just do a Compare on the group and test the member attribute against the user's DN.
Ok, but:
Let's say that I want to grant access to an application only for users of a specific group: what would be the filter to use?
There is no filter. You simply set a slapd ACL granting access to the group. Read the slapd.access(5) manpage, or the Admin Guide, or the FAQ.
Another way to ask that is: what is the trick to retrieve posixAccount (or inetOrgPerson) objects that are members of a specific posixGroup (or groupOfNames)?
I don't see why any application needs to do this.
This should be very useful for mailing list software.
--On Thursday, March 01, 2012 7:25 PM +0100 Frank Bonnet f.bonnet@esiee.fr wrote:
Another way to ask that is: what is the trick to retrieve posixAccount (or inetOrgPerson) objects that are members of a specific posixGroup (or groupOfNames)?
I don't see why any application needs to do this.
This should be very useful for a mailing list software
Postfix has built in handling of group membership expansion -- I.e., it is done on the client side, not the server side. I.e., not a slapd thing.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
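Added example serving three passages of this thread: the groups-of-a-user search Pierangelo gave (with Michael's objectClass correction), Olivier's question about fetching the account entries behind a posixGroup, and Quanah's point that such expansion is a client-side job. It is not code from the thread, from OpenLDAP or from Postfix. Both filters are built with RFC 4515 escaping, so a DN or memberUid value taken from the directory (or typed by a user) cannot change the shape of the filter; a small evaluator for the filter subset used here runs the filters against constructed entries modelled on Olivier's LDIF, which makes the effect of skipping the escaping visible without a server. The entry DNs, the extra root account and the hostile memberUid value are made up for the demonstration.

```python
"""Client-side group membership queries with RFC 4515 escaping (constructed example)."""
import re
from typing import Dict, Iterable, List

Entry = Dict[str, List[str]]


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: the characters * ( ) \\ and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def groups_of_user_filter(user_dn: str) -> str:
    """Pierangelo's search with Michael's fix: every groupOfNames naming
    user_dn as a member. Ask for attrs 1.1 if only the group DNs matter."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"


def posix_members_filters(member_uids: Iterable[str], chunk: int = 100) -> List[str]:
    """Client-side expansion of a posixGroup (the approach Quanah describes
    for Postfix): one OR filter per chunk of memberUid values, each escaped."""
    uids = [u for u in member_uids if u]
    return ["(&(objectClass=posixAccount)(|"
            + "".join(f"(uid={escape_filter_value(u)})" for u in uids[i:i + chunk])
            + "))" for i in range(0, len(uids), chunk)]


def naive_posix_members_filter(member_uids: Iterable[str]) -> str:
    """The same expansion without escaping, kept only to show the failure."""
    return "(&(objectClass=posixAccount)(|" + "".join(f"(uid={u})" for u in member_uids) + "))"


# Minimal evaluator: (&...), (|...), (!...) and (attr=value) with \XX escapes.
def _parse(f: str, i: int):
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] != ")":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    eq = f.index("=", i)
    end = f.index(")", eq)  # a literal ')' ends the assertion; an escaped one is \29
    return ("=", f[i:eq].lower(), f[eq + 1:end]), end + 1


def _unescape(piece: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _matches(node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, raw = node
    values = [v.lower() for v in entry.get(attr, [])]        # case-ignore matching
    pieces = [_unescape(p).lower() for p in raw.split("*")]  # a raw '*' is a wildcard
    if len(pieces) == 1:
        return pieces[0] in values
    return any(re.fullmatch(".*".join(re.escape(p) for p in pieces), v) for v in values)


def search(entries: Dict[str, Entry], filter_str: str) -> List[str]:
    """DNs of the entries matching filter_str (attribute names case-insensitive)."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, e in entries.items()
                  if _matches(node, {k.lower(): v for k, v in e.items()}))


# Constructed directory content modelled on the LDIF in the thread; the root
# account is added so a match-all filter has something extra to leak.
DIRECTORY: Dict[str, Entry] = {
    "uid=gui,ou=staff,ou=people,dc=toto,dc=fr": {"objectClass": ["posixAccount"], "uid": ["gui"]},
    "uid=lev,ou=staff,ou=people,dc=toto,dc=fr": {"objectClass": ["posixAccount"], "uid": ["lev"]},
    "uid=root,ou=admins,dc=toto,dc=fr": {"objectClass": ["posixAccount"], "uid": ["root"]},
    "cn=gogo,ou=group,dc=toto,dc=fr": {"objectClass": ["posixGroup"], "memberUid": ["gui", "lev"]},
    "cn=staff,ou=group,dc=toto,dc=fr": {"objectClass": ["groupOfNames"],
                                        "member": ["uid=gui,ou=staff,ou=people,dc=toto,dc=fr"]},
}
HOSTILE_UIDS = ["gui)(uid=*"]  # unescaped, this turns the OR into a match-all


def expand_posix_group(entries: Dict[str, Entry], group_dn: str) -> List[str]:
    """Read memberUid from the group, then fetch the matching accounts."""
    found: List[str] = []
    for flt in posix_members_filters(entries[group_dn].get("memberUid", [])):
        found.extend(search(entries, flt))
    return sorted(found)


if __name__ == "__main__":
    print(expand_posix_group(DIRECTORY, "cn=gogo,ou=group,dc=toto,dc=fr"))
    print(search(DIRECTORY, groups_of_user_filter("uid=gui,ou=staff,ou=people,dc=toto,dc=fr")))
    print("naive:  ", search(DIRECTORY, naive_posix_members_filter(HOSTILE_UIDS)))
    print("escaped:", search(DIRECTORY, posix_members_filters(HOSTILE_UIDS)[0]))
```

Against a real server the two searches are issued with ldapsearch or a client library; the evaluator above only stands in for slapd so the difference between the naive and the escaped expansion of the hostile value (three accounts returned versus none) can be checked offline. Chunking the OR filter keeps large groups below per-request size limits, and the `member` comparison here is a case-ignore string match, which is looser than the DN matching slapd applies to a DN-syntax attribute.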
On 03/01/2012 07:45 PM, Quanah Gibson-Mount wrote:
OK thanks for the info :-)