Hi!
It's easy to change the config of OpenLDAP 2.5 from "overlay memberof" to "overlay dynlist" and it just works. Nice. :-)
But the existing database then still contains the 'memberOf' attribute values.
Ideally one should reload the database. But if anything fails:
Does it do any harm if 'memberOf' attribute values are still present in the database but slapo-dynlist is supposed to compute 'memberOf' attribute values based on recently changed group membership?
At the end I will instruct the admins to reload databases especially to also save space. But it would be less operational stress if I could decouple the config change from the database re-load.
Ciao, Michael.
On 8/31/21 12:14, Michael Ströder wrote:
> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof" to "overlay dynlist" and it just works. Nice. :-)
> But the existing database then still contains the 'memberOf' attribute values.
> Ideally one should reload the database. But if anything fails:
> Does it do any harm if 'memberOf' attribute values are still present in the database but slapo-dynlist is supposed to compute 'memberOf' attribute values based on recently changed group membership?
> At the end I will instruct the admins to reload databases especially to also save space. But it would be less operational stress if I could decouple the config change from the database re-load.

Hmm, first test (with filter memberOf=<group-dn>) shows that the 'memberOf' attribute values persisted in the database are preferred and thus changed group membership will not be reflected in the dyn-list generated 'memberOf' attribute values.
So one must reload the database right after applying the config change. Otherwise search results will not be as expected.

Ciao, Michael.
Michael Ströder wrote:
> Hi!
> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof" to "overlay dynlist" and it just works. Nice. :-)
> But the existing database then still contains the 'memberOf' attribute values.
> Ideally one should reload the database. But if anything fails:
> Does it do any harm if 'memberOf' attribute values are still present in the database but slapo-dynlist is supposed to compute 'memberOf' attribute values based on recently changed group membership?

Old static values are left untouched. They will be present in search results, and so may go stale over time if not deleted. I suppose dynlist could be changed to just omit any existing static values, but that's not what it does at present.

> At the end I will instruct the admins to reload databases especially to also save space. But it would be less operational stress if I could decouple the config change from the database re-load.
> Ciao, Michael.
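Added example, not code from the thread or from OpenLDAP: a check over a slapcat export that lists static memberOf values left behind by slapo-memberof whose group no longer names the entry as a member, which is exactly what the search test above surfaced and what the database reload clears. The LDIF below is constructed sample input; the parser handles folded lines and `::` base64 values, and DNs are compared case-folded only.

```python
import base64
# Constructed slapcat-style export: cn=admins now lists only uid=alice, but
# uid=bob still carries the static memberOf value slapo-memberof wrote earlier.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=org

dn: uid=alice,ou=people,dc=example,dc=org
memberOf: cn=admins,ou=groups,dc=example,dc=org

dn: uid=bob,ou=people,dc=example,dc=org
memberOf: cn=admins,ou=groups,dc=example,dc=org
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif not raw.startswith("#"):     # skip LDIF comments
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = (base64.b64decode(value[1:].strip()).decode()
                 if value.startswith(":") else value.strip())
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def stale_memberof(ldif_text):
    """Map entry DN -> memberOf values whose group no longer lists the entry (DNs case-folded only)."""
    entries = parse_ldif(ldif_text)
    members = {dn.lower(): {m.lower() for m in attrs["member"]}
               for dn, attrs in entries if "member" in attrs}
    stale = {}
    for dn, attrs in entries:
        for group in attrs.get("memberof", []):
            if dn.lower() not in members.get(group.lower(), set()):
                stale.setdefault(dn, []).append(group)
    return stale
```

Feed it the output of `slapcat` for the affected database; an empty result after the reload confirms no static values survived.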
On 8/31/21 12:26, Howard Chu wrote:
> Michael Ströder wrote:
>> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof" to "overlay dynlist" and it just works. Nice. :-)
>> But the existing database then still contains the 'memberOf' attribute values.
>> Ideally one should reload the database. But if anything fails:
>> Does it do any harm if 'memberOf' attribute values are still present in the database but slapo-dynlist is supposed to compute 'memberOf' attribute values based on recently changed group membership?
>
> Old static values are left untouched. They will be present in search results, and so may go stale over time if not deleted. I suppose dynlist could be changed to just omit any existing static values, but that's not what it does at present.

Thanks for the clarification.

Another question in this context:
Will using the memberOf attribute in ACLs still work if slapo-dynlist computes the attribute values?

Ciao, Michael.