3:14 a.m.
HI!
It's easy to change the config of OpenLDAP 2.5 from "overlay memberof"
to "overlay dynlist" and it just works. Nice. :-)
But the existing database then still contains the 'memberOf' attribute
values.
Ideally one should reload the database. But if anything fails:
Does it do any harm if 'memberOf' attribute values are still present in
the database but slapo-dynlist is supposed to compute 'memberOf'
attribute values based on recently changed group membership?
At the end I will instruct the admins to reload databases especially to
also save space. But it would be less operational stress if I could
decouple the config change from the database re-load.
Ciao, Michael.
3:22 a.m.
On 8/31/21 12:14, Michael Ströder wrote:
It's easy to change the config of OpenLDAP 2.5 from "overlay
memberof"
to "overlay dynlist" and it just works. Nice. :-)
But the existing database then still contains the 'memberOf' attribute
values.
Ideally one should reload the database. But if anything fails:
Does it do any harm if 'memberOf' attribute values are still present in
the database but slapo-dynlist is supposed to compute 'memberOf'
attribute values based on recently changed group membership?
At the end I will instruct the admins to reload databases especially to
also save space. But it would be less operational stress if I could
decouple the config change from the database re-load.
Hmm, first test (with filter memberOf=<group-dn>) shows that the
'memberOf' attribute values persisted in the database are preferred and
thus changed group membership will not be reflected in the dyn-list
generated 'memberOf' attribute values.
So one must reload the database right after applying the config change.
Otherwise search results will not be as expected.
Ciao, Michael.
3:26 a.m.
Michael Ströder wrote:
HI!
It's easy to change the config of OpenLDAP 2.5 from "overlay memberof"
to "overlay dynlist" and it just works. Nice. :-)
But the existing database then still contains the 'memberOf' attribute
values.
Ideally one should reload the database. But if anything fails:
Does it do any harm if 'memberOf' attribute values are still present in
the database but slapo-dynlist is supposed to compute 'memberOf'
attribute values based on recently changed group membership?
Old static values are left untouched. They will be present in search results,
and so may go stale over time if not deleted. I suppose dynlist could be
changed to just omit any existing static values, but that's not what it
does at present.
At the end I will instruct the admins to reload databases especially
to
also save space. But it would be less operational stress if I could
decouple the config change from the database re-load.
Ciao, Michael.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:29 a.m.
On 8/31/21 12:26, Howard Chu wrote:
Michael Ströder wrote:
> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof"
> to "overlay dynlist" and it just works. Nice. :-)
>
> But the existing database then still contains the 'memberOf' attribute
> values.
>
> Ideally one should reload the database. But if anything fails:
>
> Does it do any harm if 'memberOf' attribute values are still present in
> the database but slapo-dynlist is supposed to compute 'memberOf'
> attribute values based on recently changed group membership?
Old static values are left untouched. They will be present in search results,
and so may go stale over time if not deleted. I suppose dynlist could be
changed to just omit any existing static values, but that's not what it
does at present.
Thanks for the clarification.
Another question in this context:
Will using memberOf attribute in ACLs still work if slapo-dynlist
computes the attribute values?
Ciao, Michael.
646
days inactive
646
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Howard Chu -
Michael Ströder