11:37 a.m.
Hi,
I want to have some kind of dn-based association between two custom
entries (e.g. account<--dn-->device). Therefore I use a combination of
the memberOf- and refint overlay (configuration inspired by test057).
I use a custom schema:
An auxiliary objectClass called "association". It has only one
may-attribute called "associate".
The custom 'memberOf'-Attribute is called "associationOf", which is a
may-attribute of the objectClass "myAccount" (derived from account):
OpenLDAP Version: git OPENLDAP_REL_ENG_2_4
#example.com.schema
#
attributeType ( 1.3.6.1.4.1.9999999.10.1.1 NAME 'associate'
DESC 'an associate' SUP distinguishedName )
attributeType ( 1.3.6.1.4.1.9999999.10.1.2 NAME 'associateOf'
DESC 'associate of' SUP distinguishedName )
objectClass ( 1.3.6.1.4.1.9999999.10.2.1 NAME 'association'
DESC 'association'
SUP top
AUXILIARY
MAY ( associate ) )
objectClass ( 1.3.6.1.4.1.9999999.10.2.2 NAME 'myAccount'
DESC 'my account'
SUP account
STRUCTURAL
MAY ( associateOf ) )
#slapd.conf
#
include /opt/slapd_example.com/etc/openldap/schema/core.schema
include /opt/slapd_example.com/etc/openldap/schema/cosine.schema
include /opt/slapd_example.com/etc/openldap/schema/ppolicy.schema
include /opt/slapd_example.com/etc/example.com.schema
pidfile /opt/slapd_example.com/var/run/slapd.pid
argsfile /opt/slapd_example.com/var/run/slapd.args
loglevel none
password-hash {CLEARTEXT}
attributeOptions lang-
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
database config
rootdn "cn=admin,dc=example,dc=com"
database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw "admin"
directory /opt/slapd_example.com/var/openldap-data
index objectClass,cn,ou,o,dc eq
add_content_acl on
overlay memberof
memberof-group-oc association
memberof-member-ad associate
memberof-memberof-ad associateOf
memberof-dangling ignore
memberof-refint FALSE
memberof-dn olcOverlay={1}memberof,olcDatabase={2}mdb,cn=config
overlay refint
refint_attributes associate associateOf
refint_nothing olcOverlay={0}refint,olcDatabase={2}mdb,cn=config
refint_modifiersname olcOverlay={0}refint,olcDatabase={2}mdb,cn=config
#After starting the server, first I add a custom account:
#
cat << EOF | ldapmodify -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin
dn: uid=myAccount,dc=example,dc=com
changetype: add
objectClass: top
objectClass: myAccount
uid: myAccount
EOF
#Then I add a naked device:
#
cat << EOF | ldapmodify -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin
dn: cn=device,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
cn: device
EOF
Now I try to associate them using a single modify operation (adding the
aux-objectClass association and the associate attribute).
This approach fails, that means: The operation passes without error, but
the account's associationOf attribute isn't added.
#This modify operation seems to be ignored by memberOf-overlay:
#
cat << EOF | ldapmodify -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin
dn: cn=device,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: association
-
add: associate
associate: uid=myAccount,dc=example,dc=com
-
EOF
#slapd-log (loglevel -1), see attached all-inclusive-modify.log
#Checking the results:
#
ldapsearch -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin -b "dc=example,dc=com" -s one
'(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: ALL
#
# device, example.com
dn: cn=device,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: association
cn: device
associate: uid=myAccount,dc=example,dc=com
# myAccount, example.com
dn: uid=myAccount,dc=example,dc=com
objectClass: top
objectClass: myAccount
uid: myAccount
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
The second approach (resetting the device and myAccount entry and split
the above modify operation into two operations works fine. Details see here:
#Splitting the previous modify operation into two works fine:
#
cat << EOF | ldapmodify -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin
dn: cn=device,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: association
EOF
cat << EOF | ldapmodify -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin
dn: cn=device,dc=example,dc=com
changetype: modify
add: associate
associate: uid=myAccount,dc=example,dc=com
EOF
#slapd-log (loglevel -1), see attached split-modify.log
#Checking the results:
#
ldapsearch -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin -b "dc=example,dc=com" -s one
'(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: ALL
#
# device, example.com
dn: cn=device,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: association
cn: device
associate: uid=myAccount,dc=example,dc=com
# myAccount, example.com
dn: uid=myAccount,dc=example,dc=com
objectClass: top
objectClass: myAccount
uid: myAccount
associateOf: cn=device,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Long story, short question:
Is this the intended behaviour? If not is it caused by a
misconfiguration or a bug?
Thank you very much for your help!
Best regards
Dora
8:15 a.m.
Dora,
Am 01.12.2015 um 20:37 Uhr schrieb Dora Paula:
#This modify operation seems to be ignored by memberOf-overlay:
#
cat << EOF | ldapmodify -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin
dn: cn=device,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: association
-
add: associate
associate: uid=myAccount,dc=example,dc=com
-
EOF
The second approach (resetting the device and myAccount entry and
split
the above modify operation into two operations works fine. Details see
here:
#Splitting the previous modify operation into two works fine:
#
cat << EOF | ldapmodify -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin
dn: cn=device,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: association
EOF
cat << EOF | ldapmodify -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin
dn: cn=device,dc=example,dc=com
changetype: modify
add: associate
associate: uid=myAccount,dc=example,dc=com
EOF
#slapd-log (loglevel -1), see attached split-modify.log
#Checking the results:
#
ldapsearch -x -H "ldap://localhost:2389/" -D
"cn=admin,dc=example,dc=com" -w admin -b "dc=example,dc=com" -s one
'(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: ALL
#
# device, example.com
dn: cn=device,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: association
cn: device
associate: uid=myAccount,dc=example,dc=com
# myAccount, example.com
dn: uid=myAccount,dc=example,dc=com
objectClass: top
objectClass: myAccount
uid: myAccount
associateOf: cn=device,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Long story, short question:
Is this the intended behaviour? If not is it caused by a
misconfiguration or a bug?
this is only a guess, maybe someone as a better
understanding of the
underlayings:
In your one shot operation the object is not analyzed by the overlay,
because it is just in the process of being an object with the observed
objectclass: memberof-group-oc association
This would explain, why your two shot approach is working as expected.
And since it does, I don't think you made an error.
Marc
2861
days inactive
2862
days old
openldap-technical@openldap.org
1 comments
2 participants
participants (2)
-
Dora Paula -
Marc Patermann