Hello list,
I have an openldap 2.4.49 (ubuntu 20.04 LTS) server pair running with syncrepl. I also have the memberof overlay activated and during a debug session found out that this is a no-go. I was debugging a problem where a user record that is in two groups only shows one memberOf attribute value, whereas other users show the expected number of memberOf values.
Now I'm looking into replacing the memberof overlay but it appears that for my use case there is no replacement at all.
dynlist seems made to create dynamic groups or lists respectively but everything in my DIT is a static group and static users. They are created by a commercial product and I am unable to add further specific URL attributes there when new entries are created.
I stumbled upon https://www.mail-archive.com/openldap-technical@openldap.org/msg26067.html via a Google search, but blindly copying the dynlist-attrset merely causes slapd to reply with "/etc/ldap/slapd.conf: line 149: "dynlist-attrset <oc> [uri] <URL-ad> [[<mapped-ad>:]<member-ad> ...]": unable to find AttributeDescription #0 "member+memberOf@groupOfNames"#012." on startup and stop immediately. I suppose it needs some schema extension, but which one I don't understand, and neither will I have a trigger objectClass unless I could just use inetOrgPerson as the trigger and have it work.
Is there a way to get back "synthetic" memberOf entries on static user records (which are inetOrgPerson) with static groups (which are groupOfNames) on openldap 2.4.49 without adding any special attributes to the users and/or groups themselves?
Kind regards,
René
--On Tuesday, May 10, 2022 5:57 PM +0200 René Gallati rene.gallati@ergon.ch wrote:
> Hello list,
> I have an openldap 2.4.49 (ubuntu 20.04 LTS) server pair running with syncrepl. I also have the memberof overlay activated and during a debug session found out that this is a no-go. I was debugging a problem where a user record that is in two groups only shows one memberOf attribute value, whereas other users show the expected number of memberOf values.
> Now I'm looking into replacing the memberof overlay but it appears that for my use case there is no replacement at all.
Hello,
OpenLDAP 2.4.49 is no longer supported nor does it have the functionality you are after. You need to upgrade to OpenLDAP 2.5 or later to make use of the updated version of dynlist.
If you are unable to package OpenLDAP 2.5 yourself, you may want to use the freely available packages from Symas or the LTB project.
Symas: https://repo.symas.com/soldap2.5/
LTB: https://ltb-project.org/download.html
Regards, Quanah
On 10.05.22 17:04, Quanah Gibson-Mount wrote:
> Hello,
> OpenLDAP 2.4.49 is no longer supported nor does it have the functionality you are after. You need to upgrade to OpenLDAP 2.5 or later to make use of the updated version of dynlist.
> If you are unable to package OpenLDAP 2.5 yourself, you may want to use the freely available packages from Symas or the LTB project.
> Symas: https://repo.symas.com/soldap2.5/
> LTB: https://ltb-project.org/download.html
> Regards, Quanah
Hello Quanah,
thanks for the quick reply. I am not married to that specific version it was just what came with Ubuntu 20.04LTS. But I see that 22.04LTS actually has 2.5.11 in its base repository. I'm going to see if upgrading / reinstalling on that os is the easier way for us. Luckily I have a dev environment to play around.
When on openldap 2.5, is the correct way to do it with the
"dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames"
syntax? I am a bit confused by the URL parameters which I don't have and cannot have but seem to be required.
Regards,
René
> Hello Quanah,
> thanks for the quick reply. I am not married to that specific version it was just what came with Ubuntu 20.04LTS. But I see that 22.04LTS actually has 2.5.11 in its base repository. I'm going to see if upgrading / reinstalling on that os is the easier way for us. Luckily I have a dev environment to play around.
> When on openldap 2.5, is the correct way to do it with the
> "dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames"
> syntax? I am a bit confused by the URL parameters which I don't have and cannot have but seem to be required.
You simply need to load the dyngroup schema that ships with OpenLDAP. You don't actually need to set groupOfURLs or memberURL in your group objects (although you could if you wanted to mix static+dynamic groups), it's only processed if present.
Regards, Quanah
On 10.05.22 17:27, Quanah Gibson-Mount wrote:
> You simply need to load the dyngroup schema that ships with OpenLDAP. You don't actually need to set groupOfURLs or memberURL in your group objects (although you could if you wanted to mix static+dynamic groups), it's only processed if present.
Hello Quanah,
just wanted to give feedback on this for future reference. I upgraded / reinstalled a system in the test environment with Ubuntu 22.04 which uses slapd 2.5.11+dfsg-1~exp1ubuntu3 which is very similar or probably the exact identical one also available on https://repo.symas.com/soldap2.5/
Using that and basically a configuration containing:
    include /etc/ldap/schema/dyngroup.schema
    ..
    moduleload dynlist.la
    ..
    overlay dynlist
    dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames
    ..
was sufficient to get it to automatically show memberOf attributes for the static groups in the static users.
So thanks for the information and help.
Kind regards,
René
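The same setup written out as an added example (it is not from the thread and not OpenLDAP's own documentation), in the cn=config form that the Ubuntu 22.04 slapd package uses by default, followed by a constructed user who is a member of two static groups, i.e. the case that showed only one memberOf value under the old memberof overlay. Assumed names: the data database is olcDatabase={1}mdb, the suffix is dc=example,dc=com, the module entry is cn=module{0}, and ou=people / ou=groups already exist; adjust them to your DIT.

```ldif
# Added example, not from the thread. Assumptions: Ubuntu 22.04 slapd 2.5.x
# default paths, data database olcDatabase={1}mdb, suffix dc=example,dc=com,
# module entry cn=module{0}.
#
# Step 0 (shell, not LDIF): load the dyngroup schema that ships with slapd.
# It defines groupOfURLs and memberURL, which is what the "unable to find
# AttributeDescription" startup error on 2.4.49 was complaining about.
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/dyngroup.ldif
#
# Step 1: apply the two records below as the config admin.
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f dynlist-memberof.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist

# Attrset layout: <dynamic-group-oc> <url-attr> <member-attr>+<memberOf-attr>@<static-group-oc>
# groupOfURLs / memberURL are only acted on if a group entry actually carries
# them; the "+memberOf@groupOfNames" part is what makes plain static
# groupOfNames entries produce memberOf on the entries they list in member.
dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames

# --- Step 2: constructed test data (separate file, loaded with the data
# admin DN, e.g. ldapadd -x -D cn=admin,dc=example,dc=com -W -f testdata.ldif).
# Nothing memberOf-related is stored in these entries: no memberURL on the
# groups, no memberOf on the user.

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: developers
member: uid=alice,ou=people,dc=example,dc=com
```

To check it, bind as an identity that may read the groups and request the attribute explicitly: `ldapsearch -x -H ldap://localhost -D <bind DN> -W -b uid=alice,ou=people,dc=example,dc=com -s base memberOf` should return both `memberOf: cn=admins,ou=groups,dc=example,dc=com` and `memberOf: cn=developers,ou=groups,dc=example,dc=com`. The values are computed by the overlay at search time and never written to the entry, which is also why nothing about them has to replicate between the syncrepl pair. Run the check with the bind DN your applications actually use rather than the rootdn: the overlay's lookups of the group entries are still subject to your ACLs, so an unprivileged bind can see a different set of memberOf values than the rootdn does.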
--On Tuesday, May 17, 2022 5:11 PM +0200 René Gallati rene.gallati@ergon.ch wrote:
> just wanted to give feedback on this for future reference. I upgraded / reinstalled a system in the test environment with Ubuntu 22.04 which uses slapd 2.5.11+dfsg-1~exp1ubuntu3 which is very similar or probably the exact identical one also available on https://repo.symas.com/soldap2.5/
It won't be for long; 2.5.12 was released and has a fix for dynlist:
Fixed slapo-dynlist dynamic group regression (ITS#9825)
Ubuntu & Debian won't pick that fix up, Symas will. Same for any other future bug fixes that aren't major CVEs.
--Quanah