Hi all,
I'm testing static group and dynamic group.
* Dynmaic group : is it possible to do reverse search in dynamic group ? I reead something about the "ismemberof" attribute and ds-virtual-static-group. But i'm not sure we can do it with openldap
* Static group seems to be fine for me. I have a newbie's question : can we have , for example, the mail attribute of all members of service Y in only one request ? I mean : make a request on service Y to have member's list and , in the same action , have the member's mail.
Thanks all.
Le 05/04/2019 à 10:36, Olivier - a écrit :
Hi all,
Hello,
I'm testing static group and dynamic group.
- Dynmaic group : is it possible to do reverse search in dynamic group ? I reead something about the "ismemberof" attribute and /ds-virtual-static-group/. But i'm not sure we can do it with openldap
Not with dynlist overlay, but you could try autogroup overlay with memberof overlay. The autogroup overlay will build static groups trough a memberUrl.
Static group seems to be fine for me. I have a newbie's question : can we have , for example, the mail attribute of all members of service Y in only one request ? I mean : make a request on service Y to have member's list and , in the same action , have the member's mail.
You could do it by using the "deref" search extended control.
On 05/04/2019 16:33, Clément OUDOT wrote:
Le 05/04/2019 à 10:36, Olivier - a écrit :
Hi all,
Hello,
I'm testing static group and dynamic group.
- Dynmaic group : is it possible to do reverse search in dynamic group ? I reead something about the "ismemberof" attribute and /ds-virtual-static-group/. But i'm not sure we can do it with openldap
Not with dynlist overlay, but you could try autogroup overlay with memberof overlay. The autogroup overlay will build static groups trough a memberUrl.
Static group seems to be fine for me. I have a newbie's question : can we have , for example, the mail attribute of all members of service Y in only one request ? I mean : make a request on service Y to have member's list and , in the same action , have the member's mail.
You could do it by using the "deref" search extended control.
-- Clément Oudot | Identity Solutions Manager
clement.oudot@worteks.com
Worteks |https://www.worteks.com
Hi,
I have implemented a setup like that ("autogroup" and "memberof" overlay, modified dynlist schema to include "member" attribute).
Everything is working, except for the memberOf attribute in combination with autogroup and a groupOfURLs.
E.g. I can list all the members of an autogroup fine if I search for the group, but if I request the memberOf for a certain uid, only the non-autogroup groups are returned.
According to the bits of documentation I could find, everything should be setup correctly, but the memberOf is never set for autogroups.
From #openldap I got the information that this should be working, theoretically, ... see this thread, which describes exactly my use case with the same problems surfacing:
http://www.openldap.org/lists/openldap-bugs/201407/msg00040.html
Any insights on this?
Best regards,
Martin
Le 05/04/2019 à 19:18, Martin Pittamitz a écrit :
On 05/04/2019 16:33, Clément OUDOT wrote:
Le 05/04/2019 à 10:36, Olivier - a écrit :
Hi all,
Hello,
I'm testing static group and dynamic group.
- Dynmaic group : is it possible to do reverse search in dynamic group ? I reead something about the "ismemberof" attribute and /ds-virtual-static-group/. But i'm not sure we can do it with openldap
Not with dynlist overlay, but you could try autogroup overlay with memberof overlay. The autogroup overlay will build static groups trough a memberUrl.
Static group seems to be fine for me. I have a newbie's question : can we have , for example, the mail attribute of all members of service Y in only one request ? I mean : make a request on service Y to have member's list and , in the same action , have the member's mail.
You could do it by using the "deref" search extended control.
-- Clément Oudot | Identity Solutions Manager
clement.oudot@worteks.com
Worteks | https://www.worteks.com
Hi,
I have implemented a setup like that ("autogroup" and "memberof" overlay, modified dynlist schema to include "member" attribute).
Everything is working, except for the memberOf attribute in combination with autogroup and a groupOfURLs.
E.g. I can list all the members of an autogroup fine if I search for the group, but if I request the memberOf for a certain uid, only the non-autogroup groups are returned.
According to the bits of documentation I could find, everything should be setup correctly, but the memberOf is never set for autogroups.
From #openldap I got the information that this should be working, theoretically, ... see this thread, which describes exactly my use case with the same problems surfacing:
http://www.openldap.org/lists/openldap-bugs/201407/msg00040.html
Any insights on this?
Hello,
it seems to work if you set memberOf overlay after autogroup overlay:
dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config objectClass: top objectClass: olcConfig objectClass: olcAutomaticGroups objectClass: olcOverlayConfig olcOverlay: {9}autogroup olcAGattrSet: {0}groupOfURLs memberURL member
dn: olcOverlay={10}memberof,olcDatabase={1}mdb,cn=config objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {10}memberof olcMemberOfGroupOC: groupOfURLs olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf
On 08/04/2019 10:19, Clément OUDOT wrote:
Hello,
it seems to work if you set memberOf overlay after autogroup overlay:
dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config objectClass: top objectClass: olcConfig objectClass: olcAutomaticGroups objectClass: olcOverlayConfig olcOverlay: {9}autogroup olcAGattrSet: {0}groupOfURLs memberURL member
dn: olcOverlay={10}memberof,olcDatabase={1}mdb,cn=config objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {10}memberof olcMemberOfGroupOC: groupOfURLs olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf
Hi,
thank you for your valuable feedback. I tried to modify the load order, sadly it didn't have any effect - groupOfURLs are not presented when searching for the memberOf attribute.
For lack of knowledge I have tried deleting and recreating both the groupOfURLs and the groupOfNames, but they don't show up in ldapsearch :-(
Regards Martin
Martin Pittamitz – Tue, 23. April 2019 17:40
On 08/04/2019 10:19, Clément OUDOT wrote:
olcMemberOfGroupOC: groupOfURLs
To clarify - this DOES work after all! Above quote was the important change for me, I had this set to "groupOfNames".
In combination with the correct order of overlays, it works as intended!
Thanks Clement and everyone else!
openldap-technical@openldap.org
-
Clément OUDOT -
Martin Pittamitz -
Olivier -