1:36 a.m.
Hi all,
I'm testing static group and dynamic group.
* Dynmaic group : is it possible to do reverse search in dynamic group ? I reead
something about the "ismemberof" attribute and ds-virtual-static-group. But
i'm not sure we can do it with openldap
* Static group seems to be fine for me. I have a newbie's question :
can we have , for example, the mail attribute of all members of service Y in only one
request ?
I mean : make a request on service Y to have member's list and , in the same action ,
have the member's mail.
Thanks all.
7:33 a.m.
Le 05/04/2019 à 10:36, Olivier - a écrit :
Hi all,
Hello,
I'm testing static group and dynamic group.
* Dynmaic group : is it possible to do reverse search in dynamic
group ? I reead something about the "ismemberof" attribute and
/ds-virtual-static-group/. But i'm not sure we can do it with openldap
Not with dynlist overlay, but you could try autogroup overlay with
memberof overlay. The autogroup overlay will build static groups trough
a memberUrl.
*
* Static group seems to be fine for me. I have a newbie's question :
can we have , for example, the mail attribute of all members of
service Y in only one request ?
I mean : make a request on service Y to have member's list and ,
in the same action , have the member's mail.
You could do it by using the "deref" search extended control.
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com
Worteks | https://www.worteks.com
10:18 a.m.
On 05/04/2019 16:33, Clément OUDOT wrote:
Le 05/04/2019 à 10:36, Olivier - a écrit :
> Hi all,
>
Hello,
> I'm testing static group and dynamic group.
>
> * Dynmaic group : is it possible to do reverse search in dynamic
> group ? I reead something about the "ismemberof" attribute and
> /ds-virtual-static-group/. But i'm not sure we can do it with
> openldap
>
Not with dynlist overlay, but you could try autogroup overlay with
memberof overlay. The autogroup overlay will build static groups
trough a memberUrl.
> *
>
>
>
>
> * Static group seems to be fine for me. I have a newbie's question :
> can we have , for example, the mail attribute of all members of
> service Y in only one request ?
> I mean : make a request on service Y to have member's list and ,
> in the same action , have the member's mail.
>
You could do it by using the "deref" search extended control.
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com
Worteks |https://www.worteks.com
Hi,
I have implemented a setup like that ("autogroup" and "memberof"
overlay, modified dynlist schema to include "member" attribute).
Everything is working, except for the memberOf attribute in combination
with autogroup and a groupOfURLs.
E.g. I can list all the members of an autogroup fine if I search for the
group, but if I request the memberOf for a certain uid, only the
non-autogroup groups are returned.
According to the bits of documentation I could find, everything should
be setup correctly, but the memberOf is never set for autogroups.
From #openldap I got the information that this should be working,
theoretically, ... see this thread, which describes exactly my use case
with the same problems surfacing:
http://www.openldap.org/lists/openldap-bugs/201407/msg00040.html
Any insights on this?
Best regards,
Martin
1:19 a.m.
Le 05/04/2019 à 19:18, Martin Pittamitz a écrit :
On 05/04/2019 16:33, Clément OUDOT wrote:
>
>
> Le 05/04/2019 à 10:36, Olivier - a écrit :
>> Hi all,
>>
>
> Hello,
>
>
>> I'm testing static group and dynamic group.
>>
>> * Dynmaic group : is it possible to do reverse search in dynamic
>> group ? I reead something about the "ismemberof" attribute and
>> /ds-virtual-static-group/. But i'm not sure we can do it with
>> openldap
>>
>
> Not with dynlist overlay, but you could try autogroup overlay with
> memberof overlay. The autogroup overlay will build static groups
> trough a memberUrl.
>
>
>
>> *
>>
>>
>>
>>
>> * Static group seems to be fine for me. I have a newbie's question :
>> can we have , for example, the mail attribute of all members of
>> service Y in only one request ?
>> I mean : make a request on service Y to have member's list and ,
>> in the same action , have the member's mail.
>>
>
> You could do it by using the "deref" search extended control.
>
>
>
> --
> Clément Oudot | Identity Solutions Manager
>
> clement.oudot(a)worteks.com
>
> Worteks | https://www.worteks.com
Hi,
I have implemented a setup like that ("autogroup" and "memberof"
overlay, modified dynlist schema to include "member" attribute).
Everything is working, except for the memberOf attribute in
combination with autogroup and a groupOfURLs.
E.g. I can list all the members of an autogroup fine if I search for
the group, but if I request the memberOf for a certain uid, only the
non-autogroup groups are returned.
According to the bits of documentation I could find, everything should
be setup correctly, but the memberOf is never set for autogroups.
From #openldap I got the information that this should be working,
theoretically, ... see this thread, which describes exactly my use
case with the same problems surfacing:
http://www.openldap.org/lists/openldap-bugs/201407/msg00040.html
Any insights on this?
Hello,
it seems to work if you set memberOf overlay after autogroup overlay:
dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
dn: olcOverlay={10}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {10}memberof
olcMemberOfGroupOC: groupOfURLs
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com
Worteks | https://www.worteks.com
7:44 a.m.
On 08/04/2019 10:19, Clément OUDOT wrote:
Hello,
it seems to work if you set memberOf overlay after autogroup overlay:
dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
dn: olcOverlay={10}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {10}memberof
olcMemberOfGroupOC: groupOfURLs
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
Hi,
thank you for your valuable feedback. I tried to modify the load order,
sadly it didn't have any effect - groupOfURLs are not presented when
searching for the memberOf attribute.
For lack of knowledge I have tried deleting and recreating both the
groupOfURLs and the groupOfNames, but they don't show up in ldapsearch :-(
Regards
Martin
5:24 a.m.
Martin Pittamitz – Tue, 23. April 2019 17:40
On 08/04/2019 10:19, Clément OUDOT wrote:
> olcMemberOfGroupOC: groupOfURLs
To clarify - this DOES work after all!
Above quote was the important change for me, I had this set to "groupOfNames".
In combination with the correct order of overlays, it works as intended!
Thanks Clement and everyone else!
1494
days inactive
1514
days old
openldap-technical@openldap.org
5 comments
3 participants
participants (3)
-
Clément OUDOT -
Martin Pittamitz -
Olivier -