List:       openldap-bugs
Subject:    [Issue 9402] Add support for LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
From:       openldap-its () openldap ! org
Date:       2020-11-23 11:01:39
Message-ID: bug-9402-2-VKvCgKxEIC () http ! bugs ! openldap ! org/

https://bugs.openldap.org/show_bug.cgi?id=9402

--- Comment #6 from Vincent Danjean <vdanjean.ml@free.fr> ---
(In reply to Howard Chu from comment #5)
> OpenLDAP 2.5 already supports nested groups using the dynlist overlay.
> Closing this ITS.

dynlist seems indeed a great feature. I would say that it seems to lack a bit
of documentation/examples, but, from what I read, it allows one to do powerful
things.
  With respect to nested groups, it is possible that, for reader LDAP clients
(i.e. most applications using LDAP for authentication), dynlist (and autogroup)
would be a good solution (I'm not sure that it will work with dynlist objects
referring to other dynlists, as the slapo-dynlist(5) manpage says "No recursion
is allowed, to avoid potential infinite loops." I will need to do tests).
  However, using this feature requires writer LDAP clients (at least
fusiondirectory in my case) to support this new feature (new attribute to
handle, different way to create groups, etc.) So less software to patch, but
still software to patch to support nested groups.

My point is just to say that dynlist/autogroup overlay and my initial request
are not the same things. That said, if dynlist allows one to create recursive
nested groups, I fully understand that you do not want to support an
alternative (that would probably be less efficient).

But, for my use case, as fusiondirectory does not (yet) support dynlist (it
should in the next version), I will write scripts that duplicate nested groups
in another LDAP branch by flattening them, so that reader LDAP clients that do
not support nested groups can be told to look into this alternative hierarchy.

Many thanks for your feedback and the pointers to dynlist/autogroup. I will
look at them with attention.

-- 
You are receiving this mail because:
You are on the CC list for the issue.
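
The flattening approach mentioned in the comment above can be sketched as follows. This is an added example, not code from the post or from OpenLDAP; the sample directory, the `ou=flatgroups` target branch and the function names are assumptions. It expands nested `member` values into a flat `groupOfNames` entry and tracks visited groups so that a membership cycle terminates instead of looping.

```python
# Constructed sample data: group DN -> values of its "member" attribute.
# A member value that is itself a key of GROUPS is a nested group.
P, G = "ou=people,dc=example,dc=org", "ou=groups,dc=example,dc=org"
GROUPS = {
    f"cn=admins,{G}": [f"uid=alice,{P}", f"cn=ops,{G}"],
    f"cn=ops,{G}": [f"uid=bob,{P}", f"cn=oncall,{G}"],
    f"cn=oncall,{G}": [f"uid=carol,{P}", f"cn=admins,{G}"],  # cycle to the top
}
FLAT_BASE = "ou=flatgroups,dc=example,dc=org"  # hypothetical target branch


def flatten(group_dn, groups):
    """Return the sorted non-group members reachable from group_dn."""
    # Simplified DN normalisation (lower-casing only); an assumption.
    index = {k.strip().lower(): v for k, v in groups.items()}
    seen, users, stack = set(), set(), [group_dn.strip().lower()]
    while stack:
        dn = stack.pop()
        if dn in seen:      # already expanded: this breaks membership cycles
            continue
        seen.add(dn)
        for member in (m.strip().lower() for m in index.get(dn, [])):
            if member in index:
                stack.append(member)    # nested group: expand it later
            else:
                users.add(member)       # leaf entry: keep it
    return sorted(users)


def to_ldif(group_dn, groups, flat_base=FLAT_BASE):
    """Render one flattened groupOfNames entry under flat_base as LDIF."""
    members = flatten(group_dn, groups)
    if not members:         # groupOfNames requires at least one member
        return ""
    rdn = group_dn.split(",", 1)[0]     # assumes no escaped comma in the RDN
    lines = [f"dn: {rdn},{flat_base}", "objectClass: groupOfNames",
             f"cn: {rdn.split('=', 1)[1]}"]
    lines += [f"member: {m}" for m in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dn in GROUPS:
        print(to_ldif(dn, GROUPS))
```

Because the flat branch is a copy, it has to be regenerated whenever the source groups change; a stale copy keeps granting access that was removed upstream.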