
List:       openldap-technical
Subject:    Re: olcLimits and groupOfURLs dynlist
From:       Norman Gray <gray () nxg ! name>
Date:       2024-02-07 20:30:27
Message-ID: F3330474-81CF-4DB1-AB72-976D4B50A288 () nxg ! name


Howard, hello.

On 7 Feb 2024, at 19:36, Howard Chu wrote:

> > If I then make a query which has a few results, I do not get this limit
> > imposed, and instead see in the logs
> > 
> > 65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
> > 65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
> 
> And those logs are correct, the group entry you specified has no member attribute.
> What it has is a memberURL attribute, and that's what you should have configured
> in your olcLimits statement.

Aha.  I had taken the description to refer to the synthesised 'member' attributes in the dynamically generated group.  Thanks for this.

On changing this, though, to

    olcLimits: group/groupOfURLs/memberURL="cn=ldap-operators,ou=groups,o=example" size=2

and making a query, I now see in the logs (with -d-1):

    65c3df21.21fa70c8 0x16cacf000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
    65c3df21.21fa97d8 0x16cacf000 => mdb_entry_get: ndn: "cn=ldap-operators,ou=groups,o=example"
    65c3df21.21fab718 0x16cacf000 => mdb_entry_get: oc: "groupOfURLs", at: "memberURL"
    65c3df21.21fb1ca8 0x16cacf000 mdb_dn2entry("cn=ldap-operators,ou=groups,o=example")
    65c3df21.21fb4b88 0x16cacf000 => mdb_dn2id("cn=ldap-operators,ou=groups,o=example")
    65c3df21.21fb8a08 0x16cacf000 <= mdb_dn2id: got id=0x2857
    65c3df21.21fbb8e8 0x16cacf000 => mdb_entry_decode:
    65c3df21.21fbd440 0x16cacf000 <= mdb_entry_decode
    65c3df21.21fbef98 0x16cacf000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
    65c3df21.21fc0ed8 0x16cacf000 mdb_entry_get: rc=0
    65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
    65c3df21.21fc7c38 0x16cacf000 => mdb_search
    65c3df21.21fcb6d0 0x16cacf000 mdb_dn2entry("o=example")
    65c3df21.21fcd9f8 0x16cacf000 => mdb_dn2id("o=example")
    65c3df21.21fcf938 0x16cacf000 <= mdb_dn2id: got id=0x1
    65c3df21.21fd1490 0x16cacf000 => mdb_entry_decode:
    65c3df21.21fd2fe8 0x16cacf000 <= mdb_entry_decode
    65c3df21.21fd4b40 0x16cacf000 => access_allowed: search access to "o=example" "entry" requested

There's no mention of 'limits' after this point in the log.

Thus it's finding the right entry and attribute, and parsing the URL
therein, but it's not clear what it's concluding.  When a search is
performed as a user who is included in the synthesised
cn=ldap-operators (confirmed by a search for that group), the query
results are not limited to 2 objects.

That 2-object limit is what I see in the corresponding configuration
when ldap-operators is a groupOfNames with explicit member attributes:

    65c3e6ae.1da1a5c8 0x16e80b000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
    65c3e6ae.1da1c8f0 0x16e80b000 => mdb_entry_get: ndn: "cn=ldap-operators,ou=groups,o=example"
    65c3e6ae.1da1e060 0x16e80b000 => mdb_entry_get: oc: "groupOfNames", at: "member"
    65c3e6ae.1da226b0 0x16e80b000 mdb_dn2entry("cn=ldap-operators,ou=groups,o=example")
    65c3e6ae.1da24dc0 0x16e80b000 => mdb_dn2id("cn=ldap-operators,ou=groups,o=example")
    65c3e6ae.1da28088 0x16e80b000 <= mdb_dn2id: got id=0x2857
    65c3e6ae.1da2ab80 0x16e80b000 => mdb_entry_decode:
    65c3e6ae.1da2c6d8 0x16e80b000 <= mdb_entry_decode
    65c3e6ae.1da2de48 0x16e80b000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
    65c3e6ae.1da2fd88 0x16e80b000 mdb_entry_get: rc=0
    65c3e6ae.1da31cc8 0x16e80b000 dnMatch 0
            "uid=norman,ou=staff,o=example"
            "uid=norman,ou=staff,o=example"
    65c3e6ae.1da33c08 0x16e80b000 <== limits_get: type=GROUP match=EXACT dn="cn=ldap-operators,ou=groups,o=example" oc="groupOfNames" ad="member"
    65c3e6ae.1da36700 0x16e80b000 => mdb_search
    65c3e6ae.1da3bcf0 0x16e80b000 mdb_dn2entry("o=example")
    65c3e6ae.1da3e018 0x16e80b000 => mdb_dn2id("o=example")
    65c3e6ae.1da3fb70 0x16e80b000 <= mdb_dn2id: got id=0x1
    65c3e6ae.1da41ab0 0x16e80b000 => mdb_entry_decode:
    65c3e6ae.1da43220 0x16e80b000 <= mdb_entry_decode
    65c3e6ae.1da44d78 0x16e80b000 => access_allowed: search access to "o=example" "entry" requested

(interestingly, the string 'limit' doesn't subsequently appear in this
-d-1 log, either)

So I'm afraid I'm still puzzled.

Norman




-- 
Norman Gray  :  https://nxg.me.uk
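An added example (not code from this thread or from OpenLDAP): a small parser for the `==> limits_get` / `<== limits_get` pair in slapd `-d -1` output, using the line formats quoted in the message, which reports per operation which objectClass/attribute the lookup probed and whether a matching rule was logged. It assumes, as the two logs above suggest, that a missing `<== limits_get` line means no olcLimits rule matched; the sample log is constructed from the two cases in the message, with made-up conn numbers so both fit in one log.

```python
import re

# Line shapes taken from the -d -1 output quoted in the message above.
LIMITS_OPEN = re.compile(r'==> limits_get: conn=(\d+) op=(\d+) self="([^"]*)"')
LIMITS_PROBE = re.compile(r'=> mdb_entry_get: oc: "([^"]*)", at: "([^"]*)"')
LIMITS_CLOSE = re.compile(r'<== limits_get: type=(\w+) match=(\w+)(?: dn="([^"]*)")?')

def limits_get_results(log_text):
    """Map (conn, op) -> how limits_get went for that operation.
    'type'/'match'/'dn' stay None when no '<== limits_get' line followed the
    '==> limits_get' line, i.e. no olcLimits rule matched the bind DN (assumed
    from the logs in the thread). 'probed' records the (objectClass, attribute)
    pairs the lookup tried.
    """
    results, current = {}, None
    for line in log_text.splitlines():
        m = LIMITS_OPEN.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            results[current] = {"self": m.group(3), "probed": [],
                                "type": None, "match": None, "dn": None}
            continue
        if current is None:
            continue
        m = LIMITS_PROBE.search(line)
        if m:
            results[current]["probed"].append((m.group(1), m.group(2)))
            continue
        m = LIMITS_CLOSE.search(line)
        if m:
            results[current].update(type=m.group(1), match=m.group(2), dn=m.group(3))
            current = None  # the closing line ends this operation's limits lookup
    return results

def unmatched_limits(log_text):
    """(conn, op) pairs whose limits lookup never reported a matching rule."""
    return [k for k, v in limits_get_results(log_text).items() if v["type"] is None]

# Constructed sample: the two cases from the message, condensed to the lines
# the parser needs; conn numbers are made up so both fit in one log.
SAMPLE_LOG = """\
65c3df21.21fa70c8 0x16cacf000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
65c3df21.21fab718 0x16cacf000 => mdb_entry_get: oc: "groupOfURLs", at: "memberURL"
65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
65c3df21.21fc7c38 0x16cacf000 => mdb_search
65c3e6ae.1da1a5c8 0x16e80b000 ==> limits_get: conn=1001 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
65c3e6ae.1da1e060 0x16e80b000 => mdb_entry_get: oc: "groupOfNames", at: "member"
65c3e6ae.1da33c08 0x16e80b000 <== limits_get: type=GROUP match=EXACT dn="cn=ldap-operators,ou=groups,o=example" oc="groupOfNames" ad="member"
65c3e6ae.1da36700 0x16e80b000 => mdb_search
"""
```

Running `unmatched_limits(open("slapd.log").read())` over a real `-d -1` capture lists the operations for which slapd never logged a matching limit, which is the groupOfURLs case in the message.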

