List: openldap-technical
Subject: Re: olcLimits and groupOfURLs dynlist
From: Howard Chu <hyc () symas ! com>
Date: 2024-02-08 0:34:43
Message-ID: 54ce365e-a2fb-2650-605c-baece07591d7 () symas ! com
Norman Gray wrote:
>
> Howard, hello.
>
> On 7 Feb 2024, at 19:36, Howard Chu wrote:
>
> > > If I then make a query which has a few results, I do not get this limit
> > > imposed, and instead see in the logs
> > >
> > > 65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
> > > 65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
> >
> > And those logs are correct, the group entry you specified has no member
> > attribute. What it has is a memberURL attribute, and that's what you should have
> > configured in your olcLimits statement.
>
> Aha. I had taken the description to refer to the synthesised 'member' attributes
> in the dynamically generated group. Thanks for this.
>
> On changing this, though, to
>
> olcLimits: group/groupOfURLs/memberURL="cn=ldap-operators,ou=groups,o=example" size=2
>
> and making a query, I now see in the logs (with -d-1):
>
> 65c3df21.21fa70c8 0x16cacf000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
> 65c3df21.21fa97d8 0x16cacf000 => mdb_entry_get: ndn: "cn=ldap-operators,ou=groups,o=example"
> 65c3df21.21fab718 0x16cacf000 => mdb_entry_get: oc: "groupOfURLs", at: "memberURL"
> 65c3df21.21fb1ca8 0x16cacf000 mdb_dn2entry("cn=ldap-operators,ou=groups,o=example")
> 65c3df21.21fb4b88 0x16cacf000 => mdb_dn2id("cn=ldap-operators,ou=groups,o=example")
> 65c3df21.21fb8a08 0x16cacf000 <= mdb_dn2id: got id=0x2857
> 65c3df21.21fbb8e8 0x16cacf000 => mdb_entry_decode:
> 65c3df21.21fbd440 0x16cacf000 <= mdb_entry_decode
> 65c3df21.21fbef98 0x16cacf000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
> 65c3df21.21fc0ed8 0x16cacf000 mdb_entry_get: rc=0
> 65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
>
The above URL is not valid for a dynamic group. The attrs portion of the URL must be empty.
Since it's invalid, after it is parsed it gets ignored.

> There's no mention of 'limits' after this point in the log.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
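
The check described in the reply above, as an added example (not code from this message or from the OpenLDAP project): a Python script that reads an LDIF export and reports every memberURL whose attrs portion is not empty, which per the reply is invalid for a dynamic group and is ignored after parsing. The sample LDIF is constructed; the cn=staff-dyn entry and all function names are assumptions.

```python
import base64
from urllib.parse import unquote

# Constructed sample: the first memberURL is the one from the thread (folded
# across two LDIF lines), the second is a hypothetical entry with empty attrs.
SAMPLE = """\
dn: cn=ldap-operators,ou=groups,o=example
objectClass: groupOfURLs
memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=l
 dap-techs))

dn: cn=staff-dyn,ou=groups,o=example
objectClass: groupOfURLs
memberURL: ldap:///ou=staff,o=example??sub?(objectClass=person)
"""

def member_urls(ldif_text):
    """Yield (dn, memberURL) pairs from LDIF, handling folding and base64."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    dn = None
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):          # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "memberurl":
            yield dn, value

def url_attrs(url):
    """Return the attrs portion of scheme://host/dn?attrs?scope?filter."""
    _, _, rest = url.partition("://")
    _, _, path = rest.partition("/")      # drop the (possibly empty) host
    parts = path.split("?")
    return unquote(parts[1]) if len(parts) > 1 else ""

def check(ldif_text):
    """List (dn, url, attrs) for each memberURL with a non-empty attrs part."""
    found = ((dn, url, url_attrs(url)) for dn, url in member_urls(ldif_text))
    return [hit for hit in found if hit[2]]

if __name__ == "__main__":
    for dn, url, attrs in check(SAMPLE):
        print(f"{dn}: attrs={attrs!r} in {url}")
```

A group entry reported here is one where a group-based olcLimits rule would not take effect, since the URL is ignored.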