
List:       openldap-technical
Subject:    Re: olcLimits and groupOfURLs dynlist
From:       Howard Chu <hyc () symas ! com>
Date:       2024-02-08 0:34:43
Message-ID: 54ce365e-a2fb-2650-605c-baece07591d7 () symas ! com

Norman Gray wrote:
> 
> Howard, hello.
> 
> On 7 Feb 2024, at 19:36, Howard Chu wrote:
> 
> > > If I then make a query which has a few results, I do not get this limit
> > > imposed, and instead see in the logs
> > > 
> > > 65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
> > > 65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
> > 
> > And those logs are correct, the group entry you specified has no member
> > attribute. What it has is a memberURL attribute, and that's what you should have
> > configured in your olcLimits statement.
> 
> Aha.  I had taken the description to refer to the synthesised 'member' attributes
> in the dynamically generated group.  Thanks for this.
> 
> On changing this, though, to
> 
> olcLimits: group/groupOfURLs/memberURL="cn=ldap-operators,ou=groups,o=example" size=2
> 
> and making a query, I now see in the logs (with -d-1):
> 
> 65c3df21.21fa70c8 0x16cacf000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
> 65c3df21.21fa97d8 0x16cacf000 => mdb_entry_get: ndn: "cn=ldap-operators,ou=groups,o=example"
> 65c3df21.21fab718 0x16cacf000 => mdb_entry_get: oc: "groupOfURLs", at: "memberURL"
> 65c3df21.21fb1ca8 0x16cacf000 mdb_dn2entry("cn=ldap-operators,ou=groups,o=example")
> 65c3df21.21fb4b88 0x16cacf000 => mdb_dn2id("cn=ldap-operators,ou=groups,o=example")
> 65c3df21.21fb8a08 0x16cacf000 <= mdb_dn2id: got id=0x2857
> 65c3df21.21fbb8e8 0x16cacf000 => mdb_entry_decode:
> 65c3df21.21fbd440 0x16cacf000 <= mdb_entry_decode
> 65c3df21.21fbef98 0x16cacf000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
> 65c3df21.21fc0ed8 0x16cacf000 mdb_entry_get: rc=0
> 65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
> 

The above URL is not valid for a dynamic group. The attrs portion of the URL must be
empty.

Since it's invalid, after it is parsed it gets ignored.

> There's no mention of 'limits' after this point in the log.


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
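
Added example, not part of the original message and not OpenLDAP code: a Python audit of an LDIF export that reports every memberURL whose attrs portion is non-empty, the condition the reply above says makes the URL invalid for a dynamic group so that it is ignored. The cn=ldap-readers entry and the function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample: first memberURL is the one logged above (folded LDIF-style),
# the cn=ldap-readers entry is made up for contrast.
SAMPLE_LDIF = """\
dn: cn=ldap-operators,ou=groups,o=example
objectClass: groupOfURLs
memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)
 (cn=ldap-techs))

dn: cn=ldap-readers,ou=groups,o=example
objectClass: groupOfURLs
memberURL: ldap:///ou=staff,o=example??sub?(objectClass=person)
"""

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into dn, attrs, scope and filter."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    tail = rest.partition("/")[2]
    # dn ? attrs ? scope ? filter ? extensions; trailing fields may be omitted
    fields = (tail.split("?", 4) + [""] * 4)[:4]
    dn, attrs, scope, filt = (unquote(f) for f in fields)
    return {"dn": dn, "attrs": [a.strip() for a in attrs.split(",") if a.strip()],
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}

def audit_member_urls(ldif):
    """Return (entry dn, url, attrs) for each memberURL with a non-empty attrs part."""
    findings, dn = [], None
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # undo LDIF line folding
        name, _, value = line.partition(":")
        key = name.lower()
        if key not in ("dn", "memberurl"):
            continue
        if value.startswith(":"):  # "attr:: value" marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if key == "dn":
            dn = value
        else:
            attrs = parse_ldap_url(value)["attrs"]
            if attrs:
                findings.append((dn, value, attrs))
    return findings

if __name__ == "__main__":
    print(*audit_member_urls(SAMPLE_LDIF), sep="\n")
```

Any group reported here is worth checking wherever a size or time limit depends on it, since the thread shows no limit being applied for such a URL.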

