
List:       openldap-technical
Subject:    Re: olcLimits and groupOfURLs dynlist
From:       Norman Gray <gray () nxg ! name>
Date:       2024-02-08 15:51:55
Message-ID: BB108807-0DE1-4E30-9F78-D10509AB7DFF () nxg ! name


Howard, hello.

On 8 Feb 2024, at 15:07, Howard Chu wrote:

> Norman Gray wrote:
> > 
> > Howard, hello.
> > 
> > On 8 Feb 2024, at 0:34, Howard Chu wrote:
> > 
> > > 65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
> > > 
> > > The above URL is not valid for a dynamic group. The attrs portion of the URL must be empty.
> > > Since it's invalid, after it is parsed it gets ignored.
> > 
> > That's true when constructing what slapo-dynlist(5) calls a dynamic
> > group, but that's not what I'm constructing here, but instead a group
> > entry which is dynamically expanded, to a group, by a search.
> 
> Whatever you've constructed is not a dynamic group, as defined in slapo-dynlist.
> As such, it is not supported for the purpose you're asking.

Indeed -- it's not a 'dynamic group' in the terms of slapo-dynlist, but it is an entry which has a set of 'member' attributes, which is dynamically constructed (whatever one wants to call this).

But I can't see that that matters, since the slapd-config(5) text covering the olcLimits configuration attribute seems to clearly indicate that

    olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2

'sets the limits for any DN listed in the values of the [member] attribute of the [groupOfURLs] group whose DN exactly matches ["cn=ldap-operators,ou=groups,o=example"]' (where [...] fills in the blanks in the text there as I understand it).  I can't see a way of interpreting this manpage text which doesn't match this situation.  This works as expected when cn=ldap-operators is an entry which is not dynamically expanded.

It doesn't say that that group has to be a 'dynamic group in the terms of slapo-dynlist', it just says 'group'.

And slapo-dynlist says:

> Any time an entry with a specific objectClass is being returned,
> the LDAP URI-valued occurrences of a specific attribute are expanded
> into the corresponding entries, and the values of the attributes listed
> in the URI are added to the original entry.

This is exactly what happens when I ldapsearch the directory for this cn=ldap-operators entry, and what does not happen (because slapd logs that it can't find an attribute 'member') when the same group is returned from a search during processing of olcLimits.

The slapo-dynlist text says 'Any time an entry with a specific objectClass is being returned...'.  It doesn't say 'returned in response to an external query', it just says 'returned', which I of course take to include returned in response to an internal query such as this one.

Or, stepping back more, how _should_ I dynamically create an entry which olcLimits will respect?  I'm quite happy to be told I'm barking up the wrong tree here.  Is OpenLDAP simply unable to do this, or is dynlist expansion documented somewhere as happening only in restricted circumstances?

Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk
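For readers following the configuration under discussion, the fragment below is an added cn=config illustration; it is not from Norman's or Howard's messages and not from the OpenLDAP project's documentation. It places the URL form from the thread (attrs portion `member`) beside the form slapo-dynlist(5) calls a dynamic group (empty attrs portion, with a `<member-ad>` in olcDlAttrSet), so the difference Howard is pointing at is visible in one place, and it shows the olcLimits line quoted from slapd-config(5) applied to the dynamic-group entry. It does not settle the open question in the thread, namely whether slapd honours dynlist-expanded `member` values while evaluating olcLimits. The suffix `o=example`, the `{1}mdb` database and `{0}` overlay indices, the `ou=people` subtree, the `employeeType` filter and the group names other than `cn=ldap-operators` are assumptions.

```ldif
# Added illustration, not taken from the thread. Suffix o=example, the {1}mdb
# database, the {0} overlay index and the ou=people/employeeType filter are
# assumptions. The cn=config records are meant for
#   ldapmodify -Y EXTERNAL -H ldapi:///
# and the ou=groups records for a directory-manager bind.

# 1. Enable slapo-dynlist on the database in dynamic-group mode.
#    olcDlAttrSet: <group-oc> <URL-ad> <member-ad>
#    With <member-ad> present, slapo-dynlist(5) requires the URL's attrs
#    portion to be empty and lists the DNs of the matched entries as <member-ad>.
dn: olcOverlay={0}dynlist,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: groupOfURLs memberURL member

# 2a. The URL form from the thread: attrs portion is 'member'.
#     Under the dynamic-group rule above this URL is parsed and then ignored
#     (Howard's point). Only with a plain dynamic-list rule, i.e.
#     "olcDlAttrSet: groupOfURLs memberURL" and no <member-ad>, does an attrs
#     portion make sense, and then it copies the 'member' values of the matched
#     group entries into this entry.
dn: cn=ldap-operators,ou=groups,o=example
changetype: add
objectClass: groupOfURLs
cn: ldap-operators
memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))

# 2b. The dynamic-group form: empty attrs portion (note the '??').
#     The DNs of the entries matching the search become 'member' values.
#     This is a different set from 2a: the matched entries themselves, not
#     the members of other groups.
dn: cn=ldap-operators-dyn,ou=groups,o=example
changetype: add
objectClass: groupOfURLs
cn: ldap-operators-dyn
memberURL: ldap:///ou=people,o=example??sub?(|(employeeType=ldap-admin)(employeeType=ldap-tech))

# 3. The olcLimits line quoted from slapd-config(5) in the thread, pointed at
#    the dynamic-group entry. The size limit value is arbitrary.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: group/groupOfURLs/member="cn=ldap-operators-dyn,ou=groups,o=example" size=2
```

A quick way to see what slapo-dynlist actually produces for each entry is an ordinary `ldapsearch -b cn=ldap-operators-dyn,ou=groups,o=example member`; whether the same expansion happens inside olcLimits processing is exactly what the message above is asking.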

