Norman Gray wrote:
>
> Howard, hello.
>
> On 8 Feb 2024, at 15:07, Howard Chu wrote:
>
>>> Norman Gray wrote:
>>>
>>> Howard, hello.
>>>
>>> On 8 Feb 2024, at 0:34, Howard Chu wrote:
>>>
>>>> 65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
>>>>
>>>> The above URL is not valid for a dynamic group. The attrs portion of the URL must be empty.
>>>>
>>>> Since it's invalid, after it is parsed it gets ignored.
>>>
>>> That's true when constructing what slapo-dynlist(5) calls a dynamic
>>> group, but that's not what I'm constructing here, but instead a group
>>> entry which is dynamically expanded, to a group, by a search.
>>
>> Whatever you've constructed is not a dynamic group, as defined in slapo-dynlist.
>> As such, it is not supported for the purpose you're asking.
>
> Indeed -- it's not a 'dynamic group' in the terms of slapo-dynlist, but it is an entry which has a set of 'member' attributes, which is dynamically constructed (whatever one wants to call this).
>
> But I can't see that matters, since the slapd-config(5) text covering the olcLimits configuration attribute seems to clearly indicate that
>
>     olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
>
> 'sets the limits for any DN listed in the values of the [member] attribute of the [groupOfURLs] group whose DN exactly matches ["cn=ldap-operators,ou=groups,o=example"]' (where [...] fills in the blanks in the text there as I understand it). I can't see a way of interpreting this manpage text which doesn't match this situation. This works as expected when cn=ldap-operators is an entry which is not dynamically expanded.
>
> It doesn't say that that group has to be a 'dynamic group in the terms of slapo-dynlist', it just says 'group'.
>
> And slapo-dynlist says:
>
>> Any time an entry with a specific objectClass is being returned,
>> the LDAP URI-valued occurrences of a specific attribute are expanded
>> into the corresponding entries, and the values of the attributes listed
>> in the URI are added to the original entry.

The text above is for a *dynamic list* - which is not a *dynamic group*. The code supports groups, not lists.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/