
List:       openldap-technical
Subject:    Re: olcLimits and groupOfURLs dynlist
From:       Howard Chu <hyc () symas ! com>
Date:       2024-02-08 16:22:38
Message-ID: 984427d3-d4d9-36bc-3b69-532990845ab3 () symas ! com

Norman Gray wrote:
> 
> Howard, hello.
> 
> On 8 Feb 2024, at 15:07, Howard Chu wrote:
> 
> > > Norman Gray wrote:
> > > 
> > > Howard, hello.
> > > 
> > > On 8 Feb 2024, at 0:34, Howard Chu wrote:
> > > 
> > > > 65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))
> > > >
> > > > The above URL is not valid for a dynamic group. The attrs portion of the URL must be empty.
> > > > Since it's invalid, after it is parsed it gets ignored.
> > > 
> > > That's true when constructing what slapo-dynlist(5) calls a dynamic
> > > group, but that's not what I'm constructing here, but instead a group
> > > entry which is dynamically expanded, to a group, by a search.
> > 
> > Whatever you've constructed is not a dynamic group, as defined in slapo-dynlist.
> > As such, it is not supported for the purpose you're asking.
> 
> Indeed -- it's not a 'dynamic group' in the terms of slapo-dynlist, but it is an entry which has a set of 'member' attributes, which is dynamically constructed (whatever one wants to call this).
> But I can't see that matters, since the slapd-config(5) text covering the olcLimits configuration attribute seems to clearly indicate that
>
> olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
>
> 'sets the limits for any DN listed in the values of the [member] attribute of the [groupOfURLs] group whose DN exactly matches ["cn=ldap-operators,ou=groups,o=example"]' (where [...] fills in the blanks in the text there as I understand it).  I can't see a way of interpreting this manpage text which doesn't match this situation.  This works as expected when cn=ldap-operators is an entry which is not dynamically expanded.
> It doesn't say that that group has to be a 'dynamic group in the terms of slapo-dynlist', it just says 'group'.
> And slapo-dynlist says:
> 
> > Any time an entry with a specific objectClass is being returned,
> > the LDAP URI-valued occurrences of a specific attribute are expanded
> > into the corresponding entries, and the values of the attributes listed
> > in the URI are added to the original entry.

The text above is for a *dynamic list* - which is not a *dynamic group*.
The code supports groups, not lists.


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
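
Added example, not part of the original message and not OpenLDAP code: a small audit that splits group URLs into their RFC 4516 components and reports any whose attrs portion is not empty, the condition the thread says makes a URL invalid for a dynamic group, so a group-based limit that silently does not apply can be spotted. The entry DNs and the second URL are constructed; the function names are hypothetical.

```python
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL: scheme://host/dn?attrs?scope?filter?extensions."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL")
    host, _, tail = rest.partition("/")
    # A literal '?' inside a component must be percent-encoded, so a plain
    # split is safe; missing trailing components are padded as empty.
    parts = tail.split("?", 4)
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts)
    return {
        "host": host,
        "dn": dn,
        "attrs": [a.strip() for a in attrs.split(",") if a.strip()],
        "scope": scope or "base",            # RFC 4516 default
        "filter": filt or "(objectClass=*)",  # RFC 4516 default
        "extensions": exts,
    }

def audit_group_urls(entries):
    """Return (entry_dn, url, reason) for each URL not usable as a dynamic group."""
    findings = []
    for entry_dn, urls in entries.items():
        for url in urls:
            try:
                parsed = parse_ldap_url(url)
            except ValueError as exc:
                findings.append((entry_dn, url, str(exc)))
                continue
            if parsed["attrs"]:
                reason = "attrs portion not empty: " + ",".join(parsed["attrs"])
                findings.append((entry_dn, url, reason))
    return findings

# Constructed sample data: the first URL is the one from the log line in the
# thread; the entry DNs and the second URL are made up for illustration.
SAMPLE = {
    "cn=example-a,ou=groups,o=example": [
        "ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))",
    ],
    "cn=example-b,ou=groups,o=example": [
        "ldap:///ou=people,o=example??sub?(title=operator)",
    ],
}

if __name__ == "__main__":
    for entry_dn, url, reason in audit_group_urls(SAMPLE):
        print(f"{entry_dn}: {reason}\n  {url}")
```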

