
List:       openldap-technical
Subject:    Re: olcLimits and groupOfURLs dynlist
From:       Norman Gray <gray () nxg ! name>
Date:       2024-02-12 11:06:39
Message-ID: D9633EEA-80F6-4AC6-9A23-AC21F7B208B5 () nxg ! name


Greetings.

A summary, for the archive and for google....

The missing piece, from my point of view, is that it looks like the group selector for the olcLimits option (which is what I started off looking at; and see slapd-config(5)) has similar semantics to that for the corresponding olcAccess option, more fully documented in slapd.access(5).

In the documentation of the <who> field there, we learn that 'The statement group=<group> means that access is granted to requests whose DN is listed in the group entry whose DN is given by <group>.'  But despite slapo-dynlist saying 'Any time an entry with a specific objectClass is being returned...', this does _not_ apply here, since the next paragraph of slapd.access says 'For dynamic groups the attributeType must be a subtype of the labeledURI attributeType. Only LDAP URIs of the form ldap:///<base>??<scope>?<filter> will be evaluated in a dynamic group, by searching the local server only.'  That is, the olcAccess group processing is, in effect, restricted to the three-argument version of the attrset option of slapo-dynlist -- that's what I had missed.

Presuming the olcLimits option has the same restriction, then the effect I was initially aiming to achieve -- setting a limit for members of a particular group which is dynamically populated -- is not possible for me by this route.

The groups I'm aiming to set limits and access for are most naturally defined from the union of other groups.  Such groups are easy to define via the two-argument dynlist-attrset value (which uses ldap:///<base>?member?sub?<filter>), but not, as far as I can see, via the three-argument one.  I can probably instead synthesise the groups I want, dynamically, by introducing a memberOf attribute attached to the groups' members, but I worry that has the potential to get a little messy in practice; I notice group.expand, which might help.

I notice that the documentation of olcAccess doesn't actually mention the dynlist overlay, and thus may be entirely independent of it.  Something for me to investigate.

Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk
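The practical consequence of the restriction Norman quotes from slapd.access(5) is that a groupOfURLs entry can carry memberURL values that slapo-dynlist happily expands but that the group=<dn> selector in olcAccess (and, on his presumption, olcLimits) will silently ignore, so the limit or ACL quietly applies to nobody. The following script is an added example, not part of the thread or of OpenLDAP itself: it parses memberURL values out of a constructed LDIF fragment and reports which ones match the only shape slapd.access(5) says it evaluates, ldap:///<base>??<scope>?<filter> against the local server. The group DNs, filters and hostname in the sample are invented; the parsing follows RFC 4516's component order (dn?attrs?scope?filter?extensions).

```python
"""Audit the memberURL values of dynamic groups against the restriction quoted
from slapd.access(5): only URIs of the form ldap:///<base>??<scope>?<filter>
are evaluated when olcAccess (and, presumably, olcLimits) checks group
membership, and only by searching the local server.

Added example; the sample LDIF below is constructed, not taken from any real directory.
"""
import re
from urllib.parse import unquote

# Constructed sample: one group uses the three-argument dynlist form (the
# entries matched by the search are the members), the other uses the
# two-argument form that builds a union of other groups' member attributes,
# plus a URI that names a remote host.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: groupOfURLs
cn: staff
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(employeeType=staff)

dn: cn=all-ops,ou=groups,dc=example,dc=com
objectClass: groupOfURLs
cn: all-ops
memberURL: ldap:///ou=groups,dc=example,dc=com?member?sub?(cn=ops-*)
memberURL: ldap://ldap.example.com/ou=people,dc=example,dc=com??sub?(cn=bob)
"""


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into hostport, dn, attrs, scope and filter."""
    m = re.match(r"^ldap://([^/]*)/(.*)$", url, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an ldap:// URL: {url!r}")
    hostport, rest = m.groups()
    # Components are '?'-separated; missing trailing components default to empty.
    dn, attrs, scope, filt, _ext = (rest.split("?", 4) + [""] * 5)[:5]
    return {
        "hostport": hostport,
        "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": (scope or "base").lower(),
        "filter": unquote(filt) or "(objectClass=*)",
    }


def classify_member_url(url):
    """Return 'evaluated' if the group=<dn> check will search this URI, else why it is skipped."""
    u = parse_ldap_url(url)
    if u["hostport"]:
        return "skipped: names a host; dynamic-group URIs are searched on the local server only"
    if u["attrs"]:
        return ("skipped: attribute list present (two-argument dynlist form); "
                "olcAccess only evaluates ldap:///<base>??<scope>?<filter>")
    return "evaluated"


def member_urls_from_ldif(ldif_text):
    """Map each entry DN to its memberURL values (unfolds LDIF continuation lines)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: leading space continues previous line
        else:
            lines.append(raw)
    entries, dn, urls = {}, None, []
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":
            if dn:
                entries[dn] = urls
            dn, urls = None, []
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("memberURL: "):
            urls.append(line[len("memberURL: "):])
    return entries


def audit(ldif_text):
    """For every group, pair each memberURL with its verdict."""
    return {dn: [(u, classify_member_url(u)) for u in urls]
            for dn, urls in member_urls_from_ldif(ldif_text).items()}


if __name__ == "__main__":
    for dn, results in audit(SAMPLE_LDIF).items():
        print(dn)
        for url, verdict in results:
            print(f"  {url}\n    -> {verdict}")
```

Running it against a real slapcat dump of the groups subtree (replace SAMPLE_LDIF with the file contents) gives a quick list of the dynamic groups whose membership an olcAccess or olcLimits group= clause will actually see; any group whose URIs are all 'skipped' is one where the union-of-groups shape Norman describes needs rethinking before it is relied on for a limit.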

