List: openldap-technical
Subject: Re: olcLimits and groupOfURLs dynlist
From: Norman Gray <gray () nxg ! name>
Date: 2024-02-12 11:06:39
Message-ID: D9633EEA-80F6-4AC6-9A23-AC21F7B208B5 () nxg ! name
Greetings.
A summary, for the archive and for Google....

The missing piece, from my point of view, is that it looks like the group selector for the olcLimits option (which is what I started off looking at; and see slapd-config(5)) has similar semantics to that for the corresponding olcAccess option, more fully documented in slapd.access(5).

In the documentation of the <who> field there, we learn that 'The statement group=<group> means that access is granted to requests whose DN is listed in the group entry whose DN is given by <group>.' But despite slapo-dynlist saying 'Any time an entry with a specific objectClass is being returned...', this does _not_ apply here, since the next paragraph of slapd.access says 'For dynamic groups the attributeType must be a subtype of the labeledURI attributeType. Only LDAP URIs of the form ldap:///<base>??<scope>?<filter> will be evaluated in a dynamic group, by searching the local server only.' That is, the olcAccess group processing is, in effect, restricted to the three-argument version of the attrset option of slapo-dynlist -- that's what I had missed.

Presuming the olcLimits option has the same restriction, then the effect I was initially aiming to achieve -- setting a limit for members of a particular group which is dynamically populated -- is not possible for me by this route.

The groups I'm aiming to set limits and access for are most naturally defined from the union of other groups. Such groups are easy to define via the two-argument dynlist-attrset value (which uses ldap:///<base>?member?sub?<filter>), but not, as far as I can see, via the three-argument one. I can probably instead synthesise the groups I want, dynamically, by introducing a memberOf attribute attached to the groups' members, but I worry that has the potential to get a little messy in practice; I notice group.expand, which might help.

I notice that the documentation of olcAccess doesn't actually mention the dynlist overlay, and thus may be entirely independent of it. Something for me to investigate.
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
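An added illustration of the distinction described in the message above (not part of the original post, and not taken from the OpenLDAP documentation): a cn=config LDIF that pairs a dynlist three-argument attrset with a groupOfURLs entry whose memberURL has the ldap:///<base>??<scope>?<filter> shape that the olcAccess and olcLimits group selectors can evaluate, alongside the two-argument, union-style URL shape that they cannot. All DNs, the database index and the filter are constructed placeholders.

```ldif
# Constructed example: dynlist overlay on the (hypothetical) {1}mdb database.
# Three-argument attrset: the DNs found by the memberURL search are written
# into the group's member attribute.
dn: olcOverlay={0}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfURLs memberURL member

# A dynamic group whose URL has no attribute list: base, scope and filter
# select the members. This is the only URL form that the olcAccess and
# olcLimits group selectors evaluate (slapd.access(5), dynamic groups).
dn: cn=readers,ou=groups,dc=example,dc=org
objectClass: groupOfURLs
cn: readers
memberURL: ldap:///ou=people,dc=example,dc=org??sub?(departmentNumber=42)

# For contrast, a union-of-groups URL in the two-argument style. It pulls
# the member values of other group entries into this one, but because it
# carries an attribute list (?member?) rather than the ??<scope>?<filter>
# shape, the access and limits group selectors will not evaluate it as a
# membership test.
dn: cn=all-teams,ou=groups,dc=example,dc=org
objectClass: groupOfURLs
cn: all-teams
memberURL: ldap:///ou=groups,dc=example,dc=org?member?sub?(cn=team-*)

# Access rule and size limit keyed on the evaluable dynamic group. The
# selector names the object class and the labeledURI-subtype attribute
# (memberURL) that holds the URL to evaluate.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=docs,dc=example,dc=org"
  by group/groupOfURLs/memberURL="cn=readers,ou=groups,dc=example,dc=org" read
  by * none
-
add: olcLimits
olcLimits: group/groupOfURLs/memberURL="cn=readers,ou=groups,dc=example,dc=org"
  size=500
```

Applying the second record with ldapmodify against cn=config and then binding as a user under ou=people that matches the filter is one way to confirm that the readers selector is evaluated, while a rule keyed on cn=all-teams would not match its indirect members.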