[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4989) Quirk in Dynlist overlay configuration

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4989) Quirk in Dynlist overlay configuration
From: ando@sys-net.it
Date: Sat, 2 Jun 2007 09:34:01 GMT

marg@rz.tu-clausthal.de wrote:

> I found a behaviour issue with the dynlist overlay configuration:
> 
> I tried the following configuration:
> 
> overlay dynlist
> dynlist-attrset posixGroup memberURL
> dynlist-attrset groupOfURLs memberURL owner

The reason of that check is that the same attribute "memberURL" could
otherwise be used by both group classes to expand.

> 
> but slaptest complains about it - and the slapd doesn't start with it:
> 
> @(#) $OpenLDAP: slapd 2.3.34[...]
> /usr/local/etc/openldap/slapd.conf: line 91: "dynlist-attrset <oc>
> <URL-ad> [<member-ad>]": URL attributeDescription "memberURL" already
> mapped.
> slapd stopped.
> 
> When I use multiple "overlay dynlist"-entries like:
> 
> overlay dynlist
> dynlist-attrset posixGroup memberURL
> overlay dynlist
> dynlist-attrset groupOfURLs memberURL owner
> 
> it works as expected, but there is a warning:
> 
> overlay_config(): warning, overlay "dynlist" already in list
> 
> PS: Although the new Version 2.3.35 isn't available via FreeBSD Ports
> yet, I don't think that it would change anything, because the source
> file of the dynlist-overlay doesn't seem to have changed in any part
> that matters to this issue.

I think the documentation describes the intended behavior, but
configuration parsing is not (no longer?) in agreement with the
documentation.  I think the real issue is that the behavior is no longer
consistent for compares and searches:
- for searches, only the first group that matches the entry's
objectClass will be expanded
- for compares, all groups that match will be expanded until a match is
found

I'm reworking the configuration test to be consistent with the
documentation, and the code to be self-consistent: now all groups
matching the entry are expanded.  So now a configuration like

dynlist-attrset groupOfURLs memberURL
dynlist-attrset groupOfURLs memberURL member

will simultaneously merge all attributes listed in a "memberURL", and
add the expanded entries' DN as "member".

However, I believe something like

dynlist-attrset posixGroup memberURL
dynlist-attrset groupOfURLs memberURL

should still be forbiden, otherwise the same "memberURL" would expand
twice.  This, strictly speaking, is not an issue, as duplicates would
simply be discarded, but it would cause unnecessary overhead.  Right
now, I have decided to turn this check into a config-time warning.

Please test and report.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------

Prev by Date: Re: (ITS#4994) Clarify -y option in man pages
Next by Date: Re: (ITS#4951) [contrib] RADIUS password module fixes
Index(es):
- Chronological
- Thread