Re: Debugging a module

[Howard Chu <hyc@symas.com>]

Ryan Steele wrote:
> Hey Andreas,
>
> Andreas Hasenack wrote:
> > On Wed, Sep 16, 2009 at 17:42, Ryan Steele<ryans@aweber.com>  wrote:
> > > query returns nothing:
> > >
> > > ldapsearch -x -w SECRET -D "cn=admin,dc=example,dc=com" -b "cn=testgroup,ou=Groups,dc=example,dc=com" -LLL '(uid=user1)'
> >
> >
> > This filter doesn't look right. Try
> > "(member=uid=user1,ou=Users,dc=example,dc=com)"
> >
> > > ldapsearch -x -w SECRET -D "cn=admin,dc=example,dc=com" -b "cn=testgroup ou=Groups,dc=example,dc=com" -LLL
> > > dn: cn=testgroup,ou=Groups,dc=example,dc=com
> > > ou: Groups
> > > cn: testgroup
> > > objectClass: groupOfURLs
> > > memberURL: ldap:///ou=Users,dc=example,dc=com?uid?sub?(&(employeeType=Developer
> > >   )(objectClass=exampleEmployee))
> > > member: uid=user1,ou=Users,dc=example,dc=com
> > > member: uid=user2,ou=Users,dc=example,dc=com
> > > member: uid=user3,ou=Users,dc=example,dc=com

> Thanks for the advice - I think you're right about filtering on the
> 'member'
attribute. However, doing so still returns
> the entire list, not the individual member I'm filtering for.

That is the way LDAP search filters work, as Quanah explained in his followup. 
And yes, this comment deserves an RTFM response.

Note that there is a ValuesReturnFilter control (RFC3876) which can be used to 
only return specific values in a result.

> I'm not quite sure how to explain this behavior, given the implications
> made  in the following two posts which indicate
> that I should be able to use dynamically generated attributes as filter
expressions:

The posts you reference make no such implication.

> http://www.openldap.org/lists/openldap-software/200802/msg00211.html

States quite clearly "the dynamic members are not present in the entry during 
search, when the filter is evaluated. You can only filter for static data."

Or again, for clarity: You cannot use dynamically generated attributes as 
filter expressions.

The suggestion to use the autogroup overlay is precisely because autogroup 
does not use dynamically generated attributes, and therefore doesn't run into 
this constraint.

> http://www.openldap.org/lists/openldap-software/200812/msg00038.html

> Also, in the earlier ITS filed for the autogroup contrib overlay, it
> states  that for searches and compares, it should
> behave like a static group, bolstering that supposition:

> http://www.openldap.org/lists/openldap-bugs/200709/msg00128.html

How does "behaves like a static group" in any way support the notion that 
*dynamic* content is supported?

> So, should I be searching for a bug (which was the premise for the OP), or
> has the behavior of autogroup changed since  its inception?
> As always, many thanks for any and all advice!

You should be re-checking the enormous logical leaps you have made based on 
the material you have read. Another reason questions go un-answered is because 
the person asking them has already demonstrated such poor reading 
comprehension that the time spent writing an answer would be wasted; the 
answer will obviously be misunderstood.

"static" and "dynamic" are clearly antonyms in this context but you have 
conflated the two together and are asking why you aren't seeing the behavior 
you expect. Since we can only communicate in English on this list, if you 
don't even understand this basic semantic in English then you're beyond our 
ability to help.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/