[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: dynlist overlay feature request

To: Howard Chu <hyc@symas.com>
Subject: Re: dynlist overlay feature request
From: "Alexander 'Leo' Bergolth" <leo@strike.wu.ac.at>
Date: Fri, 25 Sep 2009 10:40:10 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <4ABBBDB5.3010302@symas.com>
References: <4ABB5164.5080203@strike.wu.ac.at> <4ABBBDB5.3010302@symas.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.23) Gecko/20090825 Fedora/2.0.0.23-1.fc10 Thunderbird/2.0.0.23 Mnenhy/0.7.5.0

On 09/24/2009 08:43 PM, Howard Chu wrote:
> Alexander 'Leo' Bergolth wrote:
>> Are there any plans to extend the dynlist overlays dynamic group feature
>> to return not the DNs of the matched entries but an attribute of the
>> entries?
> 
> As Andreas already posted, this has been a dynlist feature for a long time.

As explained in my previous mail, this functionality isn't covered yet
for posixGroups memberUid style setups.

>> Could this extension be easily implemented?
> 
>> Is there currently any workaround?
> 
> Use RFC2307bis. posixGroups with memberUid are deprecated.

Even RFC2307bis says "either ... or", AFAIK it doesn't contain any
valuation which one is preferred:

     It is suggested that uid and cn are used as the naming attribute
     for posixAccount and posixGroup entries, respectively. Group
     members may either be login names (values of memberUid) or dis-
     tinguished names (values of uniqueMember).

E.g. samba recommends to use smbldaptools for managing Users and Group,
which cannot handle uniqueMembers.

Anyway, memberUIDs are still used in many large distributed setups that
cannot be easily migrated to uniqueMember style groups without major
modifications to all components involved.

So how do you estimate the complexity of adding this extension to
dynlist-attrset?

> dynlist-attrset <group-oc> <URL-ad> [<member-ad>] [<result-ad>]
> i.e.:
> dynlist-attrset myposixGroup memberURL memberUid uid

>> E.g. a way to dynamically add a memberUid to each posixAccount that
>> contains the same data as the uid attribute? If that works, a filter like
>> ldap:///ou=users,dc=local,dc=site?memberUid?sub?(&(objectClass=posixAccount)(<searchfilter>))
>>
>> ... could work.

Or maybe another workaround could be to first add the user-account DN to
the memberUid attribute using existing dynlist features and then rewrite
it's value by extracting the username out of the DN using another
overlay? Would this be a realistic approach?

Cheers,
--leo
-- 
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria

Follow-Ups:
- Re: dynlist overlay feature request
  - From: Howard Chu <hyc@symas.com>

References:
- dynlist overlay feature request
  - From: "Alexander 'Leo' Bergolth" <leo@strike.wu.ac.at>
- Re: dynlist overlay feature request
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Memberof overlay
Next by Date: Re: dynlist overlay feature request
Index(es):
- Chronological
- Thread