Re: (ITS#6970) OpenLDAP 2.4.25 MemberOf + AutoGroup user has stale "memberof" attributes for target group after removal from trigger group



ryan@nardis.ca wrote:
> As I understand it, Gerry's use case is: we have some groups, we want
> an autogroup containing the union of their members, and we want
> memberOf to accurately reflect both the manual and automatic group
> memberships. I think that's a reasonable thing to want; especially
> since the memberOf part is impossible with dynlist.
>
> Config for these tests: dyngroup schema with groupOfURLs modified to
> allow 'member' as per autogroup README, plus:
>
> dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
> objectClass: olcMemberOf
> olcMemberOfGroupOC: groupOfURLs
>
> dn: olcOverlay={2}autogroup,olcDatabase={1}mdb,cn=config
> objectClass: olcAutomaticGroups
> olcAGattrSet: groupOfURLs memberURL member
>
> On Wed, Jun 4, 2014 at 12:24 PM, Ryan Tandy <ryan@nardis.ca> wrote:
>> Adding a new entry that triggers an autogroup member to be added: I
>> don't get a crash or deadlock, but the new entry doesn't have a
>> memberOf attribute. It looks like the internal Modify adding the
>> member happens before the Add completes, so memberof tries to add
>> memberOf to an entry that doesn't exist yet.
>
> slapadd:
>
> dn: cn=autogroup,dc=example,dc=com
> objectClass: groupOfURLs
> memberURL: ldap:///dc=example,dc=com??one?(objectClass=account)
>
> and then ldapadd:
>
> dn: uid=user,dc=example,dc=com
> objectClass: account
> uid: user
>
> The new entry doesn't gain a memberOf attr as expected.

Fixed in git master.

>> Changing autogroup to trigger on an alteration to an existing entry,
>> for example addition of a specific attribute or auxiliary objectClass:
>> with mdb this works and the memberOf attribute is added; with hdb I
>> get the same deadlock Landry Breuil already reported. Looks like a
>> recursive deadlock on the same thread.
>
> slapadd:
>
> dn: cn=autogroup,dc=example,dc=com
> objectClass: groupOfURLs
> memberURL: ldap:///dc=example,dc=com??one?(objectClass=extensibleObject)
>
> dn: uid=user,dc=example,dc=com
> objectClass: account
>
> and then ldapmodify:
>
> dn: uid=user,dc=example,dc=com
> add: objectClass
> objectClass: extensibleObject
>
> under mdb, works as expected.
> under hdb, deadlock.

Fixed in git master.

>> I think those problems are both different from the one this ITS is
>> about, though. Maybe they should be filed separately.
>>
>> I also confirmed the problem originally reported on current git master
>
> I came up with two ways to do this. I don't know which one Gerry used.
>
> You can use the same config as above and have autogroup expand attr
> values. The initial LDIF is:
>
> dn: cn=autogroup,dc=example,dc=com
> objectClass: groupOfURLs
> memberURL: ldap:///cn=staticgroup,dc=example,dc=com?member?base?(objectClass=*)
>
> dn: cn=staticgroup,dc=example,dc=com
> objectClass: groupOfNames
> member: cn=dummy
>
> dn: uid=user,dc=example,dc=com
> objectClass: account
>
> (You can't re-use groupOfURLs for the static group because autogroup
> blocks manual changes to its members.)
>
> Then ldapmodify:
>
> dn: cn=staticgroup,dc=example,dc=com
> add: member
> member: uid=user,dc=example,dc=com
>
> dn: cn=staticgroup,dc=example,dc=com
> delete: member
> member: uid=user,dc=example,dc=com

Fixed in git master.
>
> Alternatively you can make autogroup search by memberOf. For that you need
>
> olcMemberOfGroupOC: groupOfNames
>
> (instead of GroupOfURLs). Then you do the same slapadd and ldapmodify,
> except with
>
> memberURL: ldap:///dc=example,dc=com??one?(memberOf=cn=staticgroup,dc=example,dc=com)

Fixed in git master.
>
> AFAICT both approaches work (personally I prefer the first...), but
> memberOf is only applied to a single OC. If you want it for both, you
> might try the same thing with a second memberof instance, like this:
>
> dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
> objectClass: olcMemberOf
> olcMemberOfGroupOC: groupOfURLs
>
> dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
> objectClass: olcMemberOf
> olcMemberOfGroupOC: groupOfNames
>
> dn: olcOverlay={3}autogroup,olcDatabase={1}mdb,cn=config
> objectClass: olcAutomaticGroups
> olcAGattrSet: groupOfURLs memberURL member

Not tested.

> Then you get the problem Gerry reported: memberOf is added twice but
> only deleted once, the second value remains. Same result for both
> memberURL configurations.
>
> Minor nitpicks: if you give autogroup's olcAGattrSet exactly two
> arguments, slapadd crashes in ag_cfgen (autogroup.c:1761);

Fixed in git master.

> and if you
> omit the filter from memberURL, i.e.
>
> memberURL: ldap:///cn=staticgroup,dc=example,dc=com?member?base?
>
> then slapd crashes in autogroup_modify_entry (autogroup.c:1381) while
> refreshing memberships. Ideally those would return an error instead of
> segfaulting.

Fixed in git master - the offending autogroup URLs are ignored.
>
> I'm also wondering, should autogroup/README perhaps recommend
> groupOfNames and labeledURI instead of groupOfURLs and member?
>
> hope this helps,
> Ryan
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
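A consistency check for the stale-memberOf symptom discussed in this thread, added here as an example (it is not code from the thread or from OpenLDAP): it expands each group's `member` values into the `memberOf` each entry should carry and reports stale or missing values on a constructed LDIF sample modelled on the entries above. The LDIF parser and the lowercase DN comparison are deliberate simplifications for offline use.

```python
from collections import defaultdict

# Constructed sample: the user was removed from the static group (only cn=dummy
# remains) and is not an autogroup member, yet still carries both memberOf values.
SAMPLE_LDIF = """\
dn: cn=staticgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=dummy

dn: cn=autogroup,dc=example,dc=com
objectClass: groupOfURLs
member: uid=other,dc=example,dc=com

dn: uid=user,dc=example,dc=com
objectClass: account
memberOf: cn=staticgroup,dc=example,dc=com
memberOf: cn=autogroup,dc=example,dc=com

dn: uid=other,dc=example,dc=com
objectClass: account
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn_lower: {attr_lower: [values]}}; no folding or base64."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs[key.lower()].append(val.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit_memberof(entries, group_ocs=("groupofnames", "groupofurls")):
    """Return {dn: (stale, missing)} for entries whose memberOf disagrees with group 'member'."""
    expected = defaultdict(set)  # member DN -> set of group DNs that list it
    for dn, attrs in entries.items():
        if any(oc.lower() in group_ocs for oc in attrs.get("objectclass", [])):
            for m in attrs.get("member", []):
                expected[m.lower()].add(dn)
    report = {}
    for dn, attrs in entries.items():
        actual = {v.lower() for v in attrs.get("memberof", [])}
        stale, missing = actual - expected[dn], expected[dn] - actual
        if stale or missing:  # stale = memberOf left behind; missing = memberOf never added
            report[dn] = (sorted(stale), sorted(missing))
    return report
```

Running `audit_memberof(parse_ldif(SAMPLE_LDIF))` flags uid=user with two stale values and uid=other with one missing value.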