Re: (ITS#8613) slapo-memberOf documentation update (Unsafe to use with replication)
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8613) slapo-memberOf documentation update (Unsafe to use with replication)
- From: quanah@symas.com
- Date: Thu, 09 Mar 2017 20:53:06 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
--On Thursday, March 09, 2017 12:54 AM +0000 quanah@openldap.org wrote:
> It is possible to set up slapo-dynlist to operate as a replacement for
> slapo-memberOf, and it is safe in a replicated environment. The tricky
> part of using slapo-dynlist is that membership information must be
> maintained by updating user objects rather than by updating group
> objects, which may be difficult for end users depending on how they
> perform group management.
It's also possible to do this in the reverse direction. I.e., normal
static groups that will populate memberOf in the user entry. To do this,
you have to hack the dyngroup schema, changing groupOfURLs from STRUCTURAL
to AUXILIARY.
In the slapd config, the dynlist config looks like:
dynlist-attrset groupOfUrls memberURL memberOf
Then we can create some groups:
root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=testgroup"
dn: cn=testgroup,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: testgroup
member: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com
root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=alttestgroup"
dn: cn=alttestgroup,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: alttestgroup
member: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com
The user entry looks like:
root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=Marice McCaugherty" objectClass memberOf memberURL
dn: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??sub?(member=cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com)
memberOf: cn=testgroup,ou=Group,dc=example,dc=com
memberOf: cn=alttestgroup,ou=Group,dc=example,dc=com
Doing it this way means that people currently using memberOf wouldn't need
to change how group management is done.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
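To make the read-time behaviour of the reversed dynlist setup above concrete, here is an added Python simulation (not OpenLDAP or Symas code): it builds the per-user memberURL, parses it as an LDAP URL, and evaluates the (member=DN) search over constructed in-memory group entries to produce the memberOf values slapo-dynlist would present. The group DNs, the "cn=other" group and the user DN are constructed sample data; only the one equality filter form this configuration relies on is supported.

```python
import re
from urllib.parse import unquote

# Constructed sample groups (static groupOfNames entries); no slapd is contacted.
USER = "cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com"
GROUPS = {
    "cn=testgroup,ou=Group,dc=example,dc=com": {"member": [USER]},
    "cn=alttestgroup,ou=Group,dc=example,dc=com": {"member": [USER]},
    "cn=other,ou=Group,dc=example,dc=com":
        {"member": ["cn=Someone Else,ou=Product Testing,dc=example,dc=com"]},
}

def member_url_for(user_dn, base="dc=example,dc=com"):
    """memberURL a user entry carries: subtree search for groups listing that DN."""
    return f"ldap:///{base}??sub?(member={user_dn})"

def parse_member_url(url):
    """Split an LDAP URL (RFC 4516 shape) into (base, attrs, scope, filter)."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url)
    if not m:
        raise ValueError(f"not a recognised LDAP URL: {url}")
    base, attrs, scope, flt = (unquote(p) for p in m.groups())
    return base, [a for a in attrs.split(",") if a], scope or "base", flt

def dn_in_scope(dn, base, scope):
    """Apply base/one/sub scope the way the search in the URL would."""
    dn, base = dn.lower(), base.lower()
    if dn != base and not dn.endswith("," + base):
        return False
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn != base and "," not in dn[: -len(base) - 1]
    return True  # "sub": any entry at or below the base

def matches_filter(entry, flt):
    """Evaluate the single equality filter this setup uses: (attr=value)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, value = m.groups()
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def expand_member_of(url, groups=GROUPS):
    """memberOf values dynlist would present for this memberURL, computed at read time."""
    base, _attrs, scope, flt = parse_member_url(url)
    return sorted(dn for dn, e in groups.items()
                  if dn_in_scope(dn, base, scope) and matches_filter(e, flt))
```

Because the memberOf values are derived from the static group entries on every read, only the groups themselves need to replicate, which is the property that makes this safe where slapo-memberOf is not.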