[Date Prev][Date Next] [Chronological] [Thread] [Top]

two issues with dyngroups

Hello list.

I'm an happy users of dynlist overlay, in order to make my unix users members of their unix primary group:

# admins, groups, msr-inria.inria.fr
dn: cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr
objectClass: groupOfURLs
objectClass: posixGroup
gidNumber: 5000
memberURL: ldap:///ou=users,dc=msr-inria,dc=inria,dc=fr??sub?(gidNumber=5000)
cn: admins

With this configuration:
# dynamic groups
overlay dynlist
dynlist-attrset groupOfURLs memberURL member

However, I'm facing two issues here.

The first is that dynlist overlay only accept a single configuration directive for the whole base, preventing to map differently the request URL depending on the context. In my previous example, I need to map the URL as DN, because I'm dynamically building a group from users. If I wanted to build a group from other group, my URL would have been something as:

and the configuration directive would have been instead
dynlist-attrset groupOfURLs memberURL

It would be nice to handle the overlay differently there.

The second directive is that ACLs seems to ignore this dynamic group:
# admins
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break

This worked with a static group, it doesn't work anymore with a dynamic one as I just presented.

I'm using OpenLDAP 2.4.11. Should I open ITS for those issues ?
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62