On Sun, 2008-01-13 at 11:43 +0100, Michael Ströder wrote:
> Pierangelo Masarati wrote:
> > Michael Ströder wrote:
> >> Pierangelo Masarati wrote:
> >>> Michael Ströder wrote:
> >>>
> >>>>> Yes, slapo-memberof(5) does not consider the possibility of a subtree
> >>>>> rename, and thus takes no care of it.
> >>>> Would deploying slapo-refint be of help here?
> >>> Could be. Did you try, by chance?
> >> Hmm, does not work for me. Not sure about current state of HEAD and
> >> order of my overlay config. I also wonder about parameter memberof-refint.
> >> ------------------- snip -------------------
> >> Excerpt of slapd.conf:
> >>
> >> overlay memberof
> >> memberof-refint true
> >>
> >> # Referential integrity checking
> >> overlay refint
> >> refint_attributes member manager owner seeAlso roleOccupant
> >> refint_nothing cn=dummy
> >
> > Probably you should have also listed "memberOf" among the refint attrs;
>
> Ouch! It was late yesterday...
>
> Yes, it works as expected with memberOf also being handled by
> slapo-refint. But now I really wonder how it scales if there are
> thousands of members in a group which is renamed.

I can't seem to make it work for me, with the config file as attached.

I'm doing the subtree rename of
CN=ldaptestcontainer,DC=samba,DC=example,DC=com to
CN=ldaptestcontainer2,DC=samba,DC=example,DC=com

But I still see:

# record 55
dn: CN=ldaptestgroup2,CN=Users,DC=samba,DC=example,DC=com
member: cn=ldaptestuser,cn=useRs,dc=samba,dc=example,dc=com
member: cn=ldaptestcomputer,cn=computers,dc=samba,dc=example,dc=com
member: cn=ldaptestuser2,cn=users,dc=samba,dc=example,dc=com
*** member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com

slapd.conf and memberof.conf are attached.

Andrew Bartlett

-- 
Andrew Bartlett                          http://samba.org/~abartlet/
Authentication Developer, Samba Team     http://samba.org
Samba Developer, Red Hat Inc.            http://redhat.com

overlay refint
refint_attributes member msDS-ObjectReference serverReference hasMasterNCs siteObject msCOM-UserPartitionSetLink bridgeheadTransportList manager msDS-hasMasterNCs msDS-NonMembers managedBy queryPolicyObject nonSecurityMember

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-ObjectReference
memberof-memberof-ad msDS-ObjectReferenceBL
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad serverReference
memberof-memberof-ad serverReferenceBL
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad hasMasterNCs
memberof-memberof-ad masteredBy
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad siteObject
memberof-memberof-ad siteObjectBL
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msCOM-UserPartitionSetLink
memberof-memberof-ad msCOM-UserLink
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad bridgeheadTransportList
memberof-memberof-ad bridgeheadServerListBL
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad manager
memberof-memberof-ad directReports
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-hasMasterNCs
memberof-memberof-ad msDs-masteredBy
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-NonMembers
memberof-memberof-ad msDS-NonMembersBL
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad managedBy
memberof-memberof-ad managedObjects
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad queryPolicyObject
memberof-memberof-ad queryPolicyBL
memberof-dangling-error 32

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad nonSecurityMember
memberof-memberof-ad nonSecurityMemberBL
memberof-dangling-error 32

loglevel 0
include /home/data/samba/git/samba/source/st/dc/private/ldap/backend-schema.schema
pidfile /home/data/samba/git/samba/source/st/dc/private/ldap/slapd.pid
argsfile /home/data/samba/git/samba/source/st/dc/private/ldap/slapd.args
sasl-realm samba.example.com
access to * by * write
allow update_anon
authz-regexp
          uid=([^,]*),cn=samba.example.com,cn=digest-md5,cn=auth
          ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)
authz-regexp
          uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
          ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)
include /home/data/samba/git/samba/source/st/dc/private/ldap/modules.conf
defaultsearchbase DC=samba,DC=example,DC=com
include /home/data/samba/git/samba/source/st/dc/private/ldap/memberof.conf
database hdb
suffix CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
directory /home/data/samba/git/samba/source/st/dc/private/ldap/db/schema
index objectClass eq
index samAccountName eq
index name eq
index objectCategory eq
index lDAPDisplayName eq
index subClassOf eq
index cn eq
database hdb
suffix CN=Configuration,DC=samba,DC=example,DC=com
directory /home/data/samba/git/samba/source/st/dc/private/ldap/db/config
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index nCName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
database hdb
suffix DC=samba,DC=example,DC=com
rootdn cn=Manager,DC=samba,DC=example,DC=com
rootpw localdcpass
directory /home/data/samba/git/samba/source/st/dc/private/ldap/db/user
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index member eq
index uidNumber eq
index gidNumber eq
index unixName eq
index privilege eq
index nCName eq
index lDAPDisplayName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
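
The check suggested in the quoted reply (list "memberOf" among the refint attrs), written as a config lint. This is an added example, not part of the original message or of OpenLDAP; it goes beyond the one case in the thread by checking every memberof stanza's forward and back-link attribute. It assumes the slapo-memberof defaults member/memberOf, treats the whole file as one scope, and does not follow include lines; the function names and sample config are constructed for illustration.

```python
# slapo-memberof(5) defaults when a stanza does not set these directives.
DEFAULTS = {"memberof-member-ad": "member", "memberof-memberof-ad": "memberOf"}

# Constructed sample, modelled on the slapd.conf excerpt quoted in the thread.
BEFORE = """\
overlay memberof
memberof-refint true

# Referential integrity checking
overlay refint
refint_attributes member manager owner seeAlso roleOccupant
refint_nothing cn=dummy
"""
# The same excerpt with memberOf added to the refint attribute list.
AFTER = BEFORE.replace("roleOccupant", "roleOccupant memberOf")

def logical_lines(text):
    """Drop comments and blanks; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def unmaintained_attrs(text):
    """Return memberof forward/back-link attributes missing from refint_attributes."""
    refint, stanzas, current = set(), [], None
    for line in logical_lines(text):
        key, *args = line.split()
        key = key.lower()
        if key in ("database", "overlay"):
            # A new database or overlay line ends the previous overlay's directives.
            current = args[0].lower() if key == "overlay" and args else None
            if current == "memberof":
                stanzas.append(dict(DEFAULTS))
        elif current == "refint" and key == "refint_attributes":
            refint.update(a.lower() for a in args)
        elif current == "memberof" and key in DEFAULTS and args:
            stanzas[-1][key] = args[0]
    wanted = [a for s in stanzas for a in s.values()]
    # Attribute names are case-insensitive; report each missing one once.
    return [a for i, a in enumerate(wanted)
            if a.lower() not in refint and a not in wanted[:i]]

if __name__ == "__main__":
    print("before:", unmaintained_attrs(BEFORE))
    print("after: ", unmaintained_attrs(AFTER))
```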