
Re: Alias dereferencing



Ryan Steele wrote:
I'm trying to implement some aliases for several groups in my directory to provide a bit of aesthetics for a few
applications that leverage the OpenLDAP users and groups.  However, I seem to be running into a little trouble, perhaps
because I'm expecting alias dereferencing to do something it wasn't really designed to do.  For reference, this is
2.4.21, but I was able to test on a 2.4.23 database with the same results.  I'm using the autogroup module as well for
some pseudo-static dynamic groups.  Consider the following basic DIT and abbreviated set of entries (abbreviated entries
denoted by '...'):

Your problem has nothing to do with alias dereferencing.

dn: cn=sysadmins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
objectClass: posixGroup
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomEmployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
...

dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
cn: Systems Admins
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com

When I initiate an ldapsearch and choose not to dereference, I see what I expect:

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a never -b dc=example,dc=com cn=Systems\ Administrators
dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
cn: Systems Administrators


However, when I do choose to dereference, nothing is returned:

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a find -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#

Clearly the result you got is correct.

I can only obtain the expected results if I set the search base to the *specific* entry I'm looking to dereference:

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b cn=Systems\ Administrators,ou=Groups,dc=example,dc=com
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
ou: Groups
gidNumber: 4001
cn: sysadmins
objectClass: groupOfURLs
objectClass: top
objectClass: posixGroup
description: The sysadmin team members
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomE
  mployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com


I find it hard to believe that setting the search base to the alias entry is the only way which one may reference the
alias entry

And that is clearly not the case, in fact.

Your last search is not equivalent to your previous searches, because the last time you omitted the **SEARCH FILTER**.

Think about it.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
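
The point about the search filter can be reproduced with a small model. This is an added example, not part of the original message and not OpenLDAP code. It assumes a toy in-memory directory built from the quoted entries, equality filters only, DNs compared as plain strings, and it models only `-a never` and `-a always`:

```python
# Constructed toy directory modelled on the entries quoted in the thread.
BASE = "dc=example,dc=com"
TARGET = "cn=sysadmins,ou=Groups," + BASE
ALIAS = "cn=Systems Administrators,ou=Groups," + BASE
DIT = {
    BASE: {"objectClass": ["domain"], "dc": ["example"]},
    "ou=Groups," + BASE: {"objectClass": ["organizationalUnit"], "ou": ["Groups"]},
    TARGET: {"objectClass": ["top", "groupOfURLs", "posixGroup"], "cn": ["sysadmins"]},
    ALIAS: {"objectClass": ["alias", "extensibleObject"],
            "cn": ["Systems Administrators"], "aliasedObjectName": [TARGET]},
}

def is_alias(dn):
    return "alias" in DIT[dn]["objectClass"]

def resolve(dn):
    """Follow aliasedObjectName until a non-alias entry is reached."""
    seen = set()
    while is_alias(dn):
        if dn in seen:
            raise ValueError("alias loop at " + dn)
        seen.add(dn)
        dn = DIT[dn]["aliasedObjectName"][0]
    return dn

def matches(dn, flt):
    """flt is an (attr, value) equality test; None is ldapsearch's default (objectClass=*)."""
    if flt is None:
        return True
    attr, value = flt
    return any(v.lower() == value.lower() for v in DIT[dn].get(attr, []))

def search(base, deref, flt=None):
    """Subtree search with deref 'never' or 'always'; returns the matching DNs, sorted."""
    pending = [resolve(base) if deref == "always" else base]
    visited, hits = set(), set()
    while pending:
        root = pending.pop()
        if root in visited:
            continue
        visited.add(root)
        for dn in DIT:
            if dn != root and not dn.endswith("," + root):
                continue                      # outside this subtree
            if deref == "always" and is_alias(dn):
                pending.append(resolve(dn))   # the target is searched instead
                continue                      # the alias itself is never tested
            if matches(dn, flt):
                hits.add(dn)
    return sorted(hits)
```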