
Dynamic Group overlay with ldapsearch for uniquemember oddity



Hi list,

I'm trying to use the dyngroup overlay for dynamic group memberships,
therefore I have the following slapd.conf settings:
# Dynlist overlay to dynamically add members to groups through memberURLs

overlay dynlist
dynlist-attrset         extensibleObject memberURL uniqueMember

Then I have the following person and group entries in my directory:
dn: uid=root,ou=Tomcat_Users,dc=o2online,dc=de
userPassword: <xxx>
description: Tomcat Manager User
sn: root
cn: root
uid: root
objectClass: person
objectClass: uidObject
objectClass: top

dn: cn=manager,ou=Tomcat_Roles,dc=o2online,dc=de
uniqueMember: cn=avoids,dc=schemaviolation
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de
cn: manager
objectClass: groupOfUniqueNames
objectClass: extensibleObject
objectClass: top
memberURL: ldap:///ou=Tomcat_Users,dc=o2online,dc=de??one?(uid=root)

dn: cn=admin,ou=Tomcat_Roles,dc=o2online,dc=de
cn: admin
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de

As you can see the admin and manager groups have both the uid=root user as 
a uniqueMember, once statically, once dynamically.

Issuing the following ldapsearch I'd expect it to return both group entries:
ldapsearch -b "ou=Tomcat_Roles,dc=o2online,dc=de" -D "<rootdn>" -H ldap://<ip> -WxZZLLL "(uniqueMember=uid=root,ou=tomcat_users,dc=o2online,dc=de)"
Enter LDAP Password: 
dn: cn=admin,ou=Tomcat_Roles,dc=o2online,dc=de
cn: admin
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=root,ou=Tomcat_Users,dc=o2online,dc=de

As you can see it only returns the admin group where the member was set
statically. It's clearly no ACL issue since I used the rootdn to bind.
I don't think this behavior is entirely correct, because an
ldapcompare for uniquemember: uid=root... works perfectly fine.
Regrettably Tomcat issues searches in the form of the above ldapsearch
command instead of ldapcompare and I'd love to use authentication there
with dynamic groups to minimize administration time.

Any suggestions?

Thanks and kind regards,
Michael Heep
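The following is an added illustration, not code from the post or from OpenLDAP: a small Python model of the directory above that evaluates the posted search filter once against the attribute values as stored and once against the entries after memberURL expansion (what slapo-dynlist adds when an entry is read). It assumes a simplified distinguishedNameMatch (case-insensitive, whitespace after commas ignored) and supports only single equality filters; the entries are copied from the post with the password and a few attributes omitted.

```python
import re

# Constructed sample directory, copied from the entries in the post (subset of attributes).
# The manager group stores only its placeholder member; uid=root is expected via memberURL.
ENTRIES = {
    "uid=root,ou=Tomcat_Users,dc=o2online,dc=de": {
        "objectClass": ["person", "uidObject", "top"], "uid": ["root"], "cn": ["root"]},
    "cn=manager,ou=Tomcat_Roles,dc=o2online,dc=de": {
        "objectClass": ["groupOfUniqueNames", "extensibleObject", "top"], "cn": ["manager"],
        "uniqueMember": ["cn=avoids,dc=schemaviolation"],
        "memberURL": ["ldap:///ou=Tomcat_Users,dc=o2online,dc=de??one?(uid=root)"]},
    "cn=admin,ou=Tomcat_Roles,dc=o2online,dc=de": {
        "objectClass": ["groupOfUniqueNames", "top"], "cn": ["admin"],
        "uniqueMember": ["uid=root,ou=Tomcat_Users,dc=o2online,dc=de"]},
}

def norm_dn(dn):
    """Simplified distinguishedNameMatch form: case-insensitive, no space after commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516 layout) into its four parts."""
    _, _, rest = url.partition("://")
    _, _, tail = rest.partition("/")            # drop the (empty) host part
    parts = (tail.split("?") + ["", "", ""])[:4]
    return parts[0], parts[1], parts[2] or "base", parts[3] or "(objectClass=*)"

def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base": return dn == base
    if scope == "one": return dn.partition(",")[2] == base   # direct children only
    return dn == base or dn.endswith("," + base)              # sub

def matches(entry, filt):
    """Evaluate one equality filter such as (uid=root) or (uniqueMember=<dn>)."""
    attr, val = re.fullmatch(r"\((\w+)=(.+)\)", filt).groups()
    have = [norm_dn(v) for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return norm_dn(val) in have

def expand_dynlist(dn, entry):
    """Model of the overlay's read-time expansion: add every entry each memberURL selects."""
    out = {k: list(v) for k, v in entry.items()}
    for url in entry.get("memberURL", []):
        base, _, scope, filt = parse_ldap_url(url)
        out.setdefault("uniqueMember", []).extend(
            d for d, e in ENTRIES.items() if in_scope(d, base, scope) and matches(e, filt))
    return out

def search(base, filt, scope="one", dynamic=False):
    """DNs under base matching filt, tested against stored or against expanded values."""
    return [dn for dn, e in ENTRIES.items() if in_scope(dn, base, scope)
            and matches(expand_dynlist(dn, e) if dynamic else e, filt)]
```

With the filter from the post, `search("ou=Tomcat_Roles,dc=o2online,dc=de", "(uniqueMember=uid=root,ou=tomcat_users,dc=o2online,dc=de)")` returns only the admin group, and the same call with `dynamic=True` returns manager as well, which is the gap between the two evaluation points that the observed ldapsearch output reflects.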