
slapo-dynlist search member=value search?



Hi!

From reading the FAQ entry on dynlist (http://www.openldap.org/faq/data/cache/1209.html) it would seem that dynlist with member DN expansion lets me operate in two directions:

  1. have an attribute dynamically expanded (e.g. for mapping a group
     to its members), e.g. '(cn=somedynamicgroup)' -> { member:
     uid=someuser,ou=People,o=SomeOrg, member:
     uid=otheruser,ou=People,o=SomeOrg }
  2. search for dynamic objects whose dynamic attribute expands to a
     given DN (e.g. for locating all groups a given user is a member
     of), e.g. '(member=uid=someuser,ou=People,o=SomeOrg)' -> { dn:
     cn=somedynamicgroup,ou=Groups,o=MyOrg, dn:
     cn=somestaticgroup,ou=Groups,o=MyOrg }

To be specific, this fragment in the FAQ describes it:

--- SNIP ---

dynlist-attrset  groupOfURLs memberURL member

it behaves much like the dyngroup overlay; the <attrs> portion of the URI must be absent, and the DN of the entries resulting from the search is added as value of the member attribute defined above.
For compare operations on the member attribute, all the values of the memberURL attribute of groupOfURLs objects are compared until a match is found; this exploits slapd group caching capabilities.
--- SNIP ---


Also, the slapo-dynlist manual states:

--- SNIP ---
Compares that assert the value of the <member-ad> attribute of entries with <group-oc> objectClass apply as if the DN of the entries resulting from the expansion of the URI were present in the <group-oc> entry as values of the <member-ad> attribute.
--- SNIP ---


I have the following configuration:

--- fragment of BDB instance config ---
index member  eq,pres

overlay                 dynlist
dynlist-attrset  groupOfURLs memberURL member
--- end fragment of BDB instance config ---

The member expansion works:


ldapsearch -b 'o=MyOrg' -x -D 'cn=Manager,o=MyOrg' -H 'ldap://localhost' -y ~/ldappass 'cn=somedynamicgroup'


....
member: uid=someuser,ou=People,o=SomeOrg
member: uid=otheruser,ou=People,o=SomeOrg
...


But searching for groups a user is a member of doesn't work for dynamic groups:


ldapsearch -b 'o=MyOrg' -x -D 'cn=Manager,o=MyOrg' -H 'ldap://localhost' -y ~/ldappass 'member=uid=someuser,ou=People,o=SomeOrg'

dn: cn=somestaticgroup,ou=Groups,o=SomeOrg
....

As a result no dynamic groups are found, only static ones.

Am I missing something in the configuration?

--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575 http://olo.org.pl


--
Aleksander Adamowski
Corporate Systems Administrator; Instructor
Altkom Akademia S.A. http://www.altkom.pl
Warszawa, ul. Chłodna 51
mobile 0-601-318-080


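The compare behaviour quoted from the FAQ above (each memberURL value of a groupOfURLs entry is tried until one matches) can be modelled on the client side to answer the reverse question "which groups contain this DN?". This is an added example, not part of the original post and not OpenLDAP code; the memberURL value, the sample entries and all helper names are assumptions, and only simple equality and presence filters are evaluated.

```python
import re
from urllib.parse import urlsplit, unquote

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter)."""
    parts = urlsplit(url)
    base = unquote(parts.path.lstrip("/"))
    attrs, scope, flt = ([unquote(f) for f in parts.query.split("?")] + ["", "", ""])[:3]
    if attrs:  # per the FAQ fragment, <attrs> must be absent for member expansion
        raise ValueError("memberURL lists attributes: " + url)
    return base, scope or "base", flt or "(objectClass=*)"

def norm(dn):
    # Simplified DN normalisation: ignores escaped commas and multi-valued RDNs.
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_scope(dn, base, scope):
    dn, base = norm(dn), norm(base)
    if dn == base:
        return scope in ("base", "sub")
    rest = dn[: -len(base) - 1] if dn.endswith("," + base) else None
    return rest is not None and (scope == "sub" or (scope == "one" and "," not in rest))

def matches(entry, flt):
    # Only (attr=value) and (attr=*) are evaluated; other filters are refused, not guessed.
    m = re.fullmatch(r"\(([\w-]+)=([^()*]+|\*)\)", flt)
    if not m:
        raise NotImplementedError(flt)
    values = [v.lower() for v in entry.get(m.group(1).lower(), [])]
    return bool(values) if m.group(2) == "*" else m.group(2).lower() in values

def groups_for(user_dn, user_entry, groups):
    """DNs of groups listing user_dn statically or via a memberURL (first match wins)."""
    def is_member(g):
        if any(norm(m) == norm(user_dn) for m in g.get("member", [])):
            return True
        return any(in_scope(user_dn, b, s) and matches(user_entry, f)
                   for b, s, f in map(parse_member_url, g.get("memberurl", [])))
    return [dn for dn, g in groups.items() if is_member(g)]

# Constructed sample data: DNs follow the post, the memberURL value is an assumption.
USER_DN = "uid=someuser,ou=People,o=SomeOrg"
USER = {"objectclass": ["person"], "uid": ["someuser"]}
GROUPS = {
    "cn=somedynamicgroup,ou=Groups,o=MyOrg": {
        "memberurl": ["ldap:///ou=People,o=SomeOrg??sub?(objectClass=person)"]},
    "cn=somestaticgroup,ou=Groups,o=MyOrg": {"member": [USER_DN]},
}

print(groups_for(USER_DN, USER, GROUPS))
```

In a real deployment the group entries and the user's attributes would be fetched with an ordinary search first, and anything that grants access on the result should treat an unparsed filter as "not a member" rather than guessing.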