
Re: two issues with dyngroups



Guillaume Rousse wrote:
Hello list.

I'm a happy user of the dynlist overlay, which I use to make my unix users members of their unix primary group:

# admins, groups, msr-inria.inria.fr
dn: cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr
objectClass: groupOfURLs
objectClass: posixGroup
gidNumber: 5000
memberURL: ldap:///ou=users,dc=msr-inria,dc=inria,dc=fr??sub?(gidNumber=5000)
cn: admins


With this configuration:
# dynamic groups
overlay dynlist
dynlist-attrset groupOfURLs memberURL member

However, I'm facing two issues here.

The first is that the dynlist overlay only accepts a single configuration directive for the whole base, which prevents mapping the request URL differently depending on the context. In my previous example, I need to map the URL as a DN, because I'm dynamically building a group from users. If I wanted to build a group from another group, my URL would have been something like:
ldap:///ou=group,dc=msr-inria,dc=inria,dc=fr?member?sub?(cn=users)


and the configuration directive would have been instead
dynlist-attrset groupOfURLs memberURL

It would be nice to handle the overlay differently there.

The second issue is that ACLs seem to ignore this dynamic group:
# admins
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break

Try

access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
     by group/groupOfURLs/memberURL="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
     by * break

(please excuse any unintended line wrapping).

This worked with a static group; it doesn't work anymore with a dynamic one, as I just presented.

I'm using OpenLDAP 2.4.11. Should I open an ITS for those issues?

Issue #2 should be fixed by the above rule. I suggest you file a request for enhancement for issue #1, consisting of adding an (optional) URI to each dynlist-attrset that allows restricting the application of the attrset to the dynamic group entries matching the base, scope and filter of the URI (if present).

The configuration would become something like

dynlist-attrset <group-oc> <URL-ad>
        [ ldap:///base??scope?filter ]
        [[<mapped-ad>:]<member-ad> ...]

and, in your case, you would need something like

overlay dynlist
dynlist-attrset groupOfURLs memberURL
        ldap:///cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr??base
        member
dynlist-attrset groupOfURLs memberURL
        ldap:///cn=users,ou=groups,dc=msr-inria,dc=inria,dc=fr??base

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
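The following is an added example written for this thread; it is not OpenLDAP code and it does not talk to a directory. It is a small in-memory model of what the dynlist overlay does with a groupOfURLs entry: it parses the memberURL values from the thread, expands them either in "URL as DN" mode (the `member` mapped attribute) or in "URL as attribute" mode (the attribute list in the URL), applies the optional restricting URI from the proposed `dynlist-attrset` syntax, and shows why a plain `by group=` ACL clause, which reads the stored `member` attribute, matches nobody on a dynamic group while the `group/groupOfURLs/memberURL` form does. The user entries (uid=alice, bob, carol, dave) and the static group cn=staff are constructed for the example and do not appear in the thread; the filter evaluator only handles a single equality or presence assertion.

```python
"""Model of OpenLDAP dynlist expansion and group ACL matching.

Added example for this thread, not OpenLDAP's own code: it mimics how the
dynlist overlay turns a groupOfURLs entry's memberURL values into members,
why one dynlist-attrset cannot serve both "URL as DN" and "URL as attribute"
groups, and why a plain `by group=` ACL matches nobody on a dynamic group.
"""
from urllib.parse import unquote

BASE = "dc=msr-inria,dc=inria,dc=fr"
ADMINS = "cn=admins,ou=groups," + BASE
USERS = "cn=users,ou=groups," + BASE
STAFF = "cn=staff,ou=groups," + BASE  # constructed static group, not in the thread
ALICE, BOB, CAROL, DAVE = ("uid=%s,ou=users,%s" % (u, BASE)
                           for u in ("alice", "bob", "carol", "dave"))

# Constructed directory; the user entries and cn=staff are assumptions.
DIRECTORY = {
    ALICE: {"objectClass": ["posixAccount"], "gidNumber": ["5000"]},
    BOB: {"objectClass": ["posixAccount"], "gidNumber": ["5000"]},
    CAROL: {"objectClass": ["posixAccount"], "gidNumber": ["5001"]},
    DAVE: {"objectClass": ["posixAccount"], "gidNumber": ["5001"]},
    STAFF: {"objectClass": ["groupOfNames"], "cn": ["staff"], "member": [CAROL, DAVE]},
    ADMINS: {"objectClass": ["groupOfURLs", "posixGroup"], "cn": ["admins"],
             "gidNumber": ["5000"],
             "memberURL": ["ldap:///ou=users,%s??sub?(gidNumber=5000)" % BASE]},
    USERS: {"objectClass": ["groupOfURLs"], "cn": ["users"],
            "memberURL": ["ldap:///ou=groups,%s?member?sub?(cn=staff)" % BASE]},
}


def parse_ldap_url(url):
    """Split an RFC 4516 URL of the form ldap:///base?attrs?scope?filter."""
    assert url.startswith("ldap:///"), url
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = (unquote(p) for p in parts[:4])
    return {"base": base.lower(), "attrs": [a for a in attrs.split(",") if a],
            "scope": scope.lower() or "base", "filter": filt or "(objectClass=*)"}


def _get(entry, attr):
    """Case-insensitive attribute lookup (LDAP attribute names are)."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _in_scope(dn, base, scope):
    dn = dn.lower()  # simplified: no escaped commas in RDNs
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)  # sub


def _matches(entry, filt):
    """Evaluate one equality or presence assertion, e.g. (gidNumber=5000)."""
    attr, _, value = filt.strip("()").partition("=")
    values = _get(entry, attr)
    return bool(values) if value == "*" else value.lower() in (v.lower() for v in values)


def search(directory, url):
    """Return the (dn, entry) pairs a memberURL selects."""
    u = parse_ldap_url(url)
    return [(dn, e) for dn, e in directory.items()
            if _in_scope(dn, u["base"], u["scope"]) and _matches(e, u["filter"])]


def expand_dynamic_group(group_dn, attrsets, directory):
    """Return the attributes dynlist would add to group_dn.

    attrsets: (group_oc, url_ad, restrict_uri_or_None, member_ad_or_None), i.e.
    the proposed `dynlist-attrset <oc> <url-ad> [uri] [member-ad]` syntax.
    """
    entry, added = directory[group_dn], {}
    for group_oc, url_ad, restrict, member_ad in attrsets:
        if group_oc.lower() not in (oc.lower() for oc in _get(entry, "objectClass")):
            continue
        # Proposed extension: apply only if the group entry itself matches the URI.
        if restrict and group_dn not in [d for d, _ in search(directory, restrict)]:
            continue
        for url in _get(entry, url_ad):
            for dn, e in search(directory, url):
                if member_ad:  # URL as DN: matched DNs become member values
                    added.setdefault(member_ad, []).append(dn)
                else:          # URL as attribute: copy the listed attributes
                    for a in parse_ldap_url(url)["attrs"]:
                        added.setdefault(a, []).extend(_get(e, a))
    return added


def acl_group_grants(spec, group_dn, subject_dn, directory):
    """Model `by group=` (stored member values) vs `by group/<oc>/<url-ad>=`."""
    entry = directory[group_dn]
    if spec == "group":  # static form: nothing stored on a dynamic group, so no match
        return subject_dn.lower() in (m.lower() for m in _get(entry, "member"))
    _, oc, url_ad = spec.split("/")
    if oc.lower() not in (o.lower() for o in _get(entry, "objectClass")):
        return False
    return any(subject_dn.lower() == dn.lower()
               for url in _get(entry, url_ad) for dn, _ in search(directory, url))


# Today's syntax: one attrset for the whole database, every group in DN mode.
SINGLE_ATTRSET = [("groupOfURLs", "memberURL", None, "member")]
# Proposed syntax from the reply: admins in DN mode, users in attribute mode.
PROPOSED_ATTRSETS = [("groupOfURLs", "memberURL", "ldap:///%s??base" % ADMINS, "member"),
                     ("groupOfURLs", "memberURL", "ldap:///%s??base" % USERS, None)]

if __name__ == "__main__":
    for name, sets in (("single", SINGLE_ATTRSET), ("proposed", PROPOSED_ATTRSETS)):
        for g in (ADMINS, USERS):
            print(name, g, expand_dynamic_group(g, sets, DIRECTORY))
    for spec in ("group", "group/groupOfURLs/memberURL"):
        print(spec, "grants alice:", acl_group_grants(spec, ADMINS, ALICE, DIRECTORY))
```

With the single attrset, cn=users ends up with the DN of cn=staff as its only member instead of staff's members, which is issue #1 in miniature; with the proposed per-attrset URI each group is expanded in the mode it needs. The ACL half shows the failure mode to watch for: the static `by group=` clause silently grants nothing on a dynamic group rather than erroring, so a misconfigured ACL fails closed but unnoticed.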