
Re: Subtree renames and memberOf handling



Andrew Bartlett wrote:
> On Fri, 2008-01-11 at 17:51 +0100, Pierangelo Masarati wrote:
>> Andrew Bartlett wrote:
>>> I perhaps should have flagged this earlier, but I wanted to actually
>>> have the test to prove it.
>> [snip]
>>
>>> The 'member' attribute on the group is wrong, most likely because such a
>>> subtree rename would never cause the memberOf module to fire and notice
>>> that this needs updating.
>> Yes, slapo-memberof(5) does not consider the possibility of a subtree
>> rename, and thus takes no care of it.  I believe at the time it was
>> implemented, this was not possible (in back-hdb), or not feasible (given
>> the impossibility to search portions of a DN-valued attribute):
>> slapo-memberof(5) was added to OpenLDAP sources August 2007, but
>> initially implemented for OpenLDAP 2.2.
>>
>> I think this change should be relatively easy right now, as a DN-valued attribute
>> can be searched with the dnSubtreeMatch rule to detect whether any
>> member/memberOf values need to be modified.
>>
>> Please submit an ITS...
> 
> 
> I've tried to, but I just get:
> 
> OpenLDAP
> The system encountered a fatal error
> 
> After command: MAIL FROM: <abartlet@samba.org>
> 
> Received: 451 4.1.8 Domain of sender address abartlet@samba.org does not resolve

Aside from that problem, it appears that by stacking slapo-memberof and
slapo-refint you should get the desired effect.  I think this needs
quite a bit of testing, in case of unexpected cross-effects.

p.




Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
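
The check described in the thread (finding member/memberOf values that still point under a renamed subtree, in the spirit of dnSubtreeMatch), as an added sketch that is not OpenLDAP code and not part of the original messages. The DN handling is simplified, and the function names, base DNs and sample entries are constructed for illustration.

```python
import re

_RDN_SEP = re.compile(r'(?<!\\),')  # comma not preceded by a backslash

def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs. Simplified: case-insensitive
    compare, no multi-valued RDNs or hex escapes (assumption for this sketch)."""
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        attr, _, value = rdn.strip().partition('=')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_subtree(dn, base):
    """dnSubtreeMatch-style test: dn equals base or is subordinate to it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def rebase(dn, old_base, new_base):
    """Swap the old_base suffix of dn for new_base, keeping the leading RDNs."""
    keep = len(split_dn(dn)) - len(split_dn(old_base))
    lead = [r.strip() for r in _RDN_SEP.split(dn)[:keep]]
    return ','.join(lead + [new_base])

def stale_references(entries, old_base, new_base, attrs=('member', 'memberof')):
    """List (entry_dn, attr, stale_value, fixed_value) for every member/memberOf
    value that still points under old_base after the subtree was renamed."""
    fixes = []
    for entry_dn, attributes in entries.items():
        for attr, values in attributes.items():
            if attr.lower() not in attrs:
                continue
            for value in values:
                if in_subtree(value, old_base):
                    fixes.append((entry_dn, attr, value,
                                  rebase(value, old_base, new_base)))
    return fixes

# Constructed sample: ou=People was renamed to ou=Staff; the group was not updated.
OLD_BASE = "ou=People,dc=example,dc=com"
NEW_BASE = "ou=Staff,dc=example,dc=com"
ENTRIES = {
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=People,dc=example,dc=com",
                   "uid=bob,ou=Contractors,dc=example,dc=com"]},
    "uid=alice,ou=Staff,dc=example,dc=com": {
        "memberOf": ["cn=admins,ou=Groups,dc=example,dc=com"]},
}
```

Running `stale_references(ENTRIES, OLD_BASE, NEW_BASE)` over an export of the directory after a subtree rename lists the group memberships that no longer resolve to a real entry.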