Re: Dynamic list overlay and search filters
> Maybe I'm just being delusional in thinking that this should work... I'm
> running OpenLDAP 2.4.23 on IBM AIX for authentication on a variety of AIX,
> Linux and web applications.
>
> As we need to use both Posixgroup and groupOfNames objects with the same
> membership, the dynamic list overlay seems like an ideal approach. This
> configuration appeared to work fine for our linux hosts and web
> applications, but not so well for our AIX hosts:
>
> In slapd.conf:
> overlay dynlist
> dynlist-attrset posixGroup labeledURI memberUid:uid
>
> Ldap object:
> dn: cn=testgroup,cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us
> cn: testgroup
> objectClass: top
> objectClass: posixGroup
> objectClass: labeledURIObject
> gidNumber: 1000
> labeledURI:
> ldap:///ou=unix,st=or,c=us?uid?sub?(memberof=cn=testgroup,ou=unix,ou=groups,
> ou=unix,st=or,c=us)
> memberUid: chogensen
> memberUid: jbagley
>
> However, the AIX hosts do a search for '(memberUid=jbagley)' to determine
> group membership and the ldap server does not return the above object.
> I'm guessing that I was wrong in assuming the overlay would handle this
> type of application and that I will have to find another way. Anyone have
> any helpful tips? Advice? Condolences if I now have to manage twice as many
> group objects?
Dynamic groups expanded by dynlist cannot be searched by filtering on
dynamic members. You may want to look at autogroup (in
contrib/slapd-modules/autogroup/), which works according to a totally
different logic.
p.
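
The behaviour described in the reply, as an added example that is not part of the original thread and is not slapd code: a simplified Python model in which the filter is tested against the stored entry and generated values are attached only afterwards, compared with membership stored in the entry itself. It assumes the memberUid values shown in the question were generated by dynlist rather than stored; the user entries, their memberOf values and all function names are constructed for illustration.

```python
# Simplified model (not slapd code): the search filter is tested against the
# stored entry; generated values are added only to entries already selected.

GROUP_DN = "cn=testgroup,ou=unix,ou=groups,ou=unix,st=or,c=us"

# Constructed user entries; the memberOf values are assumed for illustration.
USERS = [
    {"uid": "chogensen", "memberOf": [GROUP_DN]},
    {"uid": "jbagley", "memberOf": [GROUP_DN]},
    {"uid": "other", "memberOf": []},
]

# Stored group entry as assumed here: no memberUid on disk.
STORED_GROUP = {
    "cn": ["testgroup"],
    "objectClass": ["top", "posixGroup", "labeledURIObject"],
    "gidNumber": ["1000"],
}


def expand_members(users, group_dn):
    """Stand-in for evaluating the labeledURI: uid of users in group_dn."""
    return [u["uid"] for u in users if group_dn in u["memberOf"]]


def matches(entry, attr, value):
    """Equality filter (attr=value) against one entry's attribute values."""
    return value in entry.get(attr, [])


def dynamic_search(attr, value):
    """Filter on the stored entry first, then expand what was selected."""
    if not matches(STORED_GROUP, attr, value):
        return []
    entry = dict(STORED_GROUP)
    entry["memberUid"] = expand_members(USERS, GROUP_DN)
    return [entry]


def stored_search(attr, value):
    """Membership written into the entry ahead of time, then filtered."""
    entry = dict(STORED_GROUP)
    entry["memberUid"] = expand_members(USERS, GROUP_DN)
    return [entry] if matches(entry, attr, value) else []


if __name__ == "__main__":
    print("dynamic, (memberUid=jbagley):", dynamic_search("memberUid", "jbagley"))
    print("dynamic, (cn=testgroup):", dynamic_search("cn", "testgroup"))
    print("stored,  (memberUid=jbagley):", stored_search("memberUid", "jbagley"))
```

In this model a client that resolves groups with (memberUid=...) gets an empty result from the dynamic group, so any access decision tied to that group silently does not apply on that host.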