Re: (ITS#6970) OpenLDAP 2.4.25 MemberOf + AutoGroup user has stale "memberof" attributes for target group after removal from trigger group
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6970) OpenLDAP 2.4.25 MemberOf + AutoGroup user has stale "memberof" attributes for target group after removal from trigger group
- From: ryan@nardis.ca
- Date: Sat, 19 Jul 2014 04:27:31 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
As I understand it, Gerry's use case is: we have some groups, we want
an autogroup containing the union of their members, and we want
memberOf to accurately reflect both the manual and automatic group
memberships. I think that's a reasonable thing to want; especially
since the memberOf part is impossible with dynlist.
Config for these tests: dyngroup schema with groupOfURLs modified to
allow 'member' as per autogroup README, plus:
dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcMemberOfGroupOC: groupOfURLs

dn: olcOverlay={2}autogroup,olcDatabase={1}mdb,cn=config
objectClass: olcAutomaticGroups
olcAGattrSet: groupOfURLs memberURL member
On Wed, Jun 4, 2014 at 12:24 PM, Ryan Tandy <ryan@nardis.ca> wrote:
> Adding a new entry that triggers an autogroup member to be added: I
> don't get a crash or deadlock, but the new entry doesn't have a
> memberOf attribute. It looks like the internal Modify adding the
> member happens before the Add completes, so memberof tries to add
> memberOf to an entry that doesn't exist yet.
slapadd:
dn: cn=autogroup,dc=example,dc=com
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??one?(objectClass=account)
and then ldapadd:
dn: uid=user,dc=example,dc=com
objectClass: account
uid: user
The new entry doesn't gain a memberOf attr as expected.
> Changing autogroup to trigger on an alteration to an existing entry,
> for example addition of a specific attribute or auxiliary objectClass:
> with mdb this works and the memberOf attribute is added; with hdb I
> get the same deadlock Landry Breuil already reported. Looks like a
> recursive deadlock on the same thread.
slapadd:
dn: cn=autogroup,dc=example,dc=com
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??one?(objectClass=extensibleObject)

dn: uid=user,dc=example,dc=com
objectClass: account
and then ldapmodify:
dn: uid=user,dc=example,dc=com
add: objectClass
objectClass: extensibleObject
under mdb, works as expected.
under hdb, deadlock.
> I think those problems are both different from the one this ITS is
> about, though. Maybe they should be filed separately.
>
> I also confirmed the problem originally reported on current git master
I came up with two ways to do this. I don't know which one Gerry used.
You can use the same config as above and have autogroup expand attr
values. The initial LDIF is:
dn: cn=autogroup,dc=example,dc=com
objectClass: groupOfURLs
memberURL: ldap:///cn=staticgroup,dc=example,dc=com?member?base?(objectClass=*)

dn: cn=staticgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=dummy

dn: uid=user,dc=example,dc=com
objectClass: account
(You can't re-use groupOfURLs for the static group because autogroup
blocks manual changes to its members.)
Then ldapmodify:
dn: cn=staticgroup,dc=example,dc=com
add: member
member: uid=user,dc=example,dc=com

dn: cn=staticgroup,dc=example,dc=com
delete: member
member: uid=user,dc=example,dc=com
Alternatively you can make autogroup search by memberOf. For that you need
olcMemberOfGroupOC: groupOfNames
(instead of GroupOfURLs). Then you do the same slapadd and ldapmodify,
except with
memberURL: ldap:///dc=example,dc=com??one?(memberOf=cn=staticgroup,dc=example,dc=com)
AFAICT both approaches work (personally I prefer the first...), but
memberOf is only applied to a single OC. If you want it for both, you
might try the same thing with a second memberof instance, like this:
dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcMemberOfGroupOC: groupOfURLs

dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcMemberOfGroupOC: groupOfNames

dn: olcOverlay={3}autogroup,olcDatabase={1}mdb,cn=config
objectClass: olcAutomaticGroups
olcAGattrSet: groupOfURLs memberURL member
Then you get the problem Gerry reported: memberOf is added twice but
only deleted once, the second value remains. Same result for both
memberURL configurations.
Minor nitpicks: if you give autogroup's olcAGattrSet exactly two
arguments, slapadd crashes in ag_cfgen (autogroup.c:1761); and if you
omit the filter from memberURL, i.e.
memberURL: ldap:///cn=staticgroup,dc=example,dc=com?member?base?
then slapd crashes in autogroup_modify_entry (autogroup.c:1381) while
refreshing memberships. Ideally those would return an error instead of
segfaulting.
I'm also wondering, should autogroup/README perhaps recommend
groupOfNames and labeledURI instead of groupOfURLs and member?
hope this helps,
Ryan
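The stale memberOf value described above matters operationally because applications that authorize on memberOf will keep treating the user as a group member after the removal. The following is an added example, not part of Ryan's message, the ITS, or OpenLDAP's own code: a small audit script that parses an LDIF dump (as produced by slapcat or ldapsearch) and reports memberOf values that no group actually backs, group memberships that memberOf does not reflect, and member references to entries that do not exist. It assumes membership is carried by the member attribute of groupOfNames/groupOfURLs entries, matching the configuration in the thread, and it embeds a constructed sample dump reproducing the leftover value on uid=user; the DN normalisation is deliberately simple (case-fold, strip spaces around commas) and is an assumption, not RFC 4514 matching.

```python
#!/usr/bin/env python3
"""Audit memberOf values in an LDIF dump against real group membership.

Added example; not code from the ITS thread or from OpenLDAP. It assumes the
LDIF comes from slapcat (or ldapsearch) and that group membership is carried by
the 'member' attribute of groupOfNames/groupOfURLs entries.
"""
import base64
import sys
from collections import defaultdict

# Object classes whose 'member' values count as group membership (assumption
# matching the memberof/autogroup configuration discussed in the thread).
GROUP_CLASSES = {"groupofnames", "groupofurls"}

# Constructed sample: uid=user was removed from cn=staticgroup and autogroup
# dropped it too, but a leftover memberOf value (base64-encoded here, as
# slapcat may emit it) remains on the user entry. One line is folded.
SAMPLE_LDIF = """\
dn: cn=autogroup,dc=example,dc=com
objectClass: groupOfURLs
memberURL: ldap:///cn=staticgroup,dc=example,dc=com?member?base?(obj
 ectClass=*)
member: uid=other,dc=example,dc=com

dn: cn=staticgroup,dc=example,dc=com
objectClass: groupOfNames
member: cn=dummy
member: uid=other,dc=example,dc=com

dn: uid=other,dc=example,dc=com
objectClass: account
uid: other
memberOf: cn=staticgroup,dc=example,dc=com
memberOf: cn=autogroup,dc=example,dc=com

dn: uid=user,dc=example,dc=com
objectClass: account
uid: user
memberOf:: Y249YXV0b2dyb3VwLGRjPWV4YW1wbGUsZGM9Y29t
"""


def norm_dn(dn):
    """Cheap DN normalisation (assumption): case-fold, strip spaces at commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse LDIF into a list of {attr-lowercase: [values]} dicts.

    Handles folded continuation lines, comments and base64 ('::') values.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value)
    return entries


def check_memberof(entries):
    """Return (stale, missing, dangling).

    stale:    entry DN -> memberOf values that no group actually lists it in
    missing:  entry DN -> groups listing it that its memberOf does not reflect
    dangling: member DNs referenced by groups but absent from the dump
    """
    by_dn = {norm_dn(e["dn"][0]): e for e in entries if "dn" in e}
    expected = defaultdict(set)               # member DN -> group DNs
    for dn, entry in by_dn.items():
        classes = {oc.lower() for oc in entry.get("objectclass", [])}
        if classes & GROUP_CLASSES:
            for member in entry.get("member", []):
                expected[norm_dn(member)].add(dn)

    stale, missing = {}, {}
    for dn, entry in by_dn.items():
        actual = {norm_dn(v) for v in entry.get("memberof", [])}
        wanted = expected.get(dn, set())
        if actual - wanted:
            stale[dn] = sorted(actual - wanted)
        if wanted - actual:
            missing[dn] = sorted(wanted - actual)
    dangling = sorted(set(expected) - set(by_dn))
    return stale, missing, dangling


def main(argv):
    # With a file argument, audit that dump; otherwise run on the sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LDIF
    stale, missing, dangling = check_memberof(parse_ldif(text))
    for dn, groups in stale.items():
        print(f"STALE   {dn}: memberOf {', '.join(groups)}")
    for dn, groups in missing.items():
        print(f"MISSING {dn}: not memberOf {', '.join(groups)}")
    for dn in dangling:
        print(f"DANGLING member reference: {dn}")
    return 1 if (stale or missing) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real dump with `slapcat -l dump.ldif && python3 memberof_check.py dump.ldif`; a non-zero exit means memberOf and actual membership disagree somewhere, which is exactly the state the thread describes after the member is deleted from the static group.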