[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Alias dereferencing
I'm trying to implement some aliases for several groups in my directory to provide a bit of aesthetics for a few
applications that leverage the OpenLDAP users and groups. However, I seem to be running in to a little trouble, perhaps
because I'm expecting alias dereferencing to do something it wasn't really designed to do. For reference, this is
2.4.21, but I was able to test on a 2.4.23 database with the same results. I'm using the autogroup module as well for
some pseudo-static dynamic groups. Consider the following basic DIT and abbreviated set of entries (abbreviated entries
denoted by '...'):
dn: dc=example,dc=com
dn: ou=Users,dc=example,dc=com
dn: ou=Groups,dc=example,dc=com
dn: uid=john,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...
dn: uid=jane,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...
dn: uid=joe,ou=Users,dc=example,dc=com
objectClass: examplecomEmployee
departmentName: sysadmins
...
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
objectClass: posixGroup
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomEmployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
...
dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
cn: Systems Admins
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
When I initiate an ldapsearch and choose not to dereference, I see what I expect:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a never -b dc=example,dc=com cn=Systems\ Administrators
dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
cn: Systems Administrators
However, when I do choose to dereference, nothing is returned:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a find -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#
I can only obtain the expected results if I set the search base to the *specific* entry I'm looking to dereference:
joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b cn=Systems\ Administrators,ou=Groups,dc=example,dc=com
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
ou: Groups
gidNumber: 4001
cn: sysadmins
objectClass: groupOfURLs
objectClass: top
objectClass: posixGroup
description: The sysadmin team members
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomE
mployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
I find it hard to believe that setting the search base to the alias entry is the only way which one may reference the
alias entry - I can't see many cases in which it would be useful to set the search base to something other than the
highest part of the tree under which all the other entries you'd like to view are accessible. Essentially, I just want
to be able to search for the more aesthetically named entry (cn=Systems Administrators) without having to explicitly set
it as the search base, and have it return the entry specified by its aliasedObjectName. Is this possible, and if so,
how? If not, what is the recommended approach to achieving this goal, other than perhaps setting an attribute from an
AUXILIARY objectClass or similar? I don't really consider creating the entries with the more aesthetic names from the
get-go as an option, because dealing with POSIX groups that have spaces in them is a pain, and not everything plays nice
with such naming schemes. Thanks for any/all advice.