[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Alias dereferencing

To: Ryan Steele <ryans@aweber.com>
Subject: Re: Alias dereferencing
From: Howard Chu <hyc@symas.com>
Date: Fri, 29 Oct 2010 16:58:11 -0700
Cc: openldap-technical@openldap.org
In-reply-to: <4CCB2DA6.2080201@aweber.com>
References: <201010291158.36843.batovanja@humanomed.at> <4CCB2DA6.2080201@aweber.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b8pre) Gecko/20101024 Firefox/4.0b8pre SeaMonkey/2.1b2pre

Ryan Steele wrote:

I'm trying to implement some aliases for several groups in my directory to provide a bit of aesthetics for a few
applications that leverage the OpenLDAP users and groups.  However, I seem to be running in to a little trouble, perhaps
because I'm expecting alias dereferencing to do something it wasn't really designed to do.  For reference, this is
2.4.21, but I was able to test on a 2.4.23 database with the same results.  I'm using the autogroup module as well for
some pseudo-static dynamic groups.  Consider the following basic DIT and abbreviated set of entries (abbreviated entries
denoted by '...'):


Your problem has nothing to do with alias dereferencing.

dn: cn=sysadmins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
objectClass: posixGroup
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomEmployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com
...

dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
cn: Systems Admins
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com

When I initiate an ldapsearch and choose not to dereference, I see what I expect:

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a never -b dc=example,dc=com cn=Systems\ Administrators
dn: cn=Systems Administrators,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: cn=sysadmins,ou=Groups,dc=example,dc=com
cn: Systems Administrators


However, when I do choose to dereference, nothing is returned:

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a find -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b dc=example,dc=com cn=Systems\ Administrators
joe@ldap1:~#


Clearly the result you got is correct.

I can only obtain the expected results if I set the search base to the *specific* entry I'm looking to dereference:

joe@ldap1:~# ldapsearch -x -ZZ -LLL -a always -b cn=Systems\ Administrators,ou=Groups,dc=example,dc=com
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
ou: Groups
gidNumber: 4001
cn: sysadmins
objectClass: groupOfURLs
objectClass: top
objectClass: posixGroup
description: The sysadmin team members
memberURL: ldap:///ou=Users,dc=example,dc=com?dn?sub?(&(objectClass=examplecomE
  mployee)(departmentName=sysadmins))
member: uid=john,ou=Users,dc=example,dc=com
member: uid=jane,ou=Users,dc=example,dc=com
member: uid=joe,ou=Users,dc=example,dc=com


I find it hard to believe that setting the search base to the alias entry is the only way which one may reference the
alias entry


And that is clearly not the case, in fact.

Your last search is not equivalent to your previous searches, because the lasttime you omitted the **SEARCH FILTER**.


Think about it.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- LDAP filter question
  - From: Antonio Batovanja <batovanja@humanomed.at>
- Alias dereferencing
  - From: Ryan Steele <ryans@aweber.com>

Prev by Date: Alias dereferencing
Next by Date: tag=97 error in openLDAP
Index(es):
- Chronological
- Thread