[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: dynamic groups



> Hi,
>
> I have built my ldap groups with dynlist overlay.
>
> _If i search for a group i can see the members:
> ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net' 'cn=ou-is'
> dn: cn=ou-is,ou=Groups,dc=abc,dc=net
> objectClass: groupOfURLs
> objectClass: fhvGroup
> cn: ou-is
> memberURL:
> ldap:///ou=People,dc=abc,dc=net??sub?(fhvIsAISMemberOf=cn=ou-is,ou=Groups,dc=abc,dc=net)
> member: uid=cb,ou=fhv,ou=People,dc=abc,dc=net
>
> _But if i search for members i only get empty results:
> ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net'
> '(member=uid=cb,ou=fhv,ou=People,dc=abc,dc=net)' cn member
>
> Is this not working with dynamic groups?

Yes, the module is working as intended.  From slapo-dynlist(5):

    Any time an entry with a specific objectClass is being returned,
    the LDAP URI-valued occurrences of a specific attribute are
    expanded into the corresponding entries, and the values of the
    attributes listed in the URI are added to the original entry.

So the overlay operates on entries *returned* by a search, and thus it has
nothing to do with the search filter.  At the time of filtering, the
dynamic values are not present in the entry, and thus cannot match.

> And does it make sense to build indexes for dynamic member attributes?

No, it's pure nonsense.

p.