[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: dynamic groups

To: Christian Bösch <boesch@fhv.at>
Subject: Re: dynamic groups
From: masarati@aero.polimi.it
Date: Wed, 24 Nov 2010 16:56:52 +0100 (CET)
Cc: openldap-technical@openldap.org
Importance: Normal
In-reply-to: <E0833E24-8C82-4590-8FDB-534875BFF056@fhv.at>
References: <E0833E24-8C82-4590-8FDB-534875BFF056@fhv.at>
User-agent: SquirrelMail/1.4.15

> Hi,
>
> I have built my ldap groups with dynlist overlay.
>
> _If i search for a group i can see the members:
> ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net' 'cn=ou-is'
> dn: cn=ou-is,ou=Groups,dc=abc,dc=net
> objectClass: groupOfURLs
> objectClass: fhvGroup
> cn: ou-is
> memberURL:
> ldap:///ou=People,dc=abc,dc=net??sub?(fhvIsAISMemberOf=cn=ou-is,ou=Groups,dc=abc,dc=net)
> member: uid=cb,ou=fhv,ou=People,dc=abc,dc=net
>
> _But if i search for members i only get empty results:
> ldapsearch -Y EXTERNAL -b 'ou=Groups,dc=abc,dc=net'
> '(member=uid=cb,ou=fhv,ou=People,dc=abc,dc=net)' cn member
>
> Is this not working with dynamic groups?

Yes, the module is working as intended.  From slapo-dynlist(5):

    Any time an entry with a specific objectClass is being returned,
    the LDAP URI-valued occurrences of a specific attribute are
    expanded into the corresponding entries, and the values of the
    attributes listed in the URI are added to the original entry.

So the overlay operates on entries *returned* by a search, and thus it has
nothing to do with the search filter.  At the time of filtering, the
dynamic values are not present in the entry, and thus cannot match.

> And does it make sense to build indexes for dynamic member attributes?

No, it's pure nonsense.

p.

Follow-Ups:
- Re: dynamic groups
  - From: Christian Bösch <boesch@fhv.at>

References:
- dynamic groups
  - From: Christian Bösch <boesch@fhv.at>

Prev by Date: RE: About locked LDAP user
Next by Date: How to set Multiple base dn
Index(es):
- Chronological
- Thread