Greetings.

I have another puzzle with my OpenLDAP configuration, where I'm not
sure if what I'm seeing is unexpected.

Short version: should I expect a group in an olcLimits spec to work when the 
group is dynamic?

I have a dynamic group set up, using the dynlist overlay, which
expands to a set of DNs which should be allowed slightly privileged
access to a directory.  That group seems to be working OK:

    % ldapsearch -x -H ldap://localhost:8389 -b o=example -LLL '(cn=ldap-operators)'
    dn: cn=ldap-operators,ou=groups,o=example
    cn: ldap-operators
    objectClass: groupOfURLs
    description: Members of all of the LDAP admin and tech groups
    memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))
    member: uid=norman,ou=staff,o=example
    [...]

One goal here is to remove query limits for this group.  I can test
that by adding an artificially low limit:

    olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2

If I then make a query which has a few results, I do not get this limit
imposed, and instead see in the logs

    65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
    65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member

(If, instead of this, I define an ldap-operators group of class
groupOfNames, with the above 'member' included explicitly, and make the
corresponding change to the olcLimits line, I get what I expect -- ie,
a restricted-size response to the query -- which reassures me I'm not
doing something stupid elsewhere.)

The slapo-dynlist(5) page says:

> Any time an entry with a specific objectClass is being returned, the
> LDAP URI-valued occurrences of a specific attribute are expanded into
> the corresponding entries, and the values of the attributes listed in
> the URI are added to the original entry.

I note the ‘any time’.

My configuration appears to be working for the ldapsearch lookup; I
don't see any text in that manpage that suggests this won't work for
the (somehow internal?) lookup being done when processing the
olcLimits expression.

The page slapd-config(5) says, under olcLimits:

> The term group, with the optional objectClass oc and attributeType at
> fields, followed by pattern, sets the limits for any DN listed in the
> values of the at attribute (default member) of the oc group
> objectClass (default groupOfNames) whose DN exactly matches pattern.

That text doesn't seem to me to exclude this entry lookup from the
‘any time’ in the slapo-dynlist text above.

This is OpenLDAP 2.6.7.

I am of course open to a frame-challenge about the best way of
achieving the underlying goal.

Best wishes,

Norman



-- 
Norman Gray  :  https://nxg.me.uk
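An added example, not part of Norman's post, putting the two configurations he compares side by side as one LDIF file for ldapmodify. The `o=example` tree, the `cn=ldap-operators` group, its memberURL, the `uid=norman` member and the `size=2` probe limit are taken from the post; the database DN `olcDatabase={1}mdb`, the `ldap-operators-static` group name and the `olcDynListAttrSet` line are assumptions (check the database index with `slapcat -n0` and adjust). The log lines in the post show the limits check reading the group entry straight from the mdb backend, where the member values that dynlist computes at search time are not present, which is why the dynamic and static variants behave differently.

```ldif
# dynlist overlay on the database that holds o=example
# (assumed: the database is olcDatabase={1}mdb)
dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs memberURL member

# dynamic group as in the post: member values exist only when the
# entry is returned through the overlay
dn: cn=ldap-operators,ou=groups,o=example
changetype: add
objectClass: groupOfURLs
cn: ldap-operators
description: Members of all of the LDAP admin and tech groups
memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))

# static group with the same membership spelled out (assumed name);
# this is the variant the post reports as honouring olcLimits
dn: cn=ldap-operators-static,ou=groups,o=example
changetype: add
objectClass: groupOfNames
cn: ldap-operators-static
member: uid=norman,ou=staff,o=example

# the size=2 probe from the post against both groups; replace size=2
# with size=unlimited once the limit is seen to apply
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcLimits
olcLimits: {0}group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
olcLimits: {1}group/groupOfNames/member="cn=ldap-operators-static,ou=groups,o=example" size=2
```

To probe, bind as a DN that is a member of both groups and run a search with more than two matches, e.g. `ldapsearch -x -H ldap://localhost:8389 -D uid=norman,ou=staff,o=example -W -b o=example '(objectClass=*)'`; a limit that is being applied ends the result with `result: 4 Size limit exceeded`, and the `mdb_entry_get` lines in the slapd log (loglevel stats plus trace, as in the post) show which group entry the limits code read and whether it found a `member` attribute there.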
