On 10/21/2021 6:06 PM, Howard Chu wrote:
> Then this is probably dynlist searching for objectclass=cppEduPerson.
> You should change this configuration to use 2.5 dynlist's memberOf support.

I must have missed that, I wasn't aware of any new specific memberOf
support in dynlist? I don't see anything mentioning that in the
administration guide:
https://www.openldap.org/doc/admin25/guide.html#Dynamic%20Lists
I did find a reference to it in a release announcement:
https://www.openldap.org/software/release/announce.html
"dynlist can now generate (is)memberOf dynamically"
but it had no specifics as to how that was configured or what it did?
Ah, I see there is a mention of it in the man page, but sadly I don't
quite understand it.
dynlist-attrset <group-oc> [<URI>] <URL-ad>
[[<mapped-ad>:]<member-ad>[+<memberOf-ad[@<static-oc>[*]] ...]
The value group-oc is the name of the objectClass that
triggers the dynamic expansion of the data.
The optional URI restricts expansion only to entries
matching the DN, the scope and the filter portions of the URI.
The value URL-ad is the name of the attributeDescription
that contains the URI that is expanded by the overlay; if none is
present, no expansion occurs. If the intersection of the attributes
requested by the search operation (or the asserted attribute for
compares) and the attributes listed in the URI is empty, no expansion
occurs for that specific URI. It must be a subtype of labeledURI.
The value member-ad is optional; if present, the
overlay behaves as a dynamic group: this attribute will list the DN of
the entries resulting from the internal search. In this case, the
attrs portion of the URIs in the URL-ad attribute must be absent, and
the DNs of all the entries resulting from the expansion of the URIs
are listed as values of this attribute. Compares that assert the value
of the member-ad attribute of entries with group-oc objectClass apply as
if the DN of the entries resulting from the expansion of the URI
were present in the group-oc entry as values of the member-ad attribute.
If the optional memberOf-ad attribute is also specified, then it
will be populated with the DNs of the dynamic groups that an entry is a
member of. If the optional static-oc objectClass is also specified,
then the memberOf attribute will also be populated with the DNs of
the static groups that an entry is a member of.
It appears it still needs an object class to trigger it? And in my case,
that object class would still be cppEduPerson? (IE, only trigger this
dynamic expansion on objects that have that object class?) Right now my
configuration again is:
dynlist-attrset cppEduPerson memberURL memberOf
My understanding of which is that for any search which returns an
object of the object class "cppEduPerson", perform the search as
indicated in the attribute "memberURL", which for me is:
memberURL: ldap:///dc=cpp,dc=edu??sub?(memberUid=henson)
and shove all the DNs that result from that search in the memberOf
attribute. What exactly am I supposed to do differently to avail of this
new support? And how would it remove the need for the reference to the
cppEduPerson object class?

> Indexing is not broken.

There was a question mark in my subject line, I was just guessing :). It
is still though definitely a difference in behavior between 2.4 and 2.5,
and I'm not understanding why? I don't see any mention of dynlist or
memberOf in the upgrade guide:
https://www.openldap.org/doc/admin25/guide.html#Upgrading%20from%202.4.x
Is my current configuration under 2.4 "broken but happens to work"?
Thanks…
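
Added example (not part of the original message and not OpenLDAP code): a small Python parser that splits a dynlist-attrset line and a memberURL value into the fields named in the man page text quoted above, so it is visible which slot each token of the posted configuration occupies. Treating the optional <URI> as a token that starts with ldap:// is an assumption, and the groupOfURLs line is constructed only to exercise the + and @ syntax.

```python
import re
from urllib.parse import unquote

# One trailing token of dynlist-attrset, per the synopsis quoted above:
#   [<mapped-ad>:]<member-ad>[+<memberOf-ad>[@<static-oc>[*]]]
_NAME = r"[^:+@*\s]+"
_MEMBER = re.compile(
    rf"^(?:(?P<mapped_ad>{_NAME}):)?(?P<member_ad>{_NAME})"
    rf"(?:\+(?P<memberof_ad>{_NAME})(?:@(?P<static_oc>{_NAME})(?P<star>\*)?)?)?$"
)

def parse_attrset(line):
    """Split a dynlist-attrset line into the fields the man page names."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "dynlist-attrset":
        raise ValueError("not a dynlist-attrset directive")
    out = {"group_oc": tok[1], "uri": None, "members": []}
    rest = tok[2:]
    # Assumption: the optional restricting <URI> is recognisable by its scheme.
    if rest[0].lower().startswith(("ldap://", "ldaps://")):
        out["uri"], rest = rest[0], rest[1:]
    if not rest:
        raise ValueError("missing <URL-ad>")
    out["url_ad"] = rest[0]
    for t in rest[1:]:
        m = _MEMBER.match(t)
        if m is None:
            raise ValueError(f"bad member spec: {t!r}")
        out["members"].append(m.groupdict())
    return out

def parse_ldap_url(url):
    """RFC 4516 layout: ldap://host/base?attrs?scope?filter"""
    m = re.match(r"^ldaps?://([^/?]*)(?:/(.*))?$", url, re.I)
    if m is None:
        raise ValueError("not an LDAP URL")
    base, attrs, scope, flt = ((m.group(2) or "").split("?") + [""] * 3)[:4]
    return {"base": unquote(base),
            "attrs": [unquote(a) for a in attrs.split(",") if a],
            "scope": scope or "base",
            "filter": unquote(flt) or "(objectClass=*)"}

def attrs_conflict(attrset, url):
    """True if a member-ad is set but the URL lists attrs (must be absent)."""
    return bool(attrset["members"]) and bool(parse_ldap_url(url)["attrs"])

# The two values from the post, plus one constructed line using the +/@ form.
POSTED = parse_attrset("dynlist-attrset cppEduPerson memberURL memberOf")
POSTED_URL = "ldap:///dc=cpp,dc=edu??sub?(memberUid=henson)"
CONSTRUCTED = parse_attrset("dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames")
```

Read against the synopsis, the posted line puts memberOf in the member-ad slot with no +memberOf-ad part, while the constructed line fills member-ad, memberOf-ad and static-oc.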