Norman Gray wrote:
>
> Greetings.
>
> I have another puzzle with my OpenLDAP configuration, where I'm not
> sure if what I'm seeing is unexpected.
>
> Short version: should I expect a group in an olcLimits spec to work when the
> group is dynamic?

Yes.

> I have a dynamic group set up, using the dynlist overlay, which
> expands to a set of DNs which should be allowed slightly privileged
> access to a directory. That group seems to be working OK:
>
> % ldapsearch -x -H ldap://localhost:8389 -b o=example -LLL '(cn=ldap-operators)'
> dn: cn=ldap-operators,ou=groups,o=example
> cn: ldap-operators
> objectClass: groupOfURLs
> description: Members of all of the LDAP admin and tech groups
> memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))
> member: uid=norman,ou=staff,o=example
> [...]
>
> One goal here is to remove query limits for this group. I can test
> that by adding an artificially low limit:
>
> olcLimits: group/groupOfURLs/member="cn=ldap-operators,ou=groups,o=example" size=2
>
> If I then make a query which has a few results, I do not get this limit
> imposed, and instead see in the logs
>
> 65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
> 65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member

And those logs are correct, the group entry you specified has no member
attribute. What it has is a memberURL attribute, and that's what you should
have configured in your olcLimits statement.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
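A check for this kind of mismatch, as an added example that is not from the thread: it parses the group selector of an olcLimits value and verifies, against the stored group entry as slapcat(8) would dump it (not ldapsearch output, because dynlist adds the member values only to search results), that the named objectClass and attribute are really present. The sample LDIF and the helper names are constructed for the example.

```python
import re

# Constructed sample: the stored group entry as slapcat(8) dumps it.
# There is no member attribute here; dynlist synthesises it on search only.
STORED_GROUP_LDIF = """\
dn: cn=ldap-operators,ou=groups,o=example
cn: ldap-operators
objectClass: groupOfURLs
description: Members of all of the LDAP admin and tech groups
memberURL: ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap
 -techs))
"""

# olcLimits group selector per slapd.conf(5): group[/<objectClass>[/<attribute>]]="<dn>"
# with groupOfNames and member as the defaults when the parts are omitted.
GROUP_SPEC = re.compile(r'^group(?:/(?P<oc>[^/=]+)(?:/(?P<at>[^=]+))?)?="(?P<dn>[^"]+)"')


def parse_ldif(text):
    """Minimal single-entry LDIF parser (hypothetical helper): joins folded
    continuation lines, lower-cases attribute names, keeps every value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF line folding
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def normalise_dn(dn):
    # Simplified DN comparison: strip spaces around RDNs, ignore case.
    return ",".join(p.strip() for p in dn.split(",")).lower()


def check_group_limit(spec, entry):
    """Return (ok, reason): does the group selector of an olcLimits value name
    an objectClass and attribute that the stored entry actually carries?"""
    m = GROUP_SPEC.match(spec)
    if not m:
        return False, "not a group selector"
    oc = m.group("oc") or "groupOfNames"
    at = m.group("at") or "member"
    if normalise_dn(entry.get("dn", [""])[0]) != normalise_dn(m.group("dn")):
        return False, "entry DN does not match the selector"
    if oc.lower() not in {c.lower() for c in entry.get("objectclass", [])}:
        return False, f"entry is not of objectClass {oc}"
    if at.lower() not in entry:
        hint = "; dynamic group, use memberURL" if "memberurl" in entry else ""
        return False, f"stored entry has no {at} attribute{hint}"
    return True, f"selector matches {oc}/{at} on the stored entry"
```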
