Norman Gray wrote:
> 
> Howard, hello.
> 
> On 7 Feb 2024, at 19:36, Howard Chu wrote:
> 
>>> If I then make a query which has a few results, I do not get this limit
>>> imposed, and instead see in the logs
>>>
>>>     65c3ce83.0f52bea8 0x16e9d3000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
>>>     65c3ce83.0f533f90 0x16e9d3000 <= mdb_entry_get: failed to find attribute member
>>
>> And those logs are correct, the group entry you specified has no member attribute.
>> What it has is a memberURL attribute, and that's what you should have configured
>> in your olcLimits statement.
> 
> Aha.  I had taken the description to refer to the synthesised 'member' attributes in the
> dynamically generated group.  Thanks for this.
> 
> On changing this, though, to
> 
>     olcLimits: group/groupOfURLs/memberURL="cn=ldap-operators,ou=groups,o=example" size=2
> 
> and making a query, I now see in the logs (with -d-1):
> 
>     65c3df21.21fa70c8 0x16cacf000 ==> limits_get: conn=1000 op=1 self="uid=norman,ou=staff,o=example" this="o=example"
>     65c3df21.21fa97d8 0x16cacf000 => mdb_entry_get: ndn: "cn=ldap-operators,ou=groups,o=example"
>     65c3df21.21fab718 0x16cacf000 => mdb_entry_get: oc: "groupOfURLs", at: "memberURL"
>     65c3df21.21fb1ca8 0x16cacf000 mdb_dn2entry("cn=ldap-operators,ou=groups,o=example")
>     65c3df21.21fb4b88 0x16cacf000 => mdb_dn2id("cn=ldap-operators,ou=groups,o=example")
>     65c3df21.21fb8a08 0x16cacf000 <= mdb_dn2id: got id=0x2857
>     65c3df21.21fbb8e8 0x16cacf000 => mdb_entry_decode:
>     65c3df21.21fbd440 0x16cacf000 <= mdb_entry_decode
>     65c3df21.21fbef98 0x16cacf000 => mdb_entry_get: found entry: "cn=ldap-operators,ou=groups,o=example"
>     65c3df21.21fc0ed8 0x16cacf000 mdb_entry_get: rc=0
>     65c3df21.21fc2a30 0x16cacf000 ldap_url_parse_ext(ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs)))

The above URL is not valid for a dynamic group. The attrs portion of the URL 
must be empty.

Since it's invalid, after it is parsed it gets ignored.

> There's no mention of 'limits' after this point in the log.


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
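
Added example, not part of the original message and not OpenLDAP code: a small Python check that applies the rule stated in the reply above (the attrs portion of a memberURL must be empty) to URL strings before they are relied on in an olcLimits group clause. The parser is a simplified RFC 4516 split; the function names and the second sample URL are constructed for illustration.

```python
from urllib.parse import unquote

LDAP_SCHEMES = ("ldap", "ldaps", "ldapi")


def parse_ldap_url(url):
    """Split an LDAP URL (scheme://host/dn?attrs?scope?filter?exts) into parts."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in LDAP_SCHEMES:
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    # At most five '?'-separated fields; missing trailing fields are empty.
    fields = tail.split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, _exts = fields
    return {
        "host": hostport,
        "dn": unquote(dn),
        "attrs": [a for a in unquote(attrs).split(",") if a],
        "scope": scope.lower() or "base",          # RFC 4516 default
        "filter": unquote(filt) or "(objectClass=*)",
    }


def check_member_url(url):
    """Return (ok, reason); ok is False when the attrs portion is not empty."""
    try:
        parts = parse_ldap_url(url)
    except ValueError as exc:
        return False, str(exc)
    if parts["attrs"]:
        return False, "attrs portion must be empty, found: " + ",".join(parts["attrs"])
    return True, "ok"


SAMPLES = [
    # memberURL value taken from the log line quoted in the thread
    "ldap:///ou=groups,o=example?member?sub?(|(cn=ldap-admins-*)(cn=ldap-techs))",
    # constructed sample with the attrs field left empty
    "ldap:///ou=staff,o=example??sub?(objectClass=person)",
]

if __name__ == "__main__":
    for value in SAMPLES:
        ok, reason = check_member_url(value)
        print("OK  " if ok else "BAD ", value, "->", reason)
```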
