https://bugs.openldap.org/show_bug.cgi?id=9805

          Issue ID: 9805
           Summary: member attributes managed by autogroup are lost when
                    user attributes are adjusted
           Product: OpenLDAP
           Version: 2.4.59
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: contrib
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Hello OpenLDAP Team, 

we use nested groups in our OpenLDAP directory.
User X is a member of group A.
Group A is a member of group B.
User X is therefore also a member of group B.

To be able to find out all groups of user X with only one LDAP query 
we use the dynlist overlay together with the autogroup overlay.

Group B is a dynamic group whose member attributes are set with autogroup,
to allow a search for members.

 ldapsearch .. -s sub  -b "ou=groups,dc=basler,dc=ch"
"(member=cn=userx,ou=users,dc=basler,dc=ch)" dn

Result:

cn=groupA,ou=groups,dc=basler,dc=ch
cn=groupB,ou=groups,dc=basler,dc=ch

----- Group A ----------------------------------------------------------
dn: cn=groupA,ou=groups,dc=basler,dc=ch
cn: groupA
objectClass: top
objectClass: groupOfNames

member:cn=userX,ou=users,dc=basler,dc=ch

----- Group B ----------------------------------------------------------
dn: cn=groupB,ou=groups,dc=basler,dc=ch
cn: groupB
objectClass: top
objectClass: groupOfURLs

memberURL: ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA)
# managed by autogroup 
member:cn=userX,ou=users,dc=basler,dc=ch 
-----------------------------------------------------------------------
This works until any attribute in the userX object is changed.
The member attribute for userX created dynamically by autogroup is then deleted
from groupB although userX is still a member of groupA and is therefore matched
by the search in the memberURL attribute of groupB.

The expected behaviour would be that the member attribute in groupB remains
unchanged.

----------- configuration --------------------------
OpenLDAP 2.4.59 from https://www.ltb-project.org/download.html


--------------- slapd.conf -------------------------
...
moduleload dynlist
moduleload autogroup.so
...
include /usr/local/openldap/etc/openldap/local-schema/dyngroup.schema
...
overlay dynlist
dynlist-attrset groupOfURLs memberURL

overlay autogroup
autogroup-attrset groupOfURLs memberURL member

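Added example (not part of the original report and not OpenLDAP code): a small Python audit that recomputes, from an LDIF export, which member values each memberURL implies and reports groups where those values are missing, which is the state the report describes. The sample LDIF is constructed from the report's entries; the function names are hypothetical, and only equality filters and unfolded, non-base64 LDIF are handled.

```python
# Constructed sample: groupB after userX was modified (managed member value lost).
SAMPLE_LDIF = """\
dn: cn=groupA,ou=groups,dc=basler,dc=ch
cn: groupA
member:cn=userX,ou=users,dc=basler,dc=ch

dn: cn=groupB,ou=groups,dc=basler,dc=ch
cn: groupB
memberURL: ldap:///ou=groups,dc=basler,dc=ch?member?one?(cn=groupA)
"""

def norm(dn):  # case-insensitive DN key; escaped commas are not handled
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """{normalized dn: {attr: [values]}}; plain unfolded LDIF, no base64 values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                name, value = line.split(":", 1)
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm(attrs["dn"][0])] = attrs
    return entries

def expected_values(url, entries):
    """Evaluate ldap:///base?attr?scope?(attr=value); equality filters only."""
    base, attr, scope, flt = url[len("ldap:///"):].split("?", 3)
    base, (f_attr, f_val) = norm(base), flt.strip("()").lower().split("=", 1)
    found = set()
    for dn, attrs in entries.items():
        in_scope = {"base": dn == base, "one": dn.partition(",")[2] == base,
                    "sub": dn == base or dn.endswith("," + base)}[scope]
        if in_scope and f_val in (v.lower() for v in attrs.get(f_attr, [])):
            found.update(norm(v) for v in attrs.get(attr.lower(), []))
    return found

def audit(entries, member_attr="member"):
    """{group dn: values implied by memberURL but absent from the entry}."""
    drift = {}
    for dn, attrs in entries.items():
        want = set().union(*(expected_values(u, entries) for u in attrs.get("memberurl", [])))
        missing = want - {norm(v) for v in attrs.get(member_attr, [])}
        if missing:
            drift[dn] = missing
    return drift
```

Run against a periodic export, a non-empty result from `audit(parse_ldif(...))` flags groups whose materialized membership no longer matches their memberURL, which matters wherever those member values drive authorization decisions.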