[email protected] wrote:
> As I understand it, Gerry's use case is: we have some groups, we want
> an autogroup containing the union of their members, and we want
> memberOf to accurately reflect both the manual and automatic group
> memberships. I think that's a reasonable thing to want; especially
> since the memberOf part is impossible with dynlist.
>
> Config for these tests: dyngroup schema with groupOfURLs modified to
> allow 'member' as per autogroup README, plus:
>
> dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
> objectClass: olcMemberOf
> olcMemberOfGroupOC: groupOfURLs
>
> dn: olcOverlay={2}autogroup,olcDatabase={1}mdb,cn=config
> objectClass: olcAutomaticGroups
> olcAGattrSet: groupOfURLs memberURL member
>
> On Wed, Jun 4, 2014 at 12:24 PM, Ryan Tandy <[email protected]> wrote:
>> Adding a new entry that triggers an autogroup member to be added: I
>> don't get a crash or deadlock, but the new entry doesn't have a
>> memberOf attribute. It looks like the internal Modify adding the
>> member happens before the Add completes, so memberof tries to add
>> memberOf to an entry that doesn't exist yet.
>
> slapadd:
>
> dn: cn=autogroup,dc=example,dc=com
> objectClass: groupOfURLs
> memberURL: ldap:///dc=example,dc=com??one?(objectClass=account)
>
> and then ldapadd:
>
> dn: uid=user,dc=example,dc=com
> objectClass: account
> uid: user
>
> The new entry doesn't gain a memberOf attr as expected.

Fixed in git master.

>> Changing autogroup to trigger on an alteration to an existing entry,
>> for example addition of a specific attribute or auxiliary objectClass:
>> with mdb this works and the memberOf attribute is added; with hdb I
>> get the same deadlock Landry Breuil already reported. Looks like a
>> recursive deadlock on the same thread.
>
> slapadd:
>
> dn: cn=autogroup,dc=example,dc=com
> objectClass: groupOfURLs
> memberURL: ldap:///dc=example,dc=com??one?(objectClass=extensibleObject)
>
> dn: uid=user,dc=example,dc=com
> objectClass: account
>
> and then ldapmodify:
>
> dn: uid=user,dc=example,dc=com
> add: objectClass
> objectClass: extensibleObject
>
> under mdb, works as expected.
> under hdb, deadlock.

Fixed in git master.

>> I think those problems are both different from the one this ITS is
>> about, though. Maybe they should be filed separately.
>>
>> I also confirmed the problem originally reported on current git master
>
> I came up with two ways to do this. I don't know which one Gerry used.
>
> You can use the same config as above and have autogroup expand attr
> values. The initial LDIF is:
>
> dn: cn=autogroup,dc=example,dc=com
> objectClass: groupOfURLs
> memberURL:
> ldap:///cn=staticgroup,dc=example,dc=com?member?base?(objectClass=*)
>
> dn: cn=staticgroup,dc=example,dc=com
> objectClass: groupOfNames
> member: cn=dummy
>
> dn: uid=user,dc=example,dc=com
> objectClass: account
>
> (You can't re-use groupOfURLs for the static group because autogroup
> blocks manual changes to its members.)
>
> Then ldapmodify:
>
> dn: cn=staticgroup,dc=example,dc=com
> add: member
> member: uid=user,dc=example,dc=com
>
> dn: cn=staticgroup,dc=example,dc=com
> delete: member
> member: uid=user,dc=example,dc=com

Fixed in git master.

>
> Alternatively you can make autogroup search by memberOf. For that you need
>
> olcMemberOfGroupOC: groupOfNames
>
> (instead of GroupOfURLs). Then you do the same slapadd and ldapmodify,
> except with
>
> memberURL:
> ldap:///dc=example,dc=com??one?(memberOf=cn=staticgroup,dc=example,dc=com)

Fixed in git master.

>
> AFAICT both approaches work (personally I prefer the first...), but
> memberOf is only applied to a single OC. If you want it for both, you
> might try the same thing with a second memberof instance, like this:
>
> dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
> objectClass: olcMemberOf
> olcMemberOfGroupOC: groupOfURLs
>
> dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
> objectClass: olcMemberOf
> olcMemberOfGroupOC: groupOfNames
>
> dn: olcOverlay={3}autogroup,olcDatabase={1}mdb,cn=config
> objectClass: olcAutomaticGroups
> olcAGattrSet: groupOfURLs memberURL member

Not tested.

> Then you get the problem Gerry reported: memberOf is added twice but
> only deleted once, the second value remains. Same result for both
> memberURL configurations.
>
> Minor nitpicks: if you give autogroup's olcAGattrSet exactly two
> arguments, slapadd crashes in ag_cfgen (autogroup.c:1761);

Fixed in git master.

> and if you
> omit the filter from memberURL, i.e.
>
> memberURL: ldap:///cn=staticgroup,dc=example,dc=com?member?base?
>
> then slapd crashes in autogroup_modify_entry (autogroup.c:1381) while
> refreshing memberships. Ideally those would return an error instead of
> segfaulting.

Fixed in git master - the offending autogroup URLs are ignored.

>
> I'm also wondering, should autogroup/README perhaps recommend
> groupOfNames and labeledURI instead of groupOfURLs and member?
>
> hope this helps,
> Ryan
>
>
>

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
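Added example, not part of the original message and not OpenLDAP code: a pre-load LDIF check for the two inputs the thread reports as crashing builds without the fix, namely an olcAGattrSet with fewer than the three values used in the thread's config and a memberURL with no filter. The function names and the sample LDIF are constructed for illustration; base64 ("::") values are not decoded.

```python
import re

# Constructed sample LDIF (not from a real directory): the two inputs the
# thread reports as crashing unpatched builds, plus one well-formed group.
SAMPLE_LDIF = """\
dn: olcOverlay={2}autogroup,olcDatabase={1}mdb,cn=config
objectClass: olcAutomaticGroups
olcAGattrSet: groupOfURLs memberURL

dn: cn=autogroup,dc=example,dc=com
objectClass: groupOfURLs
memberURL:
 ldap:///cn=staticgroup,dc=example,dc=com?member?base?

dn: cn=good,dc=example,dc=com
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??one?(objectClass=account)
"""


def unfold(ldif):
    """Join LDIF continuation lines (a leading single space continues a line)."""
    return re.sub(r"\n ", "", ldif)


def url_filter(url):
    """Return the filter field of an LDAP URL (dn?attrs?scope?filter), or ''."""
    _, _, rest = url.partition("://")
    _, _, path = rest.partition("/")      # drop the (possibly empty) host part
    parts = path.split("?")
    return parts[3].strip() if len(parts) > 3 else ""


def lint(ldif):
    """Return (dn, problem) tuples for entries matching either crash condition."""
    findings = []
    for entry in unfold(ldif).split("\n\n"):
        dn = None
        for line in entry.splitlines():
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = value
            elif attr == "olcagattrset" and len(value.split()) < 3:
                findings.append((dn, "olcAGattrSet has fewer than 3 values"))
            elif attr == "memberurl" and not url_filter(value):
                findings.append((dn, "memberURL has no filter"))
    return findings
```

Running `lint()` over an LDIF file before slapadd or ldapadd lists the entries to correct on a server that does not yet carry the fixes from git master.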
