--On Thursday, March 09, 2017 12:54 AM +0000 [email protected] wrote:

> It is possible to set up slapo-dynlist to operate as a replacement for
> slapo-memberOf, and it is safe in a replicated environment. The tricky
> part of using slapo-dynlist is that membership information must be
> maintained by updating user objects rather than by updating group
> objects, which may be difficult for end users depending on how they
> perform group management.
It's also possible to do this in the reverse direction. I.e., normal static
groups that will populate memberOf in the user entry. To do this, you have to
hack the dyngroup schema, changing groupOfURLs from STRUCTURAL to AUXILIARY.
In the slapd config, the dynlist config looks like:

dynlist-attrset groupOfUrls memberURL memberOf

Then we can create some groups:

root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=testgroup"
dn: cn=testgroup,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: testgroup
member: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com

root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=alttestgroup"
dn: cn=alttestgroup,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: alttestgroup
member: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com

The user entry looks like:

root@u16test:/opt/symas/etc/openldap# /opt/symas/bin/ldapsearch -x -LLL -H ldap:/// -D dc=example,dc=com -w secret -b dc=example,dc=com "cn=Marice McCaugherty" objectClass memberOf memberURL
dn: cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??sub?(member=cn=Marice McCaugherty,ou=Pro
 duct Testing,dc=example,dc=com)
memberOf: cn=testgroup,ou=Group,dc=example,dc=com
memberOf: cn=alttestgroup,ou=Group,dc=example,dc=com

Doing it this way means that people currently using memberOf wouldn't need to
change how group management is done.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
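A worked example of the reverse-direction setup described in the message above, added here as an illustration; it is not Quanah's code and not part of OpenLDAP. It generates the LDIF that gives a user entry the groupOfURLs auxiliary class and the self-referencing memberURL, escapes the DN embedded in the URL's filter per RFC 4515, folds long LDIF lines per RFC 2849 (the post's ldapsearch output shows such a fold), and then simulates offline, over constructed group entries that mirror the two groups in the post, what slapo-dynlist computes from that URL. It assumes the dyngroup schema has already been edited so groupOfURLs is AUXILIARY and that slapd carries the `dynlist-attrset groupOfUrls memberURL memberOf` line from the post; the DN matching in `evaluate_member_url()` is a simplified stand-in for slapd's, used only to show the semantics.

```python
#!/usr/bin/env python3
"""Added example (not Quanah's code): build the LDIF for a dynlist
"reverse memberOf" user entry and simulate what dynlist derives from it.

Assumptions beyond the post: groupOfURLs is already AUXILIARY in the
dyngroup schema, slapd has `dynlist-attrset groupOfUrls memberURL memberOf`,
and the group entries below are constructed sample data."""
import re

BASE_DN = "dc=example,dc=com"   # search base used in the post's memberURL


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.

    memberURL embeds the user's own DN in (member=<dn>); any '(', ')',
    '*', '\\' or NUL in that DN must be escaped or the filter changes
    meaning (or is rejected)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def member_url(user_dn: str, base_dn: str = BASE_DN) -> str:
    """The URL dynlist evaluates: every entry under base_dn whose
    'member' attribute holds this user's DN (same shape as in the post)."""
    return "ldap:///%s??sub?(member=%s)" % (base_dn, escape_filter_value(user_dn))


def fold_ldif_line(line: str, width: int = 76) -> str:
    """RFC 2849 folding: continuation lines start with a single space.
    width is the maximum length of any physical line (76 is the RFC's
    recommendation; ldapsearch's own fold point may differ)."""
    if len(line) <= width:
        return line
    pieces, rest = [line[:width]], line[width:]
    step = width - 1                       # the leading space costs one column
    while rest:
        pieces.append(" " + rest[:step])
        rest = rest[step:]
    return "\n".join(pieces)


def unfold_ldif(text: str) -> list:
    """Inverse of folding: a line starting with a space continues the previous one."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif raw:
            out.append(raw)
    return out


def memberurl_modify_ldif(user_dn: str, base_dn: str = BASE_DN) -> str:
    """LDIF for ldapmodify: add the auxiliary class and the self-referencing URL."""
    lines = [
        "dn: %s" % user_dn,
        "changetype: modify",
        "add: objectClass",
        "objectClass: groupOfURLs",
        "-",
        "add: memberURL",
        "memberURL: %s" % member_url(user_dn, base_dn),
        "-",
    ]
    return "\n".join(fold_ldif_line(l) for l in lines) + "\n"


def evaluate_member_url(url: str, entries: dict) -> list:
    """Offline stand-in for slapo-dynlist: return DNs of entries whose
    'member' values match the (member=<dn>) filter in the URL.
    entries maps DN -> {attr: [values]}. Only this one filter shape is
    handled, and matching is a case-insensitive string compare, a
    simplification of real DN matching (assumption, not slapd's code)."""
    m = re.match(r"^ldap:///(?P<base>[^?]*)\?\?sub\?\(member=(?P<dn>.*)\)$", url)
    if not m:
        raise ValueError("unsupported URL shape: %s" % url)
    # undo RFC 4515 escaping so the value compares against stored DNs
    wanted = re.sub(r"\\([0-9a-fA-F]{2})",
                    lambda h: chr(int(h.group(1), 16)), m.group("dn")).lower()
    return [dn for dn, attrs in entries.items()
            if wanted in (v.lower() for v in attrs.get("member", []))]


# Constructed sample data mirroring the two groups in the post, plus one
# group the user is not in.
USER_DN = "cn=Marice McCaugherty,ou=Product Testing,dc=example,dc=com"
GROUPS = {
    "cn=testgroup,ou=Group,dc=example,dc=com": {"member": [USER_DN]},
    "cn=alttestgroup,ou=Group,dc=example,dc=com": {"member": [USER_DN]},
    "cn=other,ou=Group,dc=example,dc=com":
        {"member": ["cn=Someone Else,dc=example,dc=com"]},
}

if __name__ == "__main__":
    print(memberurl_modify_ldif(USER_DN))                    # feed to ldapmodify
    print(evaluate_member_url(member_url(USER_DN), GROUPS))  # the memberOf values
```

The generated LDIF can be piped into `ldapmodify -x -H ldap:/// -D <rootdn> -W` for each user that should receive computed memberOf values. One design point worth keeping in view: in this arrangement the memberURL sits in the user entry and is what memberOf is derived from, so the ACL granting write access to memberURL deserves the same scrutiny as the ACL on group `member` attributes.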
