Hi,

I am using one 2.5 Master / Provider / syncprov and some 2.5 Slaves / Consumers / syncrepl. I added the dynlist overlay to generate the memberOf attribute to slapd.conf on the Master and all Slaves.

The problem is that only on some slaves the dynlist doesn't generate the memberOf attribute output when doing an ldapsearch for a user. I am using the objectClass labeledURIObject and the attribute labeledURI to store the LDAP URI for dynlist to trigger / generate the DNs of the group memberships for the memberOf attribute of the user. The labeledURI attribute is replicated successfully.

User entry output on non-working slaves with the attribute labeledURI; memberOf is missing:

ldapsearch -x -LLL -ZZ -H ldap://non_working_slave -b 'ou=X,dc=department,dc=organization,dc=X,dc=X' '(&(uid=X))' results in the user entry with all objectClasses and all attributes except the memberOf attribute.

#start snip:
...
objectClass: labeledURIObject
...
labeledURI: ldap:///dc=department,dc=organization,dc=X,dc=X??sub?(&(objectClass=groupOfNames)(member=uid=XXXX,ou=account,ou=X,dc=department,dc=organization,dc=X,dc=X))
#stop snip


slapd.conf:

overlay dynlist
dynlist-attrset labeledURIObject labeledURI memberOf


The difference between working and non-working slaves is the length of the ACL list.

The important ACL entry is:

access to dn.sub=dc=department,dc=organization,dc=X,dc=X \
        attrs=entry
        by peername=IP_subnet read
        by * break

access to dn.regex=^[^,]+,ou=(account|group|groupOfNames),ou=X,dc=department,dc=organization,dc=X,dc=X$
        by peername=IP_subnet read
        by * break

I set no attrs= parameter at the "access to dn.regex" rule to output all attributes.



cheers,

Andreas
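To make the mechanism under discussion concrete, here is an added illustration (not OpenLDAP's own code, and not from the post) of what dynlist does with the labeledURI value: it parses the RFC 4516 LDAP URL, evaluates the filter against the group entries under the base, and the matching group DNs become the memberOf values. The group DNs and the second member are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample data: the labeledURI from the post plus two groups.
USER_DN = "uid=XXXX,ou=account,ou=X,dc=department,dc=organization,dc=X,dc=X"
LABELED_URI = ("ldap:///dc=department,dc=organization,dc=X,dc=X??sub?"
               "(&(objectClass=groupOfNames)(member=" + USER_DN + "))")
GROUPS = {
    "cn=admins,ou=group,ou=X,dc=department,dc=organization,dc=X,dc=X":
        {"objectClass": {"groupOfNames"}, "member": {USER_DN}},
    "cn=guests,ou=group,ou=X,dc=department,dc=organization,dc=X,dc=X":
        {"objectClass": {"groupOfNames"},
         "member": {"uid=other,ou=account,ou=X,dc=department,dc=organization,dc=X,dc=X"}},
}

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four components."""
    m = re.match(r"ldap://[^/]*/(.*)", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    parts = (m.group(1).split("?", 3) + ["", "", ""])[:4]
    base, attrs, scope, flt = (unquote(p) for p in parts)
    return base, [a for a in attrs.split(",") if a], scope or "base", flt

def match(entry, flt):
    """Evaluate a filter limited to '&' and equality (enough for dynlist URIs)."""
    if not flt:
        return True  # an empty filter means (objectClass=*)
    if flt.startswith("(&"):
        inner, depth, start, subs = flt[2:-1], 0, 0, []
        for i, ch in enumerate(inner):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                subs.append(inner[start:i + 1])
                start = i + 1
        return all(match(entry, s) for s in subs)
    attr, _, value = flt[1:-1].partition("=")
    return value.lower() in {v.lower() for v in entry.get(attr, ())}

def expand_member_of(uri, groups):
    """Return the group DNs dynlist would emit as memberOf for this URI."""
    base, _, scope, flt = parse_ldap_url(uri)
    base = base.lower()
    hits = []
    for dn, entry in groups.items():
        d = dn.lower()
        # 'base' scope matches only the base itself; 'sub' matches the subtree
        in_scope = d == base or (scope == "sub" and d.endswith("," + base))
        if in_scope and match(entry, flt):
            hits.append(dn)
    return sorted(hits)
```

On the real server this internal search runs inside slapd, so the ACLs on the group entries (the entry pseudo-attribute and the member attribute) decide whether any group is found at all, which is why the ACL difference between slaves matters.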

