Hi,
Meanwhile I fixed the issue and forgot to answer.
The slaves which don't deliver the dynlist attribute memberof are
partially replicated instead of fully replicated slaves. So the labeledURI
LDAP attribute value ldap:///dc=department,dc=organization,dc=X,dc=X?
has to be corrected to the basedn of the partial ldap slave, so
ou=xyz,dc=department,dc=organization,.... is correct and working.
cheers,
Andi
On 02.02.23 at 15:35, Andreas Ladanyi wrote:
Hi,
I am using one 2.5 Master / Provider / syncprov and some 2.5 Slaves /
Consumers / syncrepl. I added the dynlist to generate memberOf
attribute to slapd.conf on Master and all Slaves.
The problem is that only on some slaves the dynlist doesn't generate memberof
attribute output when doing an ldapsearch for a user. I am using the objectClass
labeledURIObject and attribute labeledURI to store the LDAP URI for
dynlist to trigger / generate the DN of group membership for memberof
attribute of the user. The labeledURI attribute is replicated
successfully.
User entry output on non working slaves with attribute labeledURI,
memberof is missing:
ldapsearch -x -LLL -ZZ -H ldap://non_working_slave -b
'ou=X,dc=department,dc=organization,dc=X,dc=X' '(&(uid=X))' results in
the user entry with all objectClasses and all attributes except the
memberof attribute.
#start snip:
...
objectClass: labeledURIObject
...
labeledURI:
ldap:///dc=department,dc=organization,dc=X,dc=X??sub?(&(objectClass=groupOfNames)(member=uid=XXXX,ou=account,ou=X,dc=department,dc=organization,dc=X,dc=X))
#stop snip
slapd.conf:
overlay dynlist
dynlist-attrset labeledURIObject labeledURI memberOf
The difference between working and non working slaves is the length
of ACL list.
The important ACL entry is:
access to dn.sub=dc=department,dc=organization,dc=X,dc=X \
attrs=entry
by peername=IP_subnet read
by * break
access to
dn.regex=^[^,]+,ou=(account|group|groupOfNames),ou=X,dc=department,dc=organization,dc=X,dc=X$
by peername=IP_subnet read
by * break
I set no attrs= parameter at the "access to dn.regex" rule to output all
attributes.
cheers,
Andreas
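
The fix described in this thread, as an added example that is not part of the original messages: a Python check that flags labeledURI values whose search base lies outside a partial replica's base DN. The replica base DN, the sample URIs and all function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample values mirroring the redacted DNs in the thread.
REPLICA_BASE = "ou=xyz,dc=department,dc=organization,dc=X,dc=X"
GROUP_FILTER = ("(&(objectClass=groupOfNames)(member=uid=XXXX,ou=account,"
                "ou=X,dc=department,dc=organization,dc=X,dc=X))")
BAD_URI = "ldap:///dc=department,dc=organization,dc=X,dc=X??sub?" + GROUP_FILTER
GOOD_URI = "ldap:///" + REPLICA_BASE + "??sub?" + GROUP_FILTER


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter into its fields."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, _, tail = rest.partition("/")
    fields = (tail.split("?") + ["", "", "", ""])[:4]
    base, attrs, scope, filt = (unquote(f) for f in fields)
    return {"base": base, "attrs": attrs,
            "scope": scope or "base", "filter": filt}


def rdns(dn):
    """Naive DN normalisation: lower-case and trim each RDN.
    Assumption: no escaped commas inside RDN values."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]


def base_within(base_dn, replica_base):
    """True if base_dn equals or is subordinate to replica_base."""
    b, r = rdns(base_dn), rdns(replica_base)
    return len(b) >= len(r) and b[len(b) - len(r):] == r


def check_uris(uris, replica_base):
    """Return the labeledURI values whose base is outside the replica."""
    return [u for u in uris
            if not base_within(parse_ldap_url(u)["base"], replica_base)]


if __name__ == "__main__":
    for uri in check_uris([BAD_URI, GOOD_URI], REPLICA_BASE):
        print("base outside replica:", parse_ldap_url(uri)["base"])
```

Feeding it the labeledURI values read from a consumer, together with that consumer's base DN, lists the entries that need the correction described in the reply.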