[Mageia-sysadm] Dynlist and change on ldap

Michael scherer misc at zarb.org
Mon Apr 25 14:58:05 CEST 2011


On Mon, Apr 25, 2011 at 12:12:59PM +0200, Michael scherer wrote:
> On Thu, Apr 21, 2011 at 10:09:34PM +0200, Michael Scherer wrote:
> > On Thursday, April 21, 2011 at 22:04 +0200, Michael Scherer wrote:
> > 
> > > To use it, just add a group like this : 
> > > 
> > > cn=mga-test_dyn,ou=Group,dc=mageia,dc=org
> > > cn: mga-test_dyn
> > > objectClass: posixGroup
> > > objectClass: groupOfURLs
> > > gidNumber: 5013
> > > memberURL: ldap:///ou=People,dc=mageia,dc=org?dn?sub?(&(objectClass=posixAccount)(memberOf=cn=mga-council,ou=Group,dc=mageia,dc=org))
> > > memberURL: ldap:///ou=People,dc=mageia,dc=org?dn?sub?(&(objectClass=posixAccount)(memberOf=cn=mga-sysadmin,ou=Group,dc=mageia,dc=org))
> > > 
> > > This one will create a group with sysadmin and council members.
> > > 
> > > # getent group mga-test_dyn
> > > mga-test_dyn:*:5013:misc,rda,boklm,tmb,ennael,dams,buchan,dmorgan,nanardon,colin,blino,pterjan
> > > 
> > > ( ok here, it doesn't work fully, wobo and trishf42 are missing but
> > > since ennael and rda are not in sysadmin group, this kinda works, I will
> > > look at this more closely, maybe an index issue, or memberOf not being
> > > refreshed )
> > 
> > Ok as usual, I first say something stupid and then find the issue.
> > 
> > Of course, for this example, we should not add
> > "(objectClass=posixAccount)" in the filter, as neither wobo nor trishf42
> > have a posixAccount :)
> 
> So I finally made the changes to ldap :
> created a group called mga-shell_access
> changed svn acl for that
> 
> the only issue that I faced was that some members ( ie all i18n and me ) were
> not able to use the svn, as "id $login" didn't show that they were in the
> group. I do not know how I solved it ( in fact, it started to work once I added
> i18n to the test_dyn group I created to test everything ).

So it seems that it's some caching issue ( or at least, I would be inclined to think so ).
If we modify mga-shell_access by hand, everything works fine.
Ie, any modification of the group is not reflected immediately, but on the next modification.

Buchan, maybe you have an idea ?
( already tried to play around indexes without much success ).

According to the various researches I did around the web, dynlist + caching is a 
hard problem, so maybe there is indeed a bug.
-- 
Michael Scherer
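
Added example, not part of the original message and not Mageia's configuration: a small offline evaluator for memberURL filters that shows why the "(objectClass=posixAccount)" clause discussed in the quoted text drops group members who have no posixAccount. The directory entries, the uid=guest entry and all function names are constructed for illustration, and only equality filters with &, | and ! are handled.

```python
# Constructed sample data only: this is not the real Mageia directory.
PEOPLE = "ou=People,dc=mageia,dc=org"
COUNCIL = "cn=mga-council,ou=Group,dc=mageia,dc=org"
DIRECTORY = {  # attribute names lowercased; uid=guest is a hypothetical entry
    "uid=misc," + PEOPLE: {"objectclass": ["inetOrgPerson", "posixAccount"],
                           "memberof": [COUNCIL]},
    "uid=wobo," + PEOPLE: {"objectclass": ["inetOrgPerson"],
                           "memberof": [COUNCIL]},
    "uid=guest," + PEOPLE: {"objectclass": ["inetOrgPerson", "posixAccount"]},
}
STRICT = "ldap:///%s?dn?sub?(&(objectClass=posixAccount)(memberOf=%s))" % (PEOPLE, COUNCIL)
LOOSE = "ldap:///%s?dn?sub?(memberOf=%s)" % (PEOPLE, COUNCIL)

def parse_filter(s, i=0):
    """Parse a subset of LDAP filters: (&..) (|..) (!..) (attr=value)."""
    if s[i + 1] in ("&", "|", "!"):
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ")"
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", (attr.lower(), value.lower())), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op, arg = node
    if op == "=":
        return arg[1] in [v.lower() for v in entry.get(arg[0], [])]
    results = [matches(kid, entry) for kid in arg]
    if op == "!":
        return not results[0]
    return all(results) if op == "&" else any(results)

def expand(member_urls, directory):
    """Union of the DNs each memberURL selects (subtree scope assumed)."""
    members = set()
    for url in member_urls:
        base, _attrs, _scope, flt = url[len("ldap:///"):].split("?", 3)
        tree, _ = parse_filter(flt)
        members |= {dn for dn, entry in directory.items()
                    if dn.lower().endswith("," + base.lower()) and matches(tree, entry)}
    return members

def dropped_by_posix_clause():
    """Council members that fall out of the group built from STRICT."""
    return expand([LOOSE], DIRECTORY) - expand([STRICT], DIRECTORY)
```

Running the same comparison against an export of the real directory before pointing an ACL at a dynamic group shows who a filter clause would silently exclude.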

