[Mageia-sysadm] Dynlist and change on ldap

Michael scherer misc at zarb.org
Mon Apr 25 19:44:26 CEST 2011


On Mon, Apr 25, 2011 at 02:58:05PM +0200, Michael scherer wrote:
> On Mon, Apr 25, 2011 at 12:12:59PM +0200, Michael scherer wrote:
> > On Thu, Apr 21, 2011 at 10:09:34PM +0200, Michael Scherer wrote:
> > > On Thursday 21 April 2011 at 22:04 +0200, Michael Scherer wrote:
> > > 
> > > > To use it, just add a group like this : 
> > > > 
> > > > cn=mga-test_dyn,ou=Group,dc=mageia,dc=org
> > > > cn: mga-test_dyn
> > > > objectClass: posixGroup
> > > > objectClass: groupOfURLs
> > > > gidNumber: 5013
> > > > memberURL:
> > > > ldap:///ou=People,dc=mageia,dc=org?dn?sub?(&(objectClass=posixAccount)(memberOf=cn=mga-council,ou=Group,dc=mageia,dc=org))
> > > > memberURL:
> > > > ldap:///ou=People,dc=mageia,dc=org?dn?sub?(&(objectClass=posixAccount)(memberOf=cn=mga-sysadmin,ou=Group,dc=mageia,dc=org))
> > > > 
> > > > This one will create a group with sysadmin and council members.
> > > > 
> > > > # getent group mga-test_dyn
> > > > mga-test_dyn:*:5013:misc,rda,boklm,tmb,ennael,dams,buchan,dmorgan,nanardon,colin,blino,pterjan
> > > > 
> > > > ( ok here, it doesn't work fully, wobo and trishf42 are missing but
> > > > since ennael and rda are not in sysadmin group, this kinda works, I will
> > > > look at this more closely, maybe an index issue, or memberOf not being
> > > > refreshed )
> > > 
> > > Ok as usual, I first say something stupid and then find the issue.
> > > 
> > > Of course, for this example, we should not add
> > > "(objectClass=posixAccount)" in the filter, as neither wobo nor trishf42
> > > has a posixAccount :)
> > 
> > So I finally made the changes to ldap :
> > created a group called mga-shell_access
> > changed svn acl for that
> > 
> > the only issue that I faced was that some members ( ie all i18n and me ) were 
> > not able to use the svn, as "id $login" didn't show that they were in the 
> > group. I do not know how I solved it ( in fact, it started to work once I added 
> > i18n to the test_dyn group I created to test everything ).
> 
> So it seems that's some caching issue ( or at least, I would be inclined to think so ).
> If we modify mga-shell_access by hand, everything works fine. 
> Ie, any modification of the group is not reflected immediately, but on the next modification.
> 
> Buchan, maybe you have an idea ?
> ( already tried to play around indexes without much success ).
> 
> According to the various researches I did around the web, dynlist + caching is a 
> hard problem, so maybe there is indeed a bug.

Turns out that the issue was more complex.
Since I was using ldapvi without the -M option, the ldap search used returned all member:
attributes after being expanded by dynlist. So, upon closing the editor, it would 
send the member attributes as a change to apply to the group, and the ldap would record them 
as a modification. This is why we were seeing some strange issue that I labeled as 
'cache issue'. 

The command id is using a query with a search filter '(member=uid=login,dc=...)' and should not
have worked at all with dynlist, since dynamic groups are expanded only when the whole
object is returned. Yet, because of the aforementioned side effect of ldapvi, it worked
but it was somehow "late" on change.

After digging everywhere, the proper solution was much simpler :
- nss_ldap supports nested groups.

So I created a group mga-shell_access_2, placed the groups of sysadmin, packagers, etc
in the member attribute and it worked fine. I did some basic tests to see there
was no regression and then I switched the group ( in 2 operations ).
And now it works fine. 

But this didn't seem to be widely documented ( or maybe I overlooked it )
-- 
Michael Scherer
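The three behaviours the thread describes (a memberURL filter with `(objectClass=posixAccount)` dropping non-POSIX users, a `(member=...)` search not matching a dynlist group because expansion only happens when the whole entry is read, and expanded values being written back when the group is edited in ldapvi without -M) can be reproduced on a small in-memory model. The script below is an added example, not code from the post or from the Mageia sysadmin team; the directory contents (users misc, rda, wobo and the four groups), the `person()` helper, the minimal filter evaluator and the function names are all constructed for this illustration, and the code models the observable behaviour of the overlay and of nested static groups, not their real implementation in OpenLDAP or nss_ldap.

```python
"""Model of the dynlist versus nested-group behaviour described in the thread.

Added example (not code from the post). DIRECTORY is constructed sample data
laid out with the DN style used in the post. The filter evaluator supports
only what the memberURLs need: (&...), (|...) and attr=value assertions.
"""

PEOPLE = "ou=People,dc=mageia,dc=org"
GROUPS = "ou=Group,dc=mageia,dc=org"
SYSADMIN = f"cn=mga-sysadmin,{GROUPS}"
COUNCIL = f"cn=mga-council,{GROUPS}"
TEST_DYN = f"cn=mga-test_dyn,{GROUPS}"      # groupOfURLs, as in the post
SHELL2 = f"cn=mga-shell_access_2,{GROUPS}"  # nested static group, the post's final approach


def person(uid, groups, posix=True):
    """Constructed user entry; posix=False models accounts without posixAccount."""
    classes = {"inetOrgPerson"} | ({"posixAccount"} if posix else set())
    return {"objectClass": classes, "uid": {uid}, "memberOf": set(groups)}


DIRECTORY = {  # constructed sample data
    f"uid=misc,{PEOPLE}": person("misc", [SYSADMIN, COUNCIL]),
    f"uid=rda,{PEOPLE}": person("rda", [COUNCIL]),
    f"uid=wobo,{PEOPLE}": person("wobo", [COUNCIL], posix=False),
    SYSADMIN: {"objectClass": {"posixGroup"}, "member": {f"uid=misc,{PEOPLE}"}},
    COUNCIL: {"objectClass": {"posixGroup"},
              "member": {f"uid={u},{PEOPLE}" for u in ("misc", "rda", "wobo")}},
    TEST_DYN: {"objectClass": {"posixGroup", "groupOfURLs"}, "memberURL": {
        f"ldap:///{PEOPLE}?dn?sub?(&(objectClass=posixAccount)(memberOf={SYSADMIN}))",
        f"ldap:///{PEOPLE}?dn?sub?(&(objectClass=posixAccount)(memberOf={COUNCIL}))"}},
    SHELL2: {"objectClass": {"posixGroup"}, "member": {SYSADMIN, COUNCIL}},
}


def parse_filter(s, i=0):
    """Tiny recursive parser: returns (node, next_index) for (&..), (|..), (a=v)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, parts, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            parts.append(node)
        return (op, parts), i + 1          # skip the closing ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)     # value may itself contain '=' (a DN)
    return ("=", attr, value), j + 1


def matches(entry, node):
    if node[0] == "=":
        return node[2] in entry.get(node[1], ())
    results = [matches(entry, n) for n in node[1]]
    return all(results) if node[0] == "&" else any(results)


def in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)   # 'sub'


def parse_member_url(url):
    """ldap:///base?attrs?scope?filter, the RFC 4516 form used in memberURL."""
    if not url.startswith("ldap:///"):
        raise ValueError(url)
    base, attrs, scope, flt = url[len("ldap:///"):].split("?")[:4]
    return base, attrs, scope, flt


def expand_dynlist(group_dn):
    """What the overlay does when the whole group entry is returned: member
    values are computed from each memberURL, the stored entry is left as is."""
    entry = {k: set(v) for k, v in DIRECTORY[group_dn].items()}
    for url in entry.get("memberURL", ()):
        base, _attrs, scope, flt = parse_member_url(url)
        node, _ = parse_filter(flt)
        for dn, e in DIRECTORY.items():
            if in_scope(dn, base, scope) and matches(e, node):
                entry.setdefault("member", set()).add(dn)
    return entry


def search(filter_str):
    """Filter matching runs against stored values only, so a '(member=...)'
    lookup like the one 'id' issues never sees dynlist-computed members."""
    node, _ = parse_filter(filter_str)
    return sorted(dn for dn, e in DIRECTORY.items() if matches(e, node))


def resolve_nested(group_dn, seen=None):
    """Forward expansion of a static group whose member values may be groups."""
    seen = set() if seen is None else seen
    if group_dn in seen:                   # guard against A -> B -> A loops
        return set()
    seen.add(group_dn)
    uids = set()
    for dn in DIRECTORY.get(group_dn, {}).get("member", ()):
        e = DIRECTORY.get(dn, {})
        if "posixGroup" in e.get("objectClass", ()):
            uids |= resolve_nested(dn, seen)
        else:
            uids |= e.get("uid", set())
    return uids


def edit_with_expanded_values(group_dn):
    """Models the ldapvi-without--M side effect from the post: the expanded
    entry is written back, so the computed members become stored values."""
    DIRECTORY[group_dn] = expand_dynlist(group_dn)
    return sorted(DIRECTORY[group_dn]["member"])
```

Running `search(f"(member=uid=misc,{PEOPLE})")` returns only the two static groups, while `expand_dynlist(TEST_DYN)` lists misc and rda (wobo is filtered out by the posixAccount assertion) and `resolve_nested(SHELL2)` yields all three uids. After `edit_with_expanded_values(TEST_DYN)` the reverse search suddenly matches the dynamic group, but a user added to mga-sysadmin afterwards shows up in the expansion and not in the search, which is the "late on change" symptom the thread attributes to caching.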

