From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2011-April/003396.html | 136 +++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2011-April/003396.html (limited to 'zarb-ml/mageia-sysadm/2011-April/003396.html') diff --git a/zarb-ml/mageia-sysadm/2011-April/003396.html b/zarb-ml/mageia-sysadm/2011-April/003396.html new file mode 100644 index 000000000..0ac001297 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-April/003396.html @@ -0,0 +1,136 @@ + + + + [Mageia-sysadm] Dynlist and change on ldap + + + + + + + + + +

[Mageia-sysadm] Dynlist and change on ldap

+ Michael scherer + misc at zarb.org +
+ Mon Apr 25 19:44:26 CEST 2011 +

+
+ +
On Mon, Apr 25, 2011 at 02:58:05PM +0200, Michael scherer wrote:
+> On Mon, Apr 25, 2011 at 12:12:59PM +0200, Michael scherer wrote:
+> > On Thu, Apr 21, 2011 at 10:09:34PM +0200, Michael Scherer wrote:
+> > > Le jeudi 21 avril 2011 à 22:04 +0200, Michael Scherer a écrit :
+> > > 
+> > > > To use it, just add a group like this : 
+> > > > 
+> > > > cn=mga-test_dyn,ou=Group,dc=mageia,dc=org
+> > > > cn: mga-test_dyn
+> > > > objectClass: posixGroup
+> > > > objectClass: groupOfURLs
+> > > > gidNumber: 5013
+> > > > memberURL:
+> > > > ldap:///ou=People,dc=mageia,dc=org?dn?sub?(&(objectClass=posixAccount)(memberOf=cn=mga-council,ou=Group,dc=mageia,dc=org))
+> > > > memberURL:
+> > > > ldap:///ou=People,dc=mageia,dc=org?dn?sub?(&(objectClass=posixAccount)(memberOf=cn=mga-sysadmin,ou=Group,dc=mageia,dc=org))
+> > > > 
+> > > > This one will create a group with sysadmin and council member.
+> > > > 
+> > > > # getent group mga-test_dyn
+> > > > mga-test_dyn:*:5013:misc,rda,boklm,tmb,ennael,dams,buchan,dmorgan,nanardon,colin,blino,pterjan
+> > > > 
+> > > > ( ok here, it doesn't work fully, wobo and trishf42 are missing but
+> > > > since ennael and rda are not in sysadmin group, this kinda work, I will
+> > > > look at this more closely, maybe a index issue, or memberOf not being
+> > > > refreshed )
+> > > 
+> > > Ok as usual, I first say something stupid and then find the issue.
+> > > 
+> > > Of course, for this example, we should not add
+> > > "(objectClass=posixAccount)" in the filter, as neither wobo or trishf42
+> > > have a posixAccount :)
+> > 
+> > So I finally made the changes to ldap :
+> > created a group called mga-shell_access
+> > changed svn acl for that
+> > 
+> > the only issue that I faced was that some members ( ie all i18n and me ) were 
+> > not able to use the svn, as "id $login" didn't show that they were in the 
+> > group. I do not know how I solved ( in fact, it started to work once I added 
+> > i18n to the test_dyn group I created to test everything ).
+> 
+> So it seems that's some caching issue ( or at least, I would inclined to think ).
+> If we modify mga-shell_access by hand, everything work fine. 
+> Ie, any modification of the group is not reflected immediately, but on the next modification.
+> 
+> Buchan, maybe you have a idea ?
+> ( already tried to play around indexes without much success ).
+> 
+> According to the various researches I did around the web, dynlist + caching is a 
+> hard problem, so maybe there is indeed a bug.
+
+Turn out that the issue was more complex.
+Since I was using ldapvi without -M option, the ldap search used returned all member:
+attributes after being expanded by dynlist. So, upon closing the editor, it would 
+send the members attributes as change to apply to the group, and the ldap would record them 
+as a modification. This is why we were seeing some strange issue that I labeled as 
+'cache issue'. 
+
+The command id is using a query with a search filter '(member=uid=login,dc=...)' and should not
+have worked at all with dynlist, since dynamic group are expanded only when the whole
+object is returned. Yet, because of the aformentioned side effect of ldapvi, it worked
+but it was somehow "late" on change.
+
+After digging everywhere, the proper solution was much simpler :
+- nss_ldap support nested groups.
+
+So I created a group mga-shell_access_2, placed the group of sysadmin, packagers, etc
+in the members attribute and it worked fine. I did some basic tests to see there
+was no regression and then I switched the group ( in 2 operations ).
+And now it work fine. 
+
+But this didn't seems to be widely documented ( or maybe I overlooked )
+-- 
+Michael Scherer
+
+ + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1
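Review bot: the hunk as shown here does not apply cleanly: `@@ -0,0 +1,136 @@` declares 136 added lines, but several lines inside it lack the leading `+` (for example `[Mageia-sysadm] Dynlist and change on ldap` and `On Mon, Apr 25, 2011 at 02:58:05PM +0200, Michael scherer wrote:`), and the cgit footer `-- cgit v1.2.1` is fused onto the last added line, so `git apply` would reject it; regenerate the patch with `git format-patch` (or fetch the commit directly) rather than circulating this rendered copy. One content remark on what is being archived, no change to the hunk itself: the message records a genuine operational pitfall, namely that editing a dynlist-expanded group with `ldapvi` without `-M` round-trips the expanded `member:` attributes back as a real modification, silently turning a dynamic group into a static one and producing the "late on change" behaviour the author first took for caching; since the author notes this "didn't seem to be widely documented", it is worth cross-referencing this archive entry from the sysadmin LDAP documentation when the archives land.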