Closed baszoetekouw closed 5 months ago
mrvanes
commented
1 year ago Mental note: https://www.mail-archive.com/openldap-technical@openldap.org/msg27096.html https://www.mail-archive.com/openldap-technical@openldap.org/msg27121.html Works with slapd 2.5.x in Debian bookworm.
baszoetekouw
commented
1 year ago I'm now really seeing problems with the overlay, in test, acc and prod.
For example:
uid=roger,ou=People,dc=flat,dc=https://wiki/,dc=services,dc=sram-tst,dc=surf,dc=nluid=eone,ou=People,dc=flat,dc=urn:mace:surf.nl:sram:service:sram_mon_ldap,dc=services,dc=sram,dc=surf,dc=nl (ldap monitor user)baszoetekouw
commented
3 months ago Dit werkt niet op de reguliere tst/acc/prd; die hebben wel de dynlist overlay geladen, maar niet met de goede config. Misschien is dat ook wel ok voor nu, en fixen we dat gewoon als we naar de docker-omgevingen overgaan.
Die dockers moet ik nog testen.
mrvanes
commented
3 months ago Dat kopt, dit werk wel, maar alleen in de containers
baszoetekouw
commented
1 month ago ok
According to https://manpages.debian.org/unstable/slapd/slapo-memberof.5.en.html the memberof overlay is deprecated and is incompatible with syncrepl. We have actually seen this in prod (at least, we are seeing inconsistencies in synced group memberships). See also https://bugs.openldap.org/show_bug.cgi?id=7400;selectid=7400
So, we should probably use the dynlist overlay instead. Seems doable, though as expected, the syntax is crappy and the documentation rather unhelpful, https://www.mail-archive.com/openldap-technical@openldap.org/msg26067.html and https://bugs.openldap.org/show_bug.cgi?id=8613 seem to point into the right direction.