On Wednesday, February 17, 2016 10:17:40 AM William Brown wrote:
> On Tue, 2016-02-16 at 12:54 +0100, Frank Munsche wrote:
> > Hi guys,
> >
> > how can I determine the members of a dynamic group? After some research,
> > it is still not obvious to me. There is an example at page 220 of the
> > redhat directory server adm guide at:
> >
> > https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/pdf/Administration_Guide/Red_Hat_Directory_Server-10-Administration_Guide-en-US.pdf
> >
> > Within the 389 console you can list the members of the dynamic group using
> > the 'test' button. Unfortunately, I'm using a stripped down installation
> > of 389 without the admin server. But it should be possible to list the
> > members of a dynamic group using ldapsearch, or?
> >
> > I've tried to query the dyn group object itself, but the members are
> > missing:
> >
> > ldapsearch -H ldap://ldap.example.org -D "cn=directory manager" -W -Z -x
> > -b 'cn=admin,ou=sampleapp,ou=appgroups,dc=example,dc=org'
> > 'objectclass=*'
> >
> > dn: cn=admin,ou=sampleapp,ou=appgroups,dc=example,dc=org
> > objectClass: top
> > objectClass: groupOfUniqueNames
> > objectClass: groupOfURLs
> > cn: admin
> > description: sampleapp admin users dyn group
> > memberURL: ldap:///ou=people,dc=example,dc=org??sub?(&(objectclass=person)(mail=*example.org))
>
> You can test this by running an ldap search as:
>
> ldapsearch -b ou=people,dc=example,dc=org -s sub '(&(objectclass=person)(mail=*example.org))'
>
> OpenLDAP has an "overlay" which allows the memberUrl to be expanded during a
> search request into "member" attrs on the groupOfUrls.
>
> Right now, we don't have this in 389-ds.
>
> If you have an account on fedorahosted, we would really appreciate you
> lodging a ticket about this.
>
> Otherwise, you need to do the expansion by hand.
>
> Sorry about that,

Hi William,

thank you for the explanation.
Does this mean, whenever an application accesses the dynamic group, the
memberURL attribute(s) will be sent back to the app? After this, it's on the
application to create a new ldap operation using the parts of the memberURL?

But if so, the host part of the url would not be correct, or? ldap:/// refers
to the local directory server itself. This means, to get it working, the name
of the directory server must be included, like ldap://ldap1.example.org/ ?

Thank you very much, cheers,
Frank

I'm still wondering if dynamic groups of 389-ds work at all right now.

--
389 users mailing list
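The "expansion by hand" William describes, as an added example that is not part of the thread or of 389-ds: it parses the memberURL from Frank's group entry into base DN, scope and filter (RFC 4516 LDAP URL syntax) and builds the equivalent ldapsearch. It treats the empty host in ldap:/// as the server the group entry was read from (this example's assumption, addressing the host question above) and refuses a URL that names a different server; the sample URL and host name are constructed from the values quoted in the thread.

```python
"""Expand a 389-ds groupOfURLs memberURL by hand (RFC 4516 LDAP URL syntax)."""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample: the memberURL and server name quoted in the thread.
MEMBER_URL = ("ldap:///ou=people,dc=example,dc=org??sub?"
              "(&(objectclass=person)(mail=*example.org))")
CONNECTED_HOST = "ldap.example.org"

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


@dataclass
class LdapUrl:
    host: str               # "" when the URL is ldap:/// (no host given)
    base: str
    attrs: list
    scope: str
    filter: str


def parse_member_url(url: str) -> LdapUrl:
    """Split ldap://host/dn?attrs?scope?filter?exts into its fields."""
    if not url.lower().startswith(("ldap://", "ldaps://")):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = url.split("://", 1)[1].partition("/")
    # Fields are '?'-separated; trailing fields may be omitted entirely.
    dn, attrs, scope, flt, _exts = (path.split("?", 4) + [""] * 5)[:5]
    if scope.lower() not in SCOPES:
        raise ValueError("bad scope %r in %r" % (scope, url))
    return LdapUrl(host=hostport, base=unquote(dn),
                   attrs=[a for a in unquote(attrs).split(",") if a],
                   scope=SCOPES[scope.lower()],
                   filter=unquote(flt) or "(objectClass=*)")


def expansion_search(url: LdapUrl, connected_host: str) -> list:
    """Build the ldapsearch argv that lists the group's members.
    An empty host (ldap:///) is taken to mean the server the group entry
    was read from, so that server's name is substituted. A URL naming a
    different server is refused rather than followed: a group entry should
    not be able to redirect member lookups to another host."""
    host = url.host or connected_host
    if host.split(":")[0].lower() != connected_host.lower():
        raise ValueError("memberURL points at another server: %r" % url.host)
    return (["ldapsearch", "-H", "ldap://%s" % host, "-x", "-Z",
             "-b", url.base, "-s", url.scope, url.filter]
            + (url.attrs or ["dn"]))   # member DNs are all the group needs


if __name__ == "__main__":
    print(" ".join(expansion_search(parse_member_url(MEMBER_URL), CONNECTED_HOST)))
```

Running the script prints the ldapsearch command for the thread's memberURL; add the -D/-W bind options your server requires before running that command.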