4 files changed, 55 insertions, 8 deletions
diff --git a/lib/modules/openldap b/lib/modules/openldap
index c09e791..f24a802 100644
--- a/lib/modules/openldap
+++ b/lib/modules/openldap
@@ -38,6 +38,7 @@ indexedAttributes = frozenset([
     'olcOverlay',
     'olcLimits',
     'olcAuthzRegexp',
+    'olcDlAttrSet',
     'olcDbConfig',
 ])
 
@@ -156,6 +157,7 @@ def processEntry(module, l, dn, entry):
         d,e = r
         fst = str2dn(dn).pop(0)[0][0]
         diff = []
+        re1 = re.compile( b'^(\{[0-9]+\})', re.I )
         for a,v in e.items():
             if a not in entry.keys():
                 if a != fst:
@@ -168,11 +170,22 @@ def processEntry(module, l, dn, entry):
                     # by a DN with proper gidNumber and uidNumber
                     entry[a] = list(map ( partial(sasl_ext_re.sub, acl_sasl_ext)
                                         , entry[a] ))
-                # add explicit indices in the entry from the LDIF
-                entry[a] = list(map( (lambda x: b'{%d}%s' % x)
-                                   , zip(range(len(entry[a])),entry[a])))
-                if v != entry[a]:
-                    diff.append(( ldap.MOD_REPLACE, a, entry[a] ))
+                if a == fst:
+                    if len(entry[a]) != 1 or len(v) != 1:
+                        module.fail_json(msg=f'{len(entry[a])} != 1 or {len(v)} != 1')
+                    m1 = re1.match(v[0])
+                    if m1 is None:
+                        module.fail_json(msg=f'{v[0]} is not indexed??')
+                    else:
+                        entry[a][0] = m1.group(1) + entry[a][0]
+                    if entry[a] != v:
+                        module.fail_json(msg=f'{entry[a]} != {v}, use modrdn to modifify the RDN (unimplemented)')
+                else:
+                    # add explicit indices in the entry from the LDIF
+                    entry[a] = list(map( (lambda x: b'{%d}%s' % x)
+                                       , zip(range(len(entry[a])),entry[a])))
+                    if v != entry[a]:
+                        diff.append(( ldap.MOD_REPLACE, a, entry[a] ))
             elif v != entry[a]:
                 # for non-indexed attribute, we update values in the
                 # symmetric difference only
diff --git a/roles/LDAP-provider/files/etc/ldap/dynlist.ldif b/roles/LDAP-provider/files/etc/ldap/dynlist.ldif
new file mode 100644
index 0000000..df9a806
--- /dev/null
+++ b/roles/LDAP-provider/files/etc/ldap/dynlist.ldif
@@ -0,0 +1,26 @@
+# References:
+# - https://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists
+# - man 5 slapo-dynlist
+
+# TODO bookworm (slapd 2.5)
+# “The dynlist overlay has been reworked with the 2.5 release to use a
+# consistent namespace as with other overlays. As a side-effect the
+# following cn=config parameters are deprecated and will be removed in a
+# future release: olcDlAttrSet is replaced with olcDynListAttrSet
+# olcDynamicList is replaced with olcDynListConfig”
+#
+# XXX that didn't solve the spaming from nextcloud's user_ldap plugin,
+# so we disable activity mails for “Your group memberships were
+# modified“ for now.  See also
+#
+#   https://github.com/nextcloud/server/issues/42195
+#   https://github.com/nextcloud/server/issues/29832
+#
+# TODO bookworm: use “dynlist-attrset groupOfURLs memberURL
+# member+memberOf@groupOfNames” to also populate memberOf
+#
+dn: olcOverlay=dynlist,olcDatabase={*}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcDynamicList
+olcOverlay: dynlist
+olcDlAttrSet: groupOfURLs memberURL member
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index 9bc227e..8d4e327 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -4,6 +4,15 @@
             target=etc/ldap/syncprov.ldif
             local=file
 
+#- name: Load dyngroup schema
+#  openldap: target=/etc/ldap/schema/dyngroup.ldif
+
+- name: Load and configure the dynlist overlay
+  openldap: module=dynlist
+            suffix=dc=fripost,dc=org
+            target=etc/ldap/dynlist.ldif
+            local=file
+
 ## XXX should be /etc/sasl2/slapd.conf ideally, but it doesn't work with
 ## Stretch, cf #211156 and #798462:
 ##   ldapsearch -LLLx -H ldapi:// -b "" -s base supportedSASLMechanisms
@@ -15,7 +24,4 @@
               owner=root group=root
               mode=0644
 
-#- name: Load dyngroup schema
-#  openldap: target=/etc/ldap/schema/dyngroup.ldif
-
 # TODO: authz constraint
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index a0ac705..f10bb33 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -538,9 +538,11 @@ olcAccess: to dn.exact="ou=groups,dc=fripost,dc=org"
     by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
     by users                                                             =0 break
 olcAccess: to dn.exact="cn=medlemmar,ou=groups,dc=fripost,dc=org"
+        attrs=entry,entryDN,entryUUID,objectClass,cn,description,member
     by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
     by users                                                             =0 break
 olcAccess: to dn.exact="cn=styrelse,ou=groups,dc=fripost,dc=org"
+        attrs=entry,entryDN,entryUUID,objectClass,cn,description,member
     by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
     by users                                                             =0 break
 #