From f647dd2265bf4c5a2903325f628774eace2011ce Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 30 Jan 2025 00:58:13 +0100
Subject: LDAP: Load dynlist overlay.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Looks like nextcloud 26-29 broke something in the handling of dynamic groups via memberURL attribute (and keeps repopulating the group — possibly due to paging — thereby spamming members with “An administrator removed you from group medlemmar” mails), so we expand on the slapd via slapo-dynlist(5) instead. This commit also fixes an issue with the openldap module where the index of the leftmost attribute of the DN is not necessary {0}.
---
 lib/modules/openldap | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
(limited to 'lib/modules')
diff --git a/lib/modules/openldap b/lib/modules/openldap
index c09e791..f24a802 100644
--- a/lib/modules/openldap
+++ b/lib/modules/openldap
@@ -38,6 +38,7 @@ indexedAttributes = frozenset([
 'olcOverlay',
 'olcLimits',
 'olcAuthzRegexp',
+ 'olcDlAttrSet',
 'olcDbConfig',
 ])
@@ -156,6 +157,7 @@ def processEntry(module, l, dn, entry):
 d,e = r
 fst = str2dn(dn).pop(0)[0][0]
 diff = []
+ re1 = re.compile( b'^(\{[0-9]+\})', re.I )
 for a,v in e.items():
 if a not in entry.keys():
 if a != fst:
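Review bot: The pattern given to `re.compile` in the added `re1` line is a non-raw bytes literal containing `\{` and `\}`, which are invalid escape sequences and produce a warning on current Python 3 releases; a raw literal avoids that: `re1 = re.compile(rb'^(\{[0-9]+\})')`. `re.I` has no effect on a pattern made only of braces and digits, and the leading `^` is redundant because the pattern is used with `.match()`. The pattern is also recompiled on every call, so it could be defined once at module level. The body of processEntry starts and ends outside this hunk.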
@@ -168,11 +170,22 @@ def processEntry(module, l, dn, entry):
 # by a DN with proper gidNumber and uidNumber
 entry[a] = list(map ( partial(sasl_ext_re.sub, acl_sasl_ext)
 , entry[a] ))
- # add explicit indices in the entry from the LDIF
- entry[a] = list(map( (lambda x: b'{%d}%s' % x)
- , zip(range(len(entry[a])),entry[a])))
- if v != entry[a]:
- diff.append(( ldap.MOD_REPLACE, a, entry[a] ))
+ if a == fst:
+ if len(entry[a]) != 1 or len(v) != 1:
+ module.fail_json(msg=f'{len(entry[a])} != 1 or {len(v)} != 1')
+ m1 = re1.match(v[0])
+ if m1 is None:
+ module.fail_json(msg=f'{v[0]} is not indexed??')
+ else:
+ entry[a][0] = m1.group(1) + entry[a][0]
+ if entry[a] != v:
+ module.fail_json(msg=f'{entry[a]} != {v}, use modrdn to modifify the RDN (unimplemented)')
+ else:
+ # add explicit indices in the entry from the LDIF
+ entry[a] = list(map( (lambda x: b'{%d}%s' % x)
+ , zip(range(len(entry[a])),entry[a])))
+ if v != entry[a]:
+ diff.append(( ldap.MOD_REPLACE, a, entry[a] ))
 elif v != entry[a]:
 # for non-indexed attribute, we update values in the
 # symmetric difference only
-- cgit v1.2.3
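Review bot: The three `module.fail_json` calls in the new `a == fst` branch report only lengths or raw bytes values, without the DN or the attribute name, so an operator cannot tell which entry tripped the check; the f-strings also render the bytes values in their `b'...'` repr form. Messages such as `module.fail_json(msg=f'{dn}: RDN attribute {a} must be single-valued')` and `module.fail_json(msg=f'{dn}: server value {v[0]!r} of {a} carries no {{N}} index')` would be easier to act on, and the last message has a typo (`modifify`). A short comment saying why the RDN attribute keeps the server-assigned index instead of being renumbered from 0 would also help, since that reason is only given in the commit message. Indentation is lost in this rendering, so the nesting is inferred, and the enclosing `if` and `for` start outside the hunk.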