From f647dd2265bf4c5a2903325f628774eace2011ce Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 30 Jan 2025 00:58:13 +0100 Subject: LDAP: Load dynlist overlay. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Looks like nextcloud 26-29 broke something in the handling of dynamic groups via memberURL attribute (and keeps repopulating the group — possibly due to paging — thereby spamming members with “An administrator removed you from group medlemmar” mails), so we expand on the slapd via slapo-dynlist(5) instead. This commit also fixes an issue with the openldap module where the index of the leftmost attribute of the DN is not necessarily {0}. --- roles/LDAP-provider/files/etc/ldap/dynlist.ldif | 26 +++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 roles/LDAP-provider/files/etc/ldap/dynlist.ldif (limited to 'roles/LDAP-provider/files/etc/ldap') diff --git a/roles/LDAP-provider/files/etc/ldap/dynlist.ldif b/roles/LDAP-provider/files/etc/ldap/dynlist.ldif new file mode 100644 index 0000000..df9a806 --- /dev/null +++ b/roles/LDAP-provider/files/etc/ldap/dynlist.ldif
@@ -0,0 +1,26 @@ +# References: +# - https://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists +# - man 5 slapo-dynlist + +# TODO bookworm (slapd 2.5) +# “The dynlist overlay has been reworked with the 2.5 release to use a +# consistent namespace as with other overlays. As a side-effect the +# following cn=config parameters are deprecated and will be removed in a +# future release: olcDlAttrSet is replaced with olcDynListAttrSet +# olcDynamicList is replaced with olcDynListConfig” +# +# XXX that didn't solve the spaming from nextcloud's user_ldap plugin, +# so we disable activity mails for “Your group memberships were +# modified“ for now. See also +# +# https://github.com/nextcloud/server/issues/42195 +# https://github.com/nextcloud/server/issues/29832 +# +# TODO bookworm: use “dynlist-attrset groupOfURLs memberURL +# member+memberOf@groupOfNames” to also populate memberOf +# +dn: olcOverlay=dynlist,olcDatabase={*}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcDynamicList +olcOverlay: dynlist +olcDlAttrSet: groupOfURLs memberURL member -- cgit v1.2.3
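Review bot: The entry at the end of the hunk only configures the overlay (objectClass: olcDynamicList, olcDlAttrSet), while the subject says "Load dynlist overlay"; nothing in this file loads the dynlist module, so applying the LDIF on its own would fail on a slapd where dynlist is built as a module and not yet loaded. A comment in the header pointing at where olcModuleLoad for dynlist is handled would make that dependency explicit. The dn line uses olcDatabase={*}mdb, which is not a literal cn=config index, so the header should also say what expands that placeholder and to which databases. Finally, "olcDlAttrSet: groupOfURLs memberURL member" turns member into the computed result of the memberURL search, so whoever can write memberURL on a groupOfURLs entry decides the group's membership as consumers such as nextcloud see it; a note next to that line that write access to memberURL must be restricted as tightly as write access to member would be worth adding.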