
Commit 9b45607

Update bitnami/openldap/README.md (#75937)
* Update bitnami/openldap/README.md Add documentation for OpenLdap Dyn List and Member Of overlays consideration while using msuser schema Signed-off-by: Philippe Duveau <pduvax@gmail.com>
1 parent 6a8d0ae commit 9b45607

1 file changed

+36
-0
lines changed

bitnami/openldap/README.md

Lines changed: 36 additions & 0 deletions
@@ -235,6 +235,42 @@ Check the official page [OpenLDAP, Overlays, Access Logging](https://www.openlda
235235

236236
Check the official page [OpenLDAP, Overlays, Sync Provider](https://www.openldap.org/doc/admin26/overlays.html#Sync%20Provider) for detailed configuration information.
237237

238+
#### Dynamic List or Member Of
239+
240+
The overlays `dynlist` and `memberof` both require the operational `memberOf` attribute to be present in the loaded schema. During initialization, a check is performed for the presence of this attribute; if it is absent, it is created programmatically.
241+
242+
At the same time, the `msuser` schema declares the same attribute. If both the schema and at least one of the overlays are required, a conflict may arise depending on the load order, such as whether the schema is loaded before or after the overlays. If the overlays are loaded first, the process stops and raises a `Duplicate attribute` error.
243+
244+
In a standard {{ .Name }} installation (deb or rpm), its configuration is stored in the main file, which may include another one. In this case, the order is determined by the order of directives.
245+
246+
For configuration flexibility, the container-based approach relies on a file tree structure rather than a master file with includes. To ensure the correct order, the file tree must be read deterministically. Fortunately, Linux sorts folder content using alphanumeric order. This allows overlay loading after the schema by using a keyword that is after `schema` in alphanumeric sorting (i.e. `cn=z-module{N}` will be loaded after `cn=schema` as they are both children of `cn=config`). Doing so, the configuration merging `msuser` schema and `dynlist` (or `memberof`) will load without errors.
247+
248+
IMPORTANT: The `dynlist` requires the schema `dyngroup`. This can be done by adding it to the list of schemas to load through `LDAP_EXTRA_SCHEMAS`.
249+
250+
The following example shows how to declare the module `dynlist` with the support of dynamic (groupOfUrls) and static (groupOfNames) groups. The `olcDatabase={N}mdb` has to be adjusted to the target configuration.
251+
252+
```bash
253+
ldapadd -D "cn=admin,cn=config" -w "configpassword" <<EOF
254+
dn: cn=z-module,cn=config
255+
objectClass: olcModuleList
256+
cn: z-module
257+
olcModuleLoad: dynlist.so
258+
olcModulePath: /opt/bitnami/openldap/lib/openldap
259+
260+
dn: olcOverlay=dynlist,olcDatabase={N}mdb,cn=config
261+
objectClass: olcConfig
262+
objectClass: olcDynListConfig
263+
objectClass: olcOverlayConfig
264+
objectClass: top
265+
olcOverlay: dynlist
266+
olcDynListAttrSet: groupOfUrls memberURL member+memberOf@groupOfNames
267+
EOF
268+
```
269+
270+
This example is compatible with or without the usage of the `msuser` schema.
271+
272+
Check the official page [OpenLDAP, Overlays, Dynamic Lists](https://www.openldap.org/doc/admin26/overlays.html#Dynamic%20Lists) for detailed configuration information.
273+
238274
### Securing OpenLDAP traffic
239275

240276
OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. Should you desire to enable this optional feature, you may use the following environment variables to configure the application:
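Review bot: the `ldapadd -D "cn=admin,cn=config" -w "configpassword" <<EOF` example (line 253) passes the config-database password as a command-line argument, so it lands in shell history and is visible to every local user via `ps`; since this README otherwise tells users how to protect the directory, prefer `-W` (interactive prompt) or `-y <passfile>` in the example, or at least state that `configpassword` is a placeholder to be replaced. Two smaller points in the prose: line 244 contains a raw template token `{{ .Name }}` ("In a standard {{ .Name }} installation") that will render literally unless this README is generated from a template, so it should probably just say OpenLDAP; and line 246 attributes the load order to "Linux sorts folder content using alphanumeric order", but a filesystem directory listing has no guaranteed order, so the sentence should say that slapd sorts the `cn=config` entries by name when it reads the configuration tree, which is what actually makes `cn=z-module` load after `cn=schema`. Finally, line 246 refers to `cn=z-module{N}` while the example on line 254 creates `cn=z-module`; a short remark that slapd appends the `{N}` ordering index itself would avoid readers typing the braces.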
