LDAP cannot enable attribute memberOf

xuta · 02-03-2012, 12:24 PM

Here is my configuration

Code:

root@dev-ldap1:/etc/ldap/slapd.d/cn=config# cat cn\=module\{0\}.ldif 
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}memberof
structuralObjectClass: olcModuleList
entryUUID: c27bf3ce-e2dc-1030-9d8e-73630c24e03e
creatorsName: cn=admin,cn=config
createTimestamp: 20120203180054Z
entryCSN: 20120203180054.069719Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20120203180054Z
root@dev-ldap1:/etc/ldap/slapd.d/cn=config# cat olcDatabase\=\{1\}hdb/olcOverlay\=\{0\}memberof 
dn: olcOverlay={0}memberof
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}memberof
structuralObjectClass: olcMemberOf
entryUUID: a410ce98-3fdf-102e-82cf-59ccb6b4d60d
creatorsName: cn=config
createTimestamp: 20090927183056Z
olcMemberOfRefInt: TRUE
entryCSN: 20091009174548.503911Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20091009174548Z

root@dev-ldap1:/etc/ldap/slapd.d/cn=config#

And I try to add user like as member of group

Code:

root@dev-ldap1:~# cat vpn.group.ldif 
dn: cn=vpn,ou=Group,dc=abc,dc=com
objectClass: posixGroup
objectClass: top
cn: vpn
gidNumber: 5555
member: uid=haihq,ou=People,dc=abc,dc=com

root@dev-ldap1:~#

but error

Code:

root@dev-ldap1:~# slapadd -c -v -l vpn.group.ldif 
Entry (cn=vpn,ou=Group,dc=abc,dc=com), attribute 'member' not allowed
slapadd: dn="cn=vpn,ou=Group,dc=abc,dc=com" (line=1): (65) attribute 'member' not allowed
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
root@dev-ldap1:~#

Please tell me what's wrong.
Thank you so much.

acid_kewpie · 02-03-2012, 04:14 PM

member isn't a valid attribute of posixGroup. Try memberUid http://ldap.akbkhome.com/index.php/o...html#memberUid

xuta · 02-03-2012, 09:10 PM

Quote:

Originally Posted by acid_kewpie

member isn't a valid attribute of posixGroup. Try memberUid http://ldap.akbkhome.com/index.php/o...html#memberUid

Thank you, acid_kewpie.

I tried to use attribute member with objectclass groupOfNames, Adding is ok.

Code:

root@dev-ldap1:~# cat ou2.ldif 
dn: ou=Group2,dc=abc,dc=com
objectclass: organizationalUnit
ou: Group2

dn: ou=People2,dc=abc,dc=com
objectclass: organizationalUnit
ou: People2

dn: uid=test1,ou=People2,dc=abc,dc=com
objectclass: account
uid: test1

dn: cn=testgroup,ou=Group2,dc=abc,dc=com
objectclass: groupOfNames
cn: testgroup
member: uid=test1,ou=People2,dc=abc,dc=com

root@dev-ldap1:~#

Show testgroup

Code:

root@dev-ldap1:~# ldapsearch -x cn=testgroup
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> (default) with scope subtree
# filter: cn=testgroup
# requesting: ALL
#

# testgroup, Group2, abc.com
dn: cn=testgroup,ou=Group2,dc=abc,dc=com
objectClass: groupOfNames
cn: testgroup
member: uid=test1,ou=People2,dc=abc,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
root@dev-ldap1:~#

But I cannot search with memberOf

Code:

root@dev-ldap1:~# ldapsearch -x uid=test1 memberOf
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> (default) with scope subtree
# filter: uid=test1
# requesting: memberOf 
#

# test1, People2, abc.com
dn: uid=test1,ou=People2,dc=abc,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
root@dev-ldap1:~#

What is wrong?

acid_kewpie · 02-04-2012, 04:42 AM

your ldifs and searches appear to have nothing to do with one another. What are you trying to achieve?? There is no mention of memberOf at all, outside of you saying it doesn't work. Why do you think it should work in the first place? Note though that your search there DOES work just fine, there is simply no data returned as there is apparently nothing using memberOf in the first place.

xuta · 02-04-2012, 08:11 AM

Quote:

Originally Posted by acid_kewpie

your ldifs and searches appear to have nothing to do with one another. What are you trying to achieve?? There is no mention of memberOf at all, outside of you saying it doesn't work. Why do you think it should work in the first place? Note though that your search there DOES work just fine, there is simply no data returned as there is apparently nothing using memberOf in the first place.

I didn't explain clearly enough my purpose.
I want to search User specifically to find which groups that user belong to.
I tried to do like http://www.openldap.org/doc/admin24/...%20Maintenance and http://serverfault.com/questions/732...penldap-server

and want to see memberOf in Search result, if test1 is member of group testgroup, like this

Code:

 # ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=example,dc=com memberOf
...
 dn: uid=test1,ou=People,dc=example,dc=com
 memberOf: cn=testgroup,ou=Group,dc=example,dc=com

But my case, I don't see it.

acid_kewpie · 02-04-2012, 10:49 AM

yea, but there clearly IS no "memberOf" attribute to show. Are you expecting it to magically appear by virtue of the corresponding "member" attribute existing in the group? LDAP in itself doesn't do that, it doesn't put a context on these attributes, they are just strings of data, and don't mean anything until use use them accordingly.

xuta · 02-04-2012, 11:23 AM

Quote:

Originally Posted by acid_kewpie

yea, but there clearly IS no "memberOf" attribute to show. Are you expecting it to magically appear by virtue of the corresponding "member" attribute existing in the group? LDAP in itself doesn't do that, it doesn't put a context on these attributes, they are just strings of data, and don't mean anything until use use them accordingly.

I understand you mean,
I have to give data memberof directly to Users, like this .ldif file.

Code:

root@dev-ldap1:~# cat ou2.ldif 
dn: dc=abc,dc=com
objectclass: domain
dc: itim

dn: ou=Group2,dc=abc,dc=com
objectclass: organizationalUnit
ou: Group2

dn: ou=People2,dc=abc,dc=com
objectclass: organizationalUnit
ou: People2

dn: uid=test1,ou=People2,dc=abc,dc=com
objectclass: account
memberof: cn=testgroup,ou=Group2,dc=abc,dc=com
memberof: cn=vpn,ou=Group2,dc=abc,dc=com
uid: test1

dn: cn=testgroup,ou=Group2,dc=abc,dc=com
objectclass: groupOfNames
cn: testgroup
member: uid=test1,ou=People2,dc=abc,dc=com

dn: cn=vpn,ou=Group2,dc=abc,dc=com
objectClass: groupOfNames
cn: vpn
member: uid=test1,ou=People2,dc=abc,dc=com

root@dev-ldap1:~#

After that it works,

Code:

root@dev-ldap1:~# ldapsearch -x uid=test1 memberOf
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> (default) with scope subtree
# filter: uid=test1
# requesting: memberOf 
#

# test1, People2, abc.com
dn: uid=test1,ou=People2,dc=abc,dc=com
memberOf: cn=testgroup,ou=Group2,dc=abc,dc=com
memberOf: cn=vpn,ou=Group2,dc=abc,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
root@dev-ldap1:~#

Very cool.

Thank you so much, acid_kewpie.

bsduser07 · 03-12-2012, 01:30 PM

In my tests , I this overlay doesn't works properly !

maybe we need some help from "white ninja with the hair in eye from the north of china " techniques ?

and if we need to put manually the member of attrs, what is the purpose of this overlay????

cheers

acid_kewpie · 03-12-2012, 05:01 PM

please don't hijack other threads.

The use of an overlay / schema extension is to provide the framework of metadata to allow the attributes to exist correctly and in a controlled manner. it doesn't just add them for you, as that doesn't really make any sense. It gives you the ability to add them yourself. LDAP schemas are a LOT more complicated that you probably think they are.

alissonceolin · 03-13-2012, 07:57 AM

sorry I need post this to free my account.

---------- Post added 03-13-12 at 07:57 AM ----------

ok acid_kewpie

you can explain more this point?
becose, reading http://www.openldap.org/doc/admin24/overlays.html

"The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates.

Thus, it provides maintenance of the list of groups an entry is a member of, when usual maintenance of groups is done by modifying the members on the group entry."

this make me think that the memberof overlay will update this attributes automatically in previous accord with http://linux.die.net/man/5/slapo-memberof

reading this another post http://serverfault.com/questions/732...penldap-server , we can see the same example, and the autor not add previouslly memberof attribute at the user object.

Sorry, it I am insistent with this, but I wish to use this resource.

bsduser07 · 03-13-2012, 08:38 AM

Quote:

Originally Posted by acid_kewpie

please don't hijack other threads.

The use of an overlay / schema extension is to provide the framework of metadata to allow the attributes to exist correctly and in a controlled manner. it doesn't just add them for you, as that doesn't really make any sense. It gives you the ability to add them yourself. LDAP schemas are a LOT more complicated that you probably think they are.

Dear moderator, I expect other contributions about this issue, from other people who facing the same problem.
Your reply to my post don help anything. Could you please , if not know about this issue , leave the tread for other real contributions.

salute

acid_kewpie · 03-13-2012, 09:02 AM

Quote:

Originally Posted by bsduser07

Dear moderator, I expect other contributions about this issue, from other people who facing the same problem.
Your reply to my post don help anything. Could you please , if not know about this issue , leave the tread for other real contributions.

salute

I did answer your question as I understood it. But it looks like you would benefit from learning how to use forums more effectively.

alissonceolin · 03-13-2012, 09:58 AM

if I need manage manually the attribut memberof at user what I would use the memeberOf.

I remove the overlay, and insert manually, and this works.

userX@pc42818:~/LDAP$ ldapsearch -LL -x -b dc=example,dc=com "(uid=test1)" memberOf
version: 1

dn: uid=test1,ou=People,dc=example,dc=com
memberOf: cn=testgroup,ou=Group,dc=example,dc=com

but this not sense, if it is true, what the real advantage to use the overlay memberOf?
if somebody know, please tell me.

acid_kewpie · 03-13-2012, 10:59 AM

the real advantage is the bidirectional availability of data. It's taking these variables, the member attribute in a group, and the memberOf attribute on a user object. These fields are just arbitrary items of data by default, they don't *mean* anything at all. The overlay makes them become associated with one another, and updates the peer object's attribute automatically, meaning you have different ways to manipulate the data.