LinuxQuestions.org
Old 02-03-2012, 01:24 PM   #1
xuta
LQ Newbie
 
LDAP cannot enable attribute memberOf


Here is my configuration
Code:
root@dev-ldap1:/etc/ldap/slapd.d/cn=config# cat cn\=module\{0\}.ldif 
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}memberof
structuralObjectClass: olcModuleList
entryUUID: c27bf3ce-e2dc-1030-9d8e-73630c24e03e
creatorsName: cn=admin,cn=config
createTimestamp: 20120203180054Z
entryCSN: 20120203180054.069719Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20120203180054Z
root@dev-ldap1:/etc/ldap/slapd.d/cn=config# cat olcDatabase\=\{1\}hdb/olcOverlay\=\{0\}memberof 
dn: olcOverlay={0}memberof
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}memberof
structuralObjectClass: olcMemberOf
entryUUID: a410ce98-3fdf-102e-82cf-59ccb6b4d60d
creatorsName: cn=config
createTimestamp: 20090927183056Z
olcMemberOfRefInt: TRUE
entryCSN: 20091009174548.503911Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20091009174548Z

root@dev-ldap1:/etc/ldap/slapd.d/cn=config#
And I try to add a user as a member of a group
Code:
root@dev-ldap1:~# cat vpn.group.ldif 
dn: cn=vpn,ou=Group,dc=abc,dc=com
objectClass: posixGroup
objectClass: top
cn: vpn
gidNumber: 5555
member: uid=haihq,ou=People,dc=abc,dc=com

root@dev-ldap1:~#
but I get an error

Code:
root@dev-ldap1:~# slapadd -c -v -l vpn.group.ldif 
Entry (cn=vpn,ou=Group,dc=abc,dc=com), attribute 'member' not allowed
slapadd: dn="cn=vpn,ou=Group,dc=abc,dc=com" (line=1): (65) attribute 'member' not allowed
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
root@dev-ldap1:~#
Please tell me what's wrong.
Thank you so much.
 
Old 02-03-2012, 05:14 PM   #2
acid_kewpie
Moderator
 
member isn't a valid attribute of posixGroup. Try memberUid http://ldap.akbkhome.com/index.php/o...html#memberUid
 
Old 02-03-2012, 10:10 PM   #3
xuta
LQ Newbie
 
Quote:
Originally Posted by acid_kewpie
member isn't a valid attribute of posixGroup. Try memberUid http://ldap.akbkhome.com/index.php/o...html#memberUid
Thank you, acid_kewpie.

I tried to use the attribute member with objectclass groupOfNames; adding is OK.
Code:
root@dev-ldap1:~# cat ou2.ldif 
dn: ou=Group2,dc=abc,dc=com
objectclass: organizationalUnit
ou: Group2

dn: ou=People2,dc=abc,dc=com
objectclass: organizationalUnit
ou: People2

dn: uid=test1,ou=People2,dc=abc,dc=com
objectclass: account
uid: test1

dn: cn=testgroup,ou=Group2,dc=abc,dc=com
objectclass: groupOfNames
cn: testgroup
member: uid=test1,ou=People2,dc=abc,dc=com

root@dev-ldap1:~#
Show testgroup
Code:
root@dev-ldap1:~# ldapsearch -x cn=testgroup
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> (default) with scope subtree
# filter: cn=testgroup
# requesting: ALL
#

# testgroup, Group2, abc.com
dn: cn=testgroup,ou=Group2,dc=abc,dc=com
objectClass: groupOfNames
cn: testgroup
member: uid=test1,ou=People2,dc=abc,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
root@dev-ldap1:~#
But I cannot search with memberOf
Code:
root@dev-ldap1:~# ldapsearch -x uid=test1 memberOf
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> (default) with scope subtree
# filter: uid=test1
# requesting: memberOf 
#

# test1, People2, abc.com
dn: uid=test1,ou=People2,dc=abc,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
root@dev-ldap1:~#
What is wrong?
 
Old 02-04-2012, 05:42 AM   #4
acid_kewpie
Moderator
 
Your LDIFs and searches appear to have nothing to do with one another. What are you trying to achieve? There is no mention of memberOf at all, outside of you saying it doesn't work. Why do you think it should work in the first place? Note though that your search there DOES work just fine; there is simply no data returned, as there is apparently nothing using memberOf in the first place.
 
Old 02-04-2012, 09:11 AM   #5
xuta
LQ Newbie
 
Quote:
Originally Posted by acid_kewpie
Your LDIFs and searches appear to have nothing to do with one another. What are you trying to achieve? There is no mention of memberOf at all, outside of you saying it doesn't work. Why do you think it should work in the first place? Note though that your search there DOES work just fine; there is simply no data returned, as there is apparently nothing using memberOf in the first place.
I didn't explain my purpose clearly enough.
I want to search for a user, specifically to find which groups that user belongs to.
I tried to do it like http://www.openldap.org/doc/admin24/...%20Maintenance and http://serverfault.com/questions/732...penldap-server

and I want to see memberOf in the search result, if test1 is a member of group testgroup, like this:
Code:
 # ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=example,dc=com memberOf
...
 dn: uid=test1,ou=People,dc=example,dc=com
 memberOf: cn=testgroup,ou=Group,dc=example,dc=com
But in my case, I don't see it.

Last edited by xuta; 02-04-2012 at 09:35 AM.
 
Old 02-04-2012, 11:49 AM   #6
acid_kewpie
Moderator
 
Yeah, but there clearly IS no "memberOf" attribute to show. Are you expecting it to magically appear by virtue of the corresponding "member" attribute existing in the group? LDAP in itself doesn't do that; it doesn't put a context on these attributes, they are just strings of data, and don't mean anything until you use them accordingly.
 
Old 02-04-2012, 12:23 PM   #7
xuta
LQ Newbie
 
Quote:
Originally Posted by acid_kewpie
Yeah, but there clearly IS no "memberOf" attribute to show. Are you expecting it to magically appear by virtue of the corresponding "member" attribute existing in the group? LDAP in itself doesn't do that; it doesn't put a context on these attributes, they are just strings of data, and don't mean anything until you use them accordingly.
I understand what you mean:
I have to give the memberof data directly to the users, like in this .ldif file.
Code:
root@dev-ldap1:~# cat ou2.ldif 
dn: dc=abc,dc=com
objectclass: domain
dc: abc

dn: ou=Group2,dc=abc,dc=com
objectclass: organizationalUnit
ou: Group2

dn: ou=People2,dc=abc,dc=com
objectclass: organizationalUnit
ou: People2

dn: uid=test1,ou=People2,dc=abc,dc=com
objectclass: account
memberof: cn=testgroup,ou=Group2,dc=abc,dc=com
memberof: cn=vpn,ou=Group2,dc=abc,dc=com
uid: test1

dn: cn=testgroup,ou=Group2,dc=abc,dc=com
objectclass: groupOfNames
cn: testgroup
member: uid=test1,ou=People2,dc=abc,dc=com

dn: cn=vpn,ou=Group2,dc=abc,dc=com
objectClass: groupOfNames
cn: vpn
member: uid=test1,ou=People2,dc=abc,dc=com

root@dev-ldap1:~#
After that it works:
Code:
root@dev-ldap1:~# ldapsearch -x uid=test1 memberOf
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> (default) with scope subtree
# filter: uid=test1
# requesting: memberOf 
#

# test1, People2, abc.com
dn: uid=test1,ou=People2,dc=abc,dc=com
memberOf: cn=testgroup,ou=Group2,dc=abc,dc=com
memberOf: cn=vpn,ou=Group2,dc=abc,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
root@dev-ldap1:~#
Very cool.

Thank you so much, acid_kewpie.
 
Old 03-12-2012, 02:30 PM   #8
bsduser07
LQ Newbie
 
about this overlay

In my tests, this overlay doesn't work properly!

Maybe we need some help from "white ninja with the hair in eye from the north of china" techniques?

And if we need to put the memberOf attrs in manually, what is the purpose of this overlay?

Cheers
 
Old 03-12-2012, 06:01 PM   #9
acid_kewpie
Moderator
 
Please don't hijack other threads.

The use of an overlay / schema extension is to provide the framework of metadata to allow the attributes to exist correctly and in a controlled manner. It doesn't just add them for you, as that doesn't really make any sense. It gives you the ability to add them yourself. LDAP schemas are a LOT more complicated than you probably think they are.
 
Old 03-13-2012, 08:57 AM   #10
alissonceolin
LQ Newbie
 
Sorry, I need to post this to free my account.

---------- Post added 03-13-12 at 07:57 AM ----------

OK acid_kewpie,

can you explain this point more?
Because, reading http://www.openldap.org/doc/admin24/overlays.html:

"The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates.

Thus, it provides maintenance of the list of groups an entry is a member of, when usual maintenance of groups is done by modifying the members on the group entry."

This makes me think that the memberof overlay will update these attributes automatically, in accordance with http://linux.die.net/man/5/slapo-memberof

Reading this other post http://serverfault.com/questions/732...penldap-server , we can see the same example, and the author did not add the memberof attribute to the user object beforehand.

Sorry if I am insistent about this, but I wish to use this resource.
 
Old 03-13-2012, 09:38 AM   #11
bsduser07
LQ Newbie
 
reply

Quote:
Originally Posted by acid_kewpie
Please don't hijack other threads.

The use of an overlay / schema extension is to provide the framework of metadata to allow the attributes to exist correctly and in a controlled manner. It doesn't just add them for you, as that doesn't really make any sense. It gives you the ability to add them yourself. LDAP schemas are a LOT more complicated than you probably think they are.
Dear moderator, I expect other contributions about this issue, from other people who are facing the same problem.
Your reply to my post doesn't help at all. Could you please, if you don't know about this issue, leave the thread for other real contributions.

salute
 
Old 03-13-2012, 10:02 AM   #12
acid_kewpie
Moderator
 
Quote:
Originally Posted by bsduser07
Dear moderator, I expect other contributions about this issue, from other people who are facing the same problem.
Your reply to my post doesn't help at all. Could you please, if you don't know about this issue, leave the thread for other real contributions.

salute
I did answer your question as I understood it. But it looks like you would benefit from learning how to use forums more effectively.
 
Old 03-13-2012, 10:58 AM   #13
alissonceolin
LQ Newbie
 
If I need to manage the memberof attribute on the user manually, why would I use memberOf?

I removed the overlay and inserted it manually, and this works.
Code:
userX@pc42818:~/LDAP$ ldapsearch -LL -x -b dc=example,dc=com "(uid=test1)" memberOf
version: 1

dn: uid=test1,ou=People,dc=example,dc=com
memberOf: cn=testgroup,ou=Group,dc=example,dc=com

But this makes no sense; if it is true, what is the real advantage of using the memberOf overlay?
If somebody knows, please tell me.
 
Old 03-13-2012, 11:59 AM   #14
acid_kewpie
Moderator
 
The real advantage is the bidirectional availability of data. It's taking these variables, the member attribute in a group and the memberOf attribute on a user object. These fields are just arbitrary items of data by default; they don't *mean* anything at all. The overlay makes them become associated with one another, and updates the peer object's attribute automatically, meaning you have different ways to manipulate the data.
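As an added illustration, not code from this thread or from OpenLDAP, here is a Python model of what the memberof overlay maintains, as described in the docs quoted in post #10 and in the reply above: the memberOf values on a user entry are the inverse of the member values on groupOfNames entries, and with olcMemberOfRefInt: TRUE they disappear again when the group is deleted. The overlay only runs inside slapd on ldapadd/ldapmodify/ldapdelete operations, so entries loaded offline with slapadd (as in post #1) get no memberOf from it, and memberOf is an operational attribute that ldapsearch returns only when asked for by name, as every search in this thread does. The LDIF below is constructed from the thread's DNs, and the function and parameter names are mine.

```python
from collections import defaultdict

# Constructed LDIF modelled on the thread's DNs: member is set on the groups,
# nothing is typed into the user entry by hand.
LDIF = """\
dn: uid=test1,ou=People2,dc=abc,dc=com
objectClass: account
uid: test1

dn: cn=testgroup,ou=Group2,dc=abc,dc=com
objectClass: groupOfNames
cn: testgroup
member: uid=test1,ou=People2,dc=abc,dc=com

dn: cn=vpn,ou=Group2,dc=abc,dc=com
objectClass: groupOfNames
cn: vpn
member: uid=test1,ou=People2,dc=abc,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr (lowercased): [values]}}.
    Handles neither line folding nor base64 values; enough for this sample."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def derive_memberof(entries, group_oc="groupofnames", member_attr="member"):
    """What slapo-memberof maintains on each add/modify: every DN listed in
    'member' on an entry of the trigger objectClass gets that group's DN as a
    memberOf value. DNs are compared as plain strings here; slapd normalises them."""
    memberof = defaultdict(set)
    for group_dn, attrs in entries.items():
        classes = {oc.lower() for oc in attrs.get("objectclass", [])}
        if group_oc in classes:
            for member_dn in attrs.get(member_attr, []):
                memberof[member_dn].add(group_dn)
    return {dn: sorted(groups) for dn, groups in memberof.items()}

def delete_group(entries, group_dn):
    """olcMemberOfRefInt: TRUE behaviour: deleting the group removes the matching
    memberOf value from every former member. Returns the recomputed view."""
    del entries[group_dn]
    return derive_memberof(entries)
```

Running `derive_memberof(parse_ldif(LDIF))` yields test1 with both testgroup and vpn, matching the search output in post #7 without any hand-entered memberof lines.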
 
  

