
I've been trying for 2 days now to get the memberof overlay of OpenLDAP to work and give some actual results. My database config:

database    bdb
suffix      "dc=example,dc=net"
checkpoint  1024 15
rootdn      "cn=root,dc=example,dc=net"
rootpw          {SSHA}stuffffffff

directory   /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

overlay memberof

Then

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

Restart slapd and create test user and test group. Then ldap search to see the result:

[root@sso openldap]#  ldapsearch -W -H ldapi:/// "(uid=test123)" -b dc=example,dc=net memberOf
Enter LDAP Password: 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=net> with scope subtree
# filter: (uid=test123)
# requesting: memberOf 
#

# search result
search: 3
result: 0 Success

# numResponses: 1

And still not showing the memberof attributes. According to the openldap documentation it should be exactly that simple - add overlay memberof to the slapd.conf and it should work. Any idea? Thanks.

2 Answers


I know this is an old thread, but maybe this will help somebody else. I am a noob that recently installed and used the memberOf overlay on an OpenLDAP 2.4.31 (Ubuntu 14.04 LTS) server. The most important things I learned were:

  • Since OpenLDAP version 2.3, configuration is done dynamically (OLC) using Directory Information Trees, optionally making the static slapd.conf method obsolete. Use it.

  • Add the memberof and refint overlays as explained here

  • EDIT: Keep in mind this overlay works with (among others) the groupOfNames ObjectClass and does not work with the standard posixGroup ObjectClass.

ededed
    The point about using `groupOfNames` did the trick for me - the overlay had been installed and groups (using `posixGroup`) had been created, but no users had the 'memberOf' attribute. Recreating the groups as 'groupOfNames' and then adding users to them worked. – sonicwave Aug 30 '16 at 11:47
  • Final point is false. It works with whatever object class you configure it to work with. I have been using it with `organizationalRole` and `groupOfUniqueNames` for nearly ten years. – user207421 Jan 14 '18 at 16:51

You don't state whether you added the new user to the new group, but in any case you've loaded the memberof overlay but not configured it. Unless you're relying on the default configuration, whatever that is, you need to configure three or four aspects. See man slapo-memberof for details, I'm not going to repeat them here.

user207421
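Putting both answers together (dynamic cn=config instead of slapd.conf, the overlay's options spelled out rather than left to defaults, and a groupOfNames group instead of posixGroup), here is an added example LDIF; it is not from the question or either answer. The module entry name cn=module{0}, the database entry olcDatabase={1}bdb, and the ou=groups/ou=people entries are assumptions that must be checked against the target server.

```ldif
# Added example, not from the original question or answers. The cn=config
# DNs below are assumptions: verify them first with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(|(cn=module*)(olcDatabase=*))" dn
# then apply this file with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif

# 1. Load the overlay module (entry name and module file are assumptions).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

# 2. Attach memberof to the database that serves dc=example,dc=net, with
#    every option explicit. olcMemberOfRefInt TRUE keeps memberOf values
#    consistent when a member entry is deleted or renamed, which is what
#    the refint point in the first answer refers to.
dn: olcOverlay=memberof,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore

# 3. A group the overlay will actually process: groupOfNames carrying a
#    "member" DN, not posixGroup carrying memberUid. The group and user
#    entries are constructed for this example.
dn: cn=testgroup,ou=groups,dc=example,dc=net
changetype: add
objectClass: groupOfNames
cn: testgroup
member: uid=test123,ou=people,dc=example,dc=net
```

The overlay only maintains memberOf for group modifications made after it is active, so groups created before loading it need to be re-added (or their member values re-written) before the ldapsearch from the question shows anything.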