Justin Edmands wrote:
> Certainly new to migrations of LDAP. I migrated our old setup from
> OpenLDAP to
> 389 Directory Server. When using the "id" command on an LDAP client, it
> returns uid,gid, and one group. It for some reason does not show all of
> actual groups that the user is associated with. What is set to return
> values and what setting ensures they are properly mapped from OpenLDAP to
> ### OpenLDAP example: ###
> [root@openldapclient ~]# id jedmands
> uid=9999(jedmands) gid=100(users)
> ### 389 DS Example: ###
> [root@389dsclient ~]# id jedmands
> uid=9999(jedmands) gid=100(users) groups=100(users)
> Posted this to the 389-users list, nothing received.
> We are using the memberOf plugin for 389DS.
> I don't know too much about the openldap environment. I moved to CentOS 6 and
> figured DS was the way to go with SSL/TLS.
I'm pretty sure you figured wrong. OpenLDAP actually works, implements the
LDAP RFCs correctly, and outperforms all other LDAP servers. Compared to
389DS, OpenLDAP bulk-loads data 2x faster, uses 10% less space on disk,
answers search queries 4x faster, and uses 50% less RAM to do it. (Also
answers Binds 6x faster, and performs updates 11x faster.) 389DS is a
hulking pile of obsolete code; the only reason it still exists today is
because RedHat has support contracts for RedHatDS from customers too
ignorant to realize how bad the product they've paid for actually is.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
Thank god you got that off your chest. The solution is:
ldap_group_member = memberUid
ldap_group_search_base = ou=Group,dc=mysite,dc=com
after flushing cache, the clients see the proper groups.
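The fix above is entirely on the client side: sssd only reports the groups whose membership attribute and search base it was told to look at, and a wrong setting fails silently with a shorter group list rather than an error. As an added example (not code from this thread, from OpenLDAP or from 389 DS), the following Python script resolves a user's supplementary groups from a constructed LDIF dump the way an NSS client does, under both the RFC 2307 memberUid attribute (the login name) and the RFC 2307bis member attribute (the user's DN), and reproduces the truncated id output quoted above when the attribute or the group search base is wrong. The entries and the dc=mysite,dc=com suffix are assumed for illustration.

```python
import re

# Constructed LDIF dump of a small RFC 2307 directory (posixGroup entries
# carry memberUid).  Names and suffix are assumed, not taken from the thread.
LDIF = """
dn: uid=jedmands,ou=People,dc=mysite,dc=com
objectClass: posixAccount
uid: jedmands
uidNumber: 9999
gidNumber: 100
cn: Justin Edmands

dn: cn=users,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: users
gidNumber: 100

dn: cn=admins,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 500
memberUid: jedmands

dn: cn=wheel,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: wheel
gidNumber: 501
memberUid: jedmands
memberUid: alice

dn: cn=auditors,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: auditors
gidNumber: 600
memberUid: alice
"""

GROUP_BASE = "ou=Group,dc=mysite,dc=com"  # what ldap_group_search_base points at


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts.
    Attribute names are lower-cased because LDAP treats them case-insensitively.
    Folded continuation lines (leading space) are unfolded; base64 values
    (attr::) are not needed here and are not handled."""
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def dn_in_base(dn, base):
    """True if dn sits below base (subtree scope, as sssd searches by default)."""
    return dn.lower().endswith("," + base.lower())


def resolve_groups(entries, uid, group_base, member_attr):
    """Return (uidNumber, primary gid, {gid: cn}) for uid, the way an NSS
    client computes it: the primary group from the user's gidNumber plus every
    posixGroup under group_base whose member_attr lists the user."""
    user = next(e for e in entries if uid in e.get("uid", []))
    uid_number = int(user["uidnumber"][0])
    primary_gid = int(user["gidnumber"][0])
    # RFC 2307 memberUid stores the login name; RFC 2307bis member stores the DN.
    wanted = user["dn"][0] if member_attr.lower() == "member" else uid
    groups = {}
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "posixgroup" not in classes or not dn_in_base(e["dn"][0], group_base):
            continue
        gid, cn = int(e["gidnumber"][0]), e["cn"][0]
        members = [m.lower() for m in e.get(member_attr.lower(), [])]
        if gid == primary_gid or wanted.lower() in members:
            groups[gid] = cn
    return uid_number, primary_gid, groups


def format_id(uid, uid_number, primary_gid, groups):
    """Render the result in the form id(1) prints; an unresolvable gid is
    printed bare, exactly as id does when the group entry is not found."""
    name = lambda gid: f"{gid}({groups[gid]})" if gid in groups else str(gid)
    gids = sorted(set(groups) | {primary_gid})
    return (f"uid={uid_number}({uid}) gid={name(primary_gid)} "
            f"groups={','.join(name(g) for g in gids)}")


def id_with(member_attr, group_base=GROUP_BASE, uid="jedmands"):
    """Simulate `id <uid>` on a client configured with the given
    ldap_group_member attribute and ldap_group_search_base."""
    entries = parse_ldif(LDIF)
    return format_id(uid, *resolve_groups(entries, uid, group_base, member_attr))


if __name__ == "__main__":
    print("ldap_group_member = member    ->", id_with("member"))
    print("ldap_group_member = memberUid ->", id_with("memberUid"))
    print("wrong search base (ou=Groups) ->", id_with("memberUid", "ou=Groups,dc=mysite,dc=com"))
```

With the membership attribute set to member against memberUid data, the script prints only the primary group, which is the same line the 389 DS client showed above; that is why the symptom points at the client mapping rather than at the server. On a real sssd client the corresponding check is to edit the [domain] section, run sss_cache -E to drop the cached entries, and compare id and getent group output before and after. Note the failure mode: a mismapped attribute or base makes group-granted access (sudo rules, group-writable paths) disappear silently rather than raising an error, so verify the group list on at least one client after any schema or server migration.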