Hi,
I installed the latest OpenLDAP, 2.4.23, with a basic database setup:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/personaddon.schema
loglevel config stats stats2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
moduleload memberof.la
moduleload refint.la
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword,userPKCS12 by self write by * auth
access to attrs=shadowLastChange by self write by * read
access to * by * read
database bdb
suffix "dc=my-domain,dc=com"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /var/lib/ldap
index objectClass eq
index uid,cn,mail,member,sn,manager eq
Then I included a standard memberof overlay config:
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint true
This works fine (database population below). After that I configured a second memberof overlay like this:
overlay memberof
memberof-group-oc inetOrgPerson
memberof-member-ad manager
memberof-memberof-ad owner
memberof-refint true
memberof-dangling error
I pointed from one inetOrgPerson object by the attribute manager to another, where this should be shown as "owner". For the latter I created an AUXILIARY objectclass to include the owner attribute in the inetOrgPerson object. But memberof-memberof-ad does not work: it is still memberOf and not owner.
Here is the dump (I removed some attributes like creatorsName etc.):
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: domain
dc: my-domain

dn: ou=humans,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: humans

dn: ou=accounts,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: accounts

dn: uid=fa770001,ou=accounts,dc=my-domain,dc=com
gidNumber: 9000
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9000
uid: fa770001
homeDirectory: /home/fa770001
cn: Max Mustermann
sn: Mustermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com

dn: ou=groups,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=users1,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users1
member: employeeNumber=0002,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0002
sn: Hermann
cn: Heinz Hermann
memberOf: cn=users1,ou=groups,dc=my-domain,dc=com

dn: uid=fa770002,ou=accounts,dc=my-domain,dc=com
gidNumber: 9001
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9001
uid: fa770002
homeDirectory: /home/fa770002
sn: Hermann
cn: Heinz Hermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users2
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
And here is an ldapsearch for employeeNumber=0001, who is a member of cn=users2,ou=groups and a manager in uid=fa770001,ou=accounts and uid=fa770002,ou=accounts. But the two memberof overlays both effectively use the default memberof-memberof-ad memberOf attribute:
# 0001, humans, my-domain.com
dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
structuralObjectClass: inetOrgPerson
entryUUID: ee628de6-8d8c-102f-9f77-3d86f090c509
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20101126094021Z
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com
modifiersName: cn=Manager,dc=my-domain,dc=com
entryCSN: 20101126112349.873160Z#000000#000#000000
modifyTimestamp: 20101126112349Z
entryDN: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Is there something I did wrong?
Marc
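As an added example (not part of Marc's post and not OpenLDAP code), the script below audits a slapcat/ldapsearch LDIF dump against the two memberof overlay instances configured above. Each instance is encoded as a (memberof-group-oc, memberof-member-ad, memberof-memberof-ad) triple; the script computes the reverse links the overlay should have written, then reports back-links that are missing, back-links that no rule accounts for (the symptom in the post: manager links landing in memberOf instead of owner), and forward links to DNs absent from the dump (what memberof-dangling error would reject). The LDIF is constructed to mirror the posted dump with operational attributes trimmed; the parser is minimal (folded lines and base64 values only, no :< URLs) and DN comparison is plain lower-casing rather than full RFC 4514 normalization.

```python
"""Audit memberof overlay reverse links in an LDIF dump.

Added example, not code from the original post or from OpenLDAP.
"""
import base64
from collections import defaultdict

# The two overlay instances from the post: (group-oc, member-ad, memberof-ad).
RULES = [
    ("groupOfNames", "member", "memberOf"),
    ("inetOrgPerson", "manager", "owner"),
]

# Constructed LDIF mirroring the dump in the post (operational attributes removed).
SAMPLE_LDIF = """\
dn: uid=fa770001,ou=accounts,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: fa770001
cn: Max Mustermann
sn: Mustermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: uid=fa770002,ou=accounts,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: fa770002
cn: Heinz Hermann
sn: Hermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: personAddon
employeeNumber: 0001
cn: Max Mustermann
sn: Mustermann
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com

dn: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: personAddon
employeeNumber: 0002
cn: Heinz Hermann
sn: Hermann
memberOf: cn=users1,ou=groups,dc=my-domain,dc=com

dn: cn=users1,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
cn: users1
member: employeeNumber=0002,ou=humans,dc=my-domain,dc=com

dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
cn: users2
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
"""


def norm(dn):
    """Case-fold a DN for comparison (assumption: no escapes or stray spaces)."""
    return dn.strip().lower()


def _unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lower: [values]}}; handles '::' base64 values."""
    entries, attrs, dn = {}, {}, None
    for line in _unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line terminates a record
            if dn is not None:
                entries[dn] = attrs
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def check_backlinks(entries, rules):
    """Return (dn, attribute, kind, value) for each deviation from the rules.

    kind is 'missing' (back-link the overlay should have written), 'unexpected'
    (back-link no rule produces, e.g. written to the wrong attribute) or
    'dangling' (forward link to a DN that is not in the dump).
    """
    known = {norm(dn) for dn in entries}
    expected = defaultdict(lambda: defaultdict(set))  # norm(target) -> ad -> {source}
    problems = []
    for dn, attrs in entries.items():
        ocs = {v.lower() for v in attrs.get("objectclass", [])}
        for group_oc, member_ad, memberof_ad in rules:
            if group_oc.lower() not in ocs:
                continue
            for target in attrs.get(member_ad.lower(), []):
                if norm(target) not in known:
                    problems.append((dn, member_ad, "dangling", target))
                expected[norm(target)][memberof_ad.lower()].add(dn)
    backlink_ads = list(dict.fromkeys(r[2] for r in rules))  # ordered, deduplicated
    for dn, attrs in entries.items():
        for ad in backlink_ads:
            want = expected.get(norm(dn), {}).get(ad.lower(), set())
            have = attrs.get(ad.lower(), [])
            want_n, have_n = {norm(v) for v in want}, {norm(v) for v in have}
            problems.extend((dn, ad, "missing", v) for v in sorted(want) if norm(v) not in have_n)
            problems.extend((dn, ad, "unexpected", v) for v in sorted(have) if norm(v) not in want_n)
    return problems


if __name__ == "__main__":
    for dn, ad, kind, value in check_backlinks(parse_ldif(SAMPLE_LDIF), RULES):
        print(f"{kind:10s} {dn}  {ad}: {value}")
```

Run against a real dump with `slapcat | python3 check_memberof.py` style plumbing (replace SAMPLE_LDIF with sys.stdin.read()); on the sample it reports the two manager links as unexpected memberOf values on employeeNumber=0001 and the same two DNs as missing owner values, which is exactly the mismatch the post describes.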