Hi,
I'm playing with memberof overlay. For my tests, I use the default database (numbered 1) from slapd installation with suffix dc=nodomain. The tests are running on debian jessie 8.2 and slapd version 2.4.40+dfsg-1
Activating the module in cn=module entry and activating the overlay for the database, I have something that works like (I think) it should. I mean adding a user (attribute member) in a group creates an attribute memberOf for the user and deleting a user from the group deletes the user's memberOf attribute. That's great.
There is nothing special configured.
# Entrée 1: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config objectclass: olcConfig objectclass: olcOverlayConfig objectclass: olcMemberOf objectclass: top olcoverlay: {0}memberof
Reading the man page, I saw memberof-refint option. From what I understand, when set to true, you can alter the user's "is member of" attribute and that would be reflected in the group's "member" attribute. Right ?
But, the member attribute is an operational attribute and can't be modified. So I started to search for an alternative and found the eduMember schema from here https://spaces.internet2.edu/display/macedir/OpenLDAP+eduMember. Once added to the installation I could use it for objects. It adds isMemberOf and hasMember attributes that can be setable for users and groups. But can't make it work with memberof overlay. When trying to add isMemberOf as memberof-memberof-ad it was rejected with
member attribute=”isMemberOf” must either have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID (1.3.6.1.4.1.1466.115.121.1.34) syntax
And the same error was reported with hasMember as memberof-member-ad.
To make it work together I modified the attribute's definitions and reimported them to openldap. So I can now set isMemberOf as memberof-memberof-ad and the same for hasMember as memberof-member-ad.
The configuration then was like this
# Entrée 1: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config objectclass: olcConfig objectclass: olcOverlayConfig objectclass: olcMemberOf objectclass: top olcmemberofmemberofad: isMemberOf olcoverlay: {0}memberof
Now that works like (I think) it should. I mean adding a user (attribute member) in a group creates an attribute isMemberOf for the user and deleting a user from the group deletes the user's isMemberOf attribute. That's great.
isMemberOf is a modifiable attribute so it's time to test the memberof-refint and set it to TRUE
# Entrée 1: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config objectclass: olcConfig objectclass: olcOverlayConfig objectclass: olcMemberOf objectclass: top olcmemberofmemberofad: isMemberOf olcmemberofrefint: TRUE olcoverlay: {0}memberof
And this is where things do not work. I mean what was working before is still working. If I add a member in a group an atttribute isMemberOf is created for the user. But if I add a second attribute isMemberOf with a second group, no new member is created on the second group. And if I delete the attribute isMemberOf from the user's entry, it is still visible on the group.
Does anybody have any idea why the modifications made on the user (with the deletion of isMemberOf) are not applied to the group ? Is there something I'm doing wrong ?
Thanks.