Hi all,
I am trying to get the memberOf overlay attribute working with OpenLDAP.
I need to authenticate to a Cisco ASA 5510 and set up group mapping policy.
I've been round the houses quite a few times and got pretty close but no Marlboro Light (let alone a cigar).
My slapd.conf looks like this:
# /etc/ldap/slapd.conf #
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_bdb
#syncprov added by PT 2009-01-19
moduleload syncprov
# cja/ess/2010.03.29 - added memberOf overlay
moduleload memberof.la
overlay memberof
sizelimit 500
tool-threads 1
backend bdb
database bdb
suffix "dc=essence"
rootdn "cn=admin,dc=essence"
rootpw xxxxxxxxxxxxxxxxxxxxxxx
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass,entryCSN,entryUUID eq
lastmod on
checkpoint 512 30
replogfile /var/lib/ldap/replog
#syncprov added by PT 2009-01-19
overlay syncprov
syncprov-checkpoint 10 5
syncprov-sessionlog 100
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=essence" write
        by dn="cn=samba,dc=essence" write
        by dn="cn=guest,dc=essence" read
        by anonymous auth
        by self write
        by * none
access to dn.base=""
        by * read
access to *
        by dn="cn=admin,dc=essence" write
        by dn="cn=samba,dc=essence" write
        by * read
# end
I've added an LDIF as follows:
dn: cn=vpnusers,ou=Groups,dc=essence
objectclass: groupOfNames
cn: vpnusers
member: userid=chris.alavoine,ou=Users,dc=essence
Which seems to enter ok.
I'm using phpldapadmin to look at my directory. The new group "vpnusers" shows up ok and if I do a:
ldapsearch -x -b "dc=essence" '(uid=chris.alavoine)' memberOf
I get:
# chris.alavoine, Users, essence
dn: uid=chris.alavoine,ou=Users,dc=essence
memberOf: cn=vpnusers,ou=Groups,dc=essence
Unfortunately, when I try to query this information from the Cisco, it's not picking up on the memberOf attribute. I've set up attribute mapping on the Cisco, which allows me to convert the memberOf attribute into something readable by the Cisco, but it's not getting that far.
I'm using Ubuntu 8.04 and OpenLDAP 2.4.9.
Any help much appreciated.
c:)
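As an added example (not code from the post or from OpenLDAP), a small Python check that reads ldapsearch LDIF output and compares the memberOf overlay's view with the groups' member lists in both directions, so that a group entry referring to a DN with no entry, or a user carrying a memberOf the group never granted, is reported before the group is trusted for VPN access policy. The sample LDIF is constructed to mirror the post's entries; the alias table assumes only the userid/uid alias from core.schema, and the LDIF reader is deliberately minimal (no base64 values or folded lines).

```python
import re

# Constructed sample modelled on the post: the group names the user via the
# 'userid' alias while her DN uses 'uid'; 'ghost' has no entry at all; 'bob'
# carries a memberOf value that the group never granted.
SAMPLE_LDIF = """\
dn: cn=vpnusers,ou=Groups,dc=essence
member: userid=chris.alavoine,ou=Users,dc=essence
member: uid=ghost,ou=Users,dc=essence

dn: uid=chris.alavoine,ou=Users,dc=essence
memberOf: cn=vpnusers,ou=Groups,dc=essence

dn: uid=bob,ou=Users,dc=essence
memberOf: cn=vpnusers,ou=Groups,dc=essence
"""
ALIASES = {"userid": "uid"}  # assumed alias table; core.schema: uid NAME ( 'uid' 'userid' )

def normalize_dn(dn):
    """Comparison form of a DN: lowercase, attribute aliases folded, whitespace trimmed."""
    rdns = []
    for typ, _, val in (r.partition("=") for r in re.split(r"(?<!\\),", dn)):
        typ = typ.strip().lower()
        rdns.append(f"{ALIASES.get(typ, typ)}={val.strip().lower()}")
    return ",".join(rdns)

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values or folded lines): {dn: {attr: [values]}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, val = (s.strip() for s in line.partition(":"))
        if not attr or attr.startswith("#"):   # blank line ends an entry; '#' is a comment
            cur = cur if attr else None
        elif attr.lower() == "dn":
            cur = entries.setdefault(normalize_dn(val), {})
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(val)
    return entries

def check_membership(ldif_text):
    """Return sorted (entry, group) pairs where 'member' and 'memberOf' disagree,
    counting a member DN that has no entry as a disagreement too."""
    entries = parse_ldif(ldif_text)
    def values(dn, attr):
        return {normalize_dn(v) for v in entries.get(dn, {}).get(attr, [])}
    bad = set()
    for dn in entries:
        bad |= {(m, dn) for m in values(dn, "member") if dn not in values(m, "memberof")}
        bad |= {(dn, g) for g in values(dn, "memberof") if dn not in values(g, "member")}
    return sorted(bad)
```

Feed it the output of an ldapsearch that requests both attributes explicitly (memberOf is maintained by the overlay and is not returned by a plain "*" request), e.g. `ldapsearch -x -b "dc=essence" member memberOf`.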