Hi all,

I'm trying to get the memberOf overlay attribute working with OpenLDAP.

I need to authenticate to a Cisco ASA 5510 and set up group mapping policy.

I've been round the houses quite a few times and got pretty close but no Marlboro Light (let alone a cigar).

My slapd.conf looks like this:

# /etc/ldap/slapd.conf
#

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

modulepath      /usr/lib/ldap

moduleload      back_bdb

#syncprov added by PT 2009-01-19
moduleload      syncprov

# cja/ess/2010.03.29 - added memberOf overlay (module loaded here; the
# "overlay memberof" line is placed under the database definition below,
# because an "overlay" line that appears before the first "database" line
# attaches to the frontend rather than to the bdb database holding the entries)
moduleload memberof.la

sizelimit 500

tool-threads 1

backend         bdb

database        bdb

suffix          "dc=essence"

rootdn          "cn=admin,dc=essence"
rootpw  xxxxxxxxxxxxxxxxxxxxxxx

directory       "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass,entryCSN,entryUUID eq

lastmod         on

checkpoint      512 30

replogfile      /var/lib/ldap/replog

#syncprov added by PT 2009-01-19
overlay syncprov
syncprov-checkpoint 10 5
syncprov-sessionlog 100

# memberOf overlay on this database. memberOf is only maintained for group
# entries added or modified after the overlay is in place; existing groups
# are not back-filled.
overlay memberof

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=essence" write
        by dn="cn=samba,dc=essence" write
        by dn="cn=guest,dc=essence" read
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=essence" write
        by dn="cn=samba,dc=essence" write
        by * read

# end

I've added an LDIF as follows:

# member must hold the member entry's exact DN: the user entry's RDN is
# uid=..., not userid=..., so the value below uses uid=
dn: cn=vpnusers,ou=Groups,dc=essence
objectclass: groupOfNames
cn: vpnusers
member: uid=chris.alavoine,ou=Users,dc=essence

Which seems to enter ok. 

I'm using phpLDAPadmin to look at my directory. The new group "vpnusers" shows up ok, and if I do a:

ldapsearch -x -b "dc=essence" '(uid=chris.alavoine)' memberOf

I get:

# chris.alavoine, Users, essence
dn: uid=chris.alavoine,ou=Users,dc=essence
memberOf: cn=vpnusers,ou=Groups,dc=essence

Unfortunately, when I try to query this information from the Cisco, it's not picking up on the memberOf attribute. I've set up attribute mapping on the Cisco, which allows me to convert the memberOf attribute into something readable by the Cisco, but it's not getting that far.

I'm using Ubuntu 8.04 and OpenLDAP 2.4.9.

Any help much appreciated.

c:)


--
ACS (Alavoine Computer Services)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
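An added editor's example, not the poster's configuration, showing where the slapo-memberof directives belong in slapd.conf and which options are worth setting. The option names are taken from the OpenLDAP 2.4 slapo-memberof(5) man page; whether every one of them is present in the poster's 2.4.9 build is an assumption to check against the man page shipped with that version. The suffix and rootdn are the ones from the post.

```conf
# Added example (editor's, not from the original post). Option names are
# from slapo-memberof(5) for OpenLDAP 2.4; confirm each exists in your
# version before use. slapd.conf has no trailing comments, so every
# comment sits on its own line.

moduleload      memberof.la

database        bdb
suffix          "dc=essence"
rootdn          "cn=admin,dc=essence"
directory       "/var/lib/ldap"

# An "overlay" line attaches to the database defined above it, so it must
# come after "database", never in the global section at the top.
overlay         memberof
# Which entries are groups and which attribute holds the forward link
# (both are the defaults, spelled out for clarity).
memberof-group-oc       groupOfNames
memberof-member-ad      member
# The reverse attribute written on the member entry. When no included
# schema defines memberOf, the overlay registers it itself as an
# operational attribute (USAGE dSAOperation), so clients only receive it
# when they ask for it by name or request "+".
memberof-memberof-ad    memberOf
# Reject a "member" value that names no entry instead of silently
# ignoring it (the default); a typo such as userid= for uid= then fails
# the add with an error rather than leaving the user without memberOf.
memberof-dangling       error
# Remove the memberOf value from members when the group is deleted or
# renamed.
memberof-refint         TRUE
```

Two checks follow from the operational-attribute point. First, `ldapsearch -x -b "dc=essence" '(uid=chris.alavoine)'` with no attribute list returns the entry without memberOf, while the same search with `memberOf` or `'+'` appended shows it; a client that requests the default attribute set, or only `*`, never sees it. Second, to find out what attribute list a given client actually sends, set `loglevel stats` (or run `slapd -d stats`) and read the `SRCH attr=` line that slapd logs after each `SRCH base=` line for that connection: if memberOf is not named there, the server is behaving as designed and the client's request is what has to change.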
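The memberOf overlay writes memberOf onto whichever entry the group's member value names, so the value has to match the member entry's DN exactly (in the sense of distinguishedNameMatch, which ignores case and spacing around separators but not a different attribute type). As an added editor's example, not code from the post or from OpenLDAP, the script below recomputes that reverse mapping offline from LDIF and flags "dangling" member values that name no entry, which the overlay skips silently under its default memberof-dangling setting. The LDIF is constructed here: the poster's user entry, the vpnusers group exactly as posted (member uses userid= while the entry's RDN is uid=), and a second group whose member DN differs from the entry only in case and spacing. The DN normaliser is a simplification of distinguishedNameMatch and handles no escaping or base64 (`::`) values.

```python
"""Recompute slapo-memberof's reverse index offline from LDIF.

Added example, not code from the original post or from OpenLDAP: it mirrors
the mapping the overlay maintains (groupOfNames/member -> memberOf on the
member entry) and reports "dangling" member values that name no entry, which
the overlay ignores silently under its default memberof-dangling setting.
The DN normaliser is a simplification of distinguishedNameMatch: it folds
case and strips whitespace around separators but handles no escaping.
"""

# Constructed sample (not real directory data): the poster's user entry, the
# group as posted (member uses 'userid=' while the entry RDN is 'uid='), and
# a second group whose member DN differs only in case and spacing.
SAMPLE_LDIF = """\
dn: uid=chris.alavoine,ou=Users,dc=essence
objectClass: inetOrgPerson
uid: chris.alavoine
cn: Chris Alavoine
sn: Alavoine

dn: cn=vpnusers,ou=Groups,dc=essence
objectClass: groupOfNames
cn: vpnusers
member: userid=chris.alavoine,ou=Users,dc=essence

dn: cn=admins,ou=Groups,dc=essence
objectClass: groupOfNames
cn: admins
member: UID=chris.alavoine, OU=Users, DC=essence
"""


def parse_ldif(text):
    """Return a list of entries, each {attr_lowercase: [values]} with a 'dn' key."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn):
    """Case-fold and strip whitespace around '=' and ','. No escape handling."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def compute_memberof(entries, group_oc="groupOfNames", member_attr="member"):
    """Return ({normalized entry DN: [group DNs]}, [(group DN, dangling value)])."""
    memberof = {normalize_dn(e["dn"][0]): [] for e in entries}
    dangling = []
    for entry in entries:
        ocs = {oc.lower() for oc in entry.get("objectclass", [])}
        if group_oc.lower() not in ocs:
            continue
        group_dn = entry["dn"][0]
        for member in entry.get(member_attr.lower(), []):
            target = normalize_dn(member)
            if target in memberof:
                memberof[target].append(group_dn)
            else:
                dangling.append((group_dn, member))   # names no entry
    return memberof, dangling


if __name__ == "__main__":
    memberof, dangling = compute_memberof(parse_ldif(SAMPLE_LDIF))
    for dn, groups in memberof.items():
        if groups:
            print(dn, "memberOf:", groups)
    for group_dn, member in dangling:
        print("dangling member in", group_dn, "->", member)
```

Run against the sample, the admins group resolves to the uid= entry despite the different case and spacing, while the vpnusers group's userid= value is reported as dangling: the live overlay would add nothing to the user entry for it, and with memberof-dangling set to error would have refused the group add outright.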