Hi everyone,
I am trying to set up OpenLDAP (2.6.7 in an Ubuntu noble container) with the memberOf overlay activated. Adding the users and groups seems to work fine, but I have not yet been able to activate the overlay and query the memberships of a given user.
I am using the following ldif to load the overlay:
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
The config is added using "slapadd -n0 -l /path/to/ldif"; after that I add the users using slapadd. To check whether the overlay works, I am trying to query the memberOf attribute using ldapvi: ldapvi --discover "(uid=exampleUid)" memberOf
Does anyone have a hint for me about what I am doing wrong?
Best regards, Alexander
--On Wednesday, August 7, 2024 10:05 AM +0000 awoestmann@intevation.de wrote:
The config is added using "slapadd -n0 -l /path/to/ldif", after that i add the users using slapadd.
The memberof overlay intercepts ADD and MOD operations on a running slapd instance. If you add users via slapadd, it will not be able to intercept those operations. You need to use ldapadd/ldapmodify operations against a running slapd instance for memberof to take effect.
--Quanah
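Quanah's point can be checked against a slapcat dump of the database. The script below is an added example for this thread, not code from OpenLDAP or from anyone posting here. It parses slapcat-style LDIF (the embedded sample is constructed for the example), derives the memberOf values slapo-memberof would have produced from each groupOfNames member attribute (the olcMemberOfGroupOC/olcMemberOfMemberAD settings in the original post), reports entries where that value is absent and group members that point at no entry (the case olcMemberOfDangling decides), and generates ldapmodify input that replays each group's member list through the running slapd so the overlay fills memberOf in. It assumes DNs in the dump are plain (no escaped commas) and that the generated LDIF is fed to ldapmodify against the live instance by hand. memberOf is an operational attribute, so a search only returns it when it is requested by name, as the ldapvi command in the original post does.

```python
"""Added example for this thread (not OpenLDAP code): after a slapadd-only
load slapo-memberof intercepted no ADD/MOD, so memberOf is absent. Derive the
values it would have written from each group's member attribute and build
ldapmodify input that replays the groups through the running slapd."""
import base64
from collections import defaultdict

# Constructed sample shaped like slapcat output: bob already carries memberOf,
# alice does not, and cn=stale points at an entry that does not exist.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example
memberOf: cn=admins,ou=groups,dc=example,dc=org

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org

dn: cn=stale,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: stale
member: uid=carol,ou=people,dc=example,dc=org
"""

def parse_ldif(text):
    """LDIF -> list of {lower-case attr: [values]}. Handles folded lines,
    comments, 'version:' and '::' base64 values; not a full RFC 2849 reader."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                       # folded continuation
        elif raw == "" and lines:
            entry = defaultdict(list)
            for line in lines:
                name, sep, value = line.partition(":")
                if not sep:
                    raise ValueError(f"bad LDIF line: {line!r}")
                if value.startswith(":"):              # attr:: base64
                    value = base64.b64decode(value[1:]).decode()
                else:
                    value = value.strip()
                entry[name.strip().lower()].append(value)
            entries.append(dict(entry))
            lines = []
        elif raw and not raw.startswith("#") and not raw.lower().startswith("version:"):
            lines.append(raw)
    return entries

def norm_dn(dn):
    """Simplified DN normalisation; assumes plain DNs without escaped commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def expected_memberof(entries, group_oc="groupofnames", member_ad="member"):
    """Return ({normalised member DN: {group DN}} the overlay would write as
    memberOf, {group DN: {member}} for members that are not in the dump)."""
    known = {norm_dn(e["dn"][0]) for e in entries}
    expected, dangling = defaultdict(set), defaultdict(set)
    for e in entries:
        if group_oc in (oc.lower() for oc in e.get("objectclass", [])):
            for member in e.get(member_ad, []):
                if norm_dn(member) in known:
                    expected[norm_dn(member)].add(e["dn"][0])
                else:
                    dangling[e["dn"][0]].add(member)
    return dict(expected), dict(dangling)

def find_missing(entries, memberof_ad="memberof"):
    """{entry DN: {group DN}} whose memberOf value is absent from the dump."""
    by_dn = {norm_dn(e["dn"][0]): e for e in entries}
    missing = {}
    for ndn, groups in expected_memberof(entries)[0].items():
        have = {norm_dn(v) for v in by_dn[ndn].get(memberof_ad, [])}
        gap = {g for g in groups if norm_dn(g) not in have}
        if gap:
            missing[by_dn[ndn]["dn"][0]] = gap
    return missing

def replay_ldif(entries, group_oc="groupofnames", member_ad="member"):
    """ldapmodify input re-applying each group's member list unchanged. The
    MOD reaches the running slapd, so the overlay sees it and maintains
    memberOf itself; groups without member are skipped (member is a MUST)."""
    chunks = []
    for e in entries:
        if group_oc in (oc.lower() for oc in e.get("objectclass", [])) and e.get(member_ad):
            body = [f"dn: {e['dn'][0]}", "changetype: modify", f"replace: {member_ad}"]
            body += [f"{member_ad}: {m}" for m in e[member_ad]] + ["-", ""]
            chunks.append("\n".join(body))
    return "\n".join(chunks)

if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for dn, groups in find_missing(ents).items():
        print(f"missing memberOf on {dn}: {sorted(groups)}")
    for group, members in expected_memberof(ents)[1].items():
        print(f"dangling member(s) in {group}: {sorted(members)}")
    print(replay_ldif(ents))      # feed to ldapmodify against the live slapd
```

Run it on "slapcat -l dump.ldif" output instead of the sample; the replay LDIF goes to ldapmodify with your usual bind options. As Quanah says, the overlay only acts on operations it sees, so whatever was loaded with slapadd has to go through ldapadd/ldapmodify once.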
That indeed seemed to be the problem. With the users added to a running instance everything is working now.
Thank you very much.
Alexander
On 07.08.24 at 16:35, Quanah Gibson-Mount wrote:
Hi Alexandre
1) From slapo-memberof(5) (SLAPO-MEMBEROF(5) File Formats Manual):

DESCRIPTION
...
Note that this overlay is deprecated and support will be dropped in future OpenLDAP releases. Installations should use the dynlist overlay instead. Using this overlay in a replicated environment is especially discouraged.

2) As far as I remember, memberof needs the refint module too...
Not sure about refint, but ...

#### memberof
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
olcModuleLoad: refint
olcModuleLoad: back_monitor

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof
olcRefintAttribute: member
olcRefintAttribute: manager
olcRefintAttribute: owner
Hope it helps you.
On Wed., 7 Aug 2024 at 15:10, awoestmann@intevation.de wrote:
--On Wednesday, August 7, 2024 4:39 PM -0300 Paulo Ricardo Bruck paulobruck1@gmail.com wrote:
Note that this overlay is deprecated and support will be dropped in future OpenLDAP releases. Installations should use the dynlist overlay instead. Using this overlay in a replicated environment is especially discouraged.
As noted in the OpenLDAP 2.6.8 release documentation, slapo-memberof is no longer deprecated.
- as far as I remember, memberof needs refint module too...
Incorrect.
Regards, Quanah
On Wed, Aug 07, 2024 at 01:09:03PM -0700, Quanah Gibson-Mount wrote:
As noted in the OpenLDAP 2.6.8 release documentation, slapo-memberof is no longer deprecated.
With the caveat that if you're replicating, you need to enable memberof's addcheck (which in turn is incompatible with the refint option) and configure memberof on each replica, putting your configured memberof attribute into syncrepl's exattrs.
Regards,
openldap-technical@openldap.org