Hello again,
Having successfully upgraded my LDAP install to 2.4.22 on Redhat 5.3 I've been looking at use of the 'slapo-memberof' schema as provided by openldap2.4-server package.
The man page for slapo-memberof2.4 indicates I can use the 'memberof-dn' directive.
So, I've updated my slapd.conf file to allow the 'moduleload memberof.la' to be used and restarted ldap2.4 services. On the client I have configured my ldap.conf without the memberof directive and it works fine, but when I use memberof I can no longer login.
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com Works fine
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?memberof-dn=cn=access,ou=auth,dc=ldn,dc=sw,dc=com Fails to log me in.
I can see the people and auth OU's from the client using ldapsearch.
Questions: What is the correct syntax for using the memberof-dn directive? If the client does NOT have the openldap2.4-server package installed, does it pass the 'memberof-dn' directive to my LDAP server to be parsed?
TIA,
Stuart.
_________________________________________________________________ http://clk.atdmt.com/UKM/go/195013117/direct/01/ We want to hear all your funny, exciting and crazy Hotmail stories. Tell us now
On Wednesday, 5 May 2010 14:31:01 Stuart Cherrington wrote:
Hello again,
Having successfully upgraded my LDAP install to 2.4.22 on Redhat 5.3 I've been looking at use of the 'slapo-memberof' schema as provided by openldap2.4-server package.
The man page for slapo-memberof2.4 indicates I can use the 'memberof-dn' directive.
This relates to it being used in your slapd configuration. However, the man page is quite clear in that this directive isn't *that* useful (only affects operational attributes).
So, I've updated my slapd.conf file to allow the 'moduleload memberof.la' to be used and restarted ldap2.4 services.
That is not sufficient, you would at least need: overlay memberof
in the affected database. Additionally, note that the overlay only maintains the memberof attribute for *changes* to the member (or attribute specified by memberof-member-ad) attribute, the initial population is up to you (or, you could probably send trivial modifications to all your groupOfNames entries to force the overlay to update the attributes.
On the client I have configured my ldap.conf without the memberof directive and it works fine, but when I use memberof I can no longer login.
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com Works fine
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?memberof-dn=cn=access,ou=auth,dc=ldn,dc= sw,dc=com Fails to log me in.
Firstly, you should be using memberof=DN, not memberof-dn=DN, secondly, does your user have a matching attribute?
I can see the people and auth OU's from the client using ldapsearch.
But, do these people have correct memberof attributes?
Questions: What is the correct syntax for using the memberof-dn directive?
This is probably irrelevant.
If the client does NOT have the openldap2.4-server package installed, does it pass the 'memberof-dn' directive to my LDAP server to be parsed?
Please consult the nss_ldap documentation for nss_base_passwd, but, typically, it should use the value you have supplied as a filter to a search operation. Have you manually verified that the accounts you expect to be matched by your filter do, in fact, match the filter? For example, by using:
$ ldapsearch -x -b ou=people,dc=ldn,dc=sw,dc=com "(memberof- dn=cn=access,ou=auth,dc=ldn,dc=sw,dc=com)"
Note: I copied from your configuration, if your configuration is wrong, fix it, and re-paste the filter, to make sure you are testing what you have configured ....
Regards, Buchan
openldap-technical@openldap.org
-
Buchan Milne -
Stuart Cherrington