On Wednesday, 5 May 2010 14:31:01 Stuart Cherrington wrote:
> Having successfully upgraded my LDAP install to 2.4.22 on Redhat 5.3 I've
> been looking at use of the 'slapo-memberof' schema as provided by
> The man page for slapo-memberof2.4 indicates I can use the 'memberof-dn'

This relates to it being used in your slapd configuration. However, the man
page is quite clear in that this directive isn't *that* useful (only affects

> So, I've updated my slapd.conf file to allow the 'moduleload
> memberof.la' to be used and restarted ldap2.4 services.

That is not sufficient, you would at least need:
in the affected database. Additionally, note that the overlay only maintains
the memberof attribute for *changes* to the member (or attribute specified by
memberof-member-ad) attribute, the initial population is up to you (or, you
could probably send trivial modifications to all your groupOfNames entries to
force the overlay to update the attributes).

> On the client I
> have configured my ldap.conf without the memberof directive and it works
> fine, but when I use memberof I can no longer login.
> sw,dc=com Fails to log me in.

Firstly, you should be using memberof=DN, not memberof-dn=DN, secondly, does
your user have a matching attribute?

> I can see the people and auth OU's from the client using

But, do these people have correct memberof attributes?

> What is the correct syntax for using the memberof-dn directive?

This is probably irrelevant.

> If the client does NOT have the openldap2.4-server package installed,
> it pass the 'memberof-dn' directive to my LDAP server to be parsed?

Please consult the nss_ldap documentation for nss_base_passwd, but, typically,
it should use the value you have supplied as a filter to a search operation.
Have you manually verified that the accounts you expect to be matched by your
filter do, in fact, match the filter? For example, by using:
$ ldapsearch -x -b ou=people,dc=ldn,dc=sw,dc=com "(memberof-
Note: I copied from your configuration, if your configuration is wrong, fix it,
and re-paste the filter, to make sure you are testing what you have configured.
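
Added example (not part of the original message, and not code from the OpenLDAP project): a Python check for the two points raised above. It reads an LDIF dump of groups and people, reports members that lack the memberOf value the overlay would have written, and builds the ldapmodify input that rewrites a group's member list as the "trivial modification". The DNs are constructed sample data; it assumes unfolded, non-base64 LDIF, the overlay's default member/memberOf attributes, and that a same-value replace is treated by the overlay as a change.

```python
from collections import defaultdict

# Constructed sample data (ldapsearch -LLL style), not taken from the thread.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
memberOf: cn=admins,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}} for simple LDIF."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in record.splitlines():
            name, _, value = line.partition(": ")
            attrs[name.lower()].append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def stale_groups(entries):
    """Map group DN -> members whose entry lacks the matching memberOf.
    A member whose entry is absent from the dump is reported as well."""
    stale = defaultdict(list)
    for dn, attrs in entries.items():
        if "groupofnames" not in (v.lower() for v in attrs["objectclass"]):
            continue
        for member in attrs["member"]:
            user = entries.get(member.lower(), {})
            have = [v.lower() for v in user.get("memberof", [])]
            if dn not in have:
                stale[dn].append(member)
    return dict(stale)

def refresh_ldif(entries, group_dn):
    """ldapmodify input that replaces 'member' with its current values."""
    lines = [f"dn: {group_dn}", "changetype: modify", "replace: member"]
    lines += [f"member: {m}" for m in entries[group_dn]["member"]]
    return "\n".join(lines) + "\n"
```

Accounts listed by stale_groups() will not match a memberof filter on the client until the group has been modified, which is one reason a login can fail even with a correct filter.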