Hello guys,
In our infra we are using openldap in old style slapd.conf config to centralize users, groups, etc.
I would like to know how I enable memberOf in openldap old style config?
On Fri, 16 Sep 2016 13:28:41 -0300, Elias Pereira empbilly@gmail.com wrote:
> Hello guys,
> In our infra we are using openldap in old style slapd.conf config to centralize users, groups, etc.
> I would like to know how I enable memberOf in openldap old style config?
First check whether slapo-memberof is a built-in module:
    slapd -VVV
    Included static overlays:
    [...]
    memberof
If so, you may follow man slapo-memberof(5).
Otherwise you have to check whether memberof.la is in the module path and include memberof.la in the global part of slapd.conf and configure according to the manual page.
-Dieter
Elias Pereira wrote:
> In our infra we are using openldap in old style slapd.conf config to centralize users, groups, etc.
> I would like to know how I enable memberOf in openldap old style config?
It's not that hard to find the docs:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membersh...
http://www.openldap.org/software/man.cgi?query=slapo-memberof
Ciao, Michael.
Thanks for the answers guys!!
For a new group that I create, memberof is set automatically, ok?
But what about the groups that I already have in my base? What should I do to "enable" the memberof option? Can LDAP Account Manager maybe do that?
On Fri, Sep 16, 2016 at 5:39 PM, Michael Ströder michael@stroeder.com wrote:
> Elias Pereira wrote:
>> In our infra we are using openldap in old style slapd.conf config to centralize users, groups, etc.
>> I would like to know how I enable memberOf in openldap old style config?
> It's not that hard to find the docs:
> http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance
> http://www.openldap.org/software/man.cgi?query=slapo-memberof
> Ciao, Michael.
Elias Pereira wrote:
> For a new group that I create, memberof is set automatically, ok?
slapo-memberof intercepts write operations to group entries and updates member entries at that time.
Note that the member entry must exist of course for this to succeed.
Also note that you have to run slapo-memberof on all replicas because attribute 'memberOf' is *not* replicated.
> But what about the groups that I already have in my base? What should I do to "enable" the memberof option?
Modify the group entry.
> Can LDAP Account Manager maybe do that?
Client tools should not muck with attribute 'memberOf' (unless you're 200% sure what you're doing).
Ciao, Michael.
Thanks for the answer Michael!!!
My slapd.conf is attached.
I followed precisely the tip that you gave me at the link below: http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membersh...
When I run: *ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=my,dc=company,dc=br memberOf*
it only shows me: *dn: uid=test1,ou=People,dc=my,dc=company,dc=br*
It does not show the *memberOf: cn=testgroup,ou=Group,dc=my,dc=company,dc=br*
I may have forgotten something?
On Sun, Sep 18, 2016 at 7:26 AM, Michael Ströder michael@stroeder.com wrote:
> Elias Pereira wrote:
>> For a new group that I create, memberof is set automatically, ok?
> slapo-memberof intercepts write operations to group entries and updates member entries at that time.
> Note that the member entry must exist of course for this to succeed.
> Also note that you have to run slapo-memberof on all replicas because attribute 'memberOf' is *not* replicated.
>> But what about the groups that I already have in my base? What should I do to "enable" the memberof option?
> Modify the group entry.
>> Can LDAP Account Manager maybe do that?
> Client tools should not muck with attribute 'memberOf' (unless you're 200% sure what you're doing).
> Ciao, Michael.
Elias Pereira wrote:
> When I run: *ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=my,dc=company,dc=br memberOf*
^^^^^^^^^ Either this is supposed to be the search filter or the attribute list. In both cases it's wrong (see ldapsearch(1)).
> it only shows me: *dn: uid=test1,ou=People,dc=my,dc=company,dc=br*
> It does not show the *memberOf: cn=testgroup,ou=Group,dc=my,dc=company,dc=br*
Attribute 'memberOf' has to be explicitly requested or can be requested along with all other operational attributes with "+" in the attribute list.
Example:
ldapsearch [..] -b "dc=example,dc=org" "(memberOf=*)" memberOf
Ciao, Michael.
openldap-technical@openldap.org
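
Added example, not part of any message in this thread and not OpenLDAP project code: one way to "modify the group entry" for groups that existed before the overlay was enabled is to write each group's current member values back with a replace, so the write passes through slapo-memberof. It assumes the groups use attribute 'member' (the overlay default per slapo-memberof(5)); the function names and the sample entries are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Typical use (hypothetical invocation):
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b dc=my,dc=company,dc=br \
#     "(objectClass=groupOfNames)" member | member_rewrite_ldif | ldapmodify ...
# Assumption: groups are groupOfNames with 'member', the overlay defaults.

# stdin: LDIF of group entries; stdout: one "replace: member" record per group.
member_rewrite_ldif() {
    awk '
    # Print the modify record for the entry collected so far, then reset.
    function emit(   i) {
        if (dn != "" && n > 0) {
            print dn
            print "changetype: modify"
            print "replace: member"
            for (i = 1; i <= n; i++) print vals[i]
            print "-"
            print ""
        }
        dn = ""; n = 0; cur = ""
    }
    # Record a complete (already unfolded) logical LDIF line.
    function keep(line) {
        if (line ~ /^dn::? /) dn = line
        else if (tolower(line) ~ /^member::? /) vals[++n] = line
    }
    /^ / { cur = cur substr($0, 2); next }  # continuation: join to previous
    { if (cur != "") keep(cur); cur = $0 }  # new line: previous is complete
    /^$/ { emit() }                         # blank line ends the entry
    END  { if (cur != "") keep(cur); emit() }
    '
}

# Constructed sample input (DNs modelled on the ones quoted in the thread).
sample_ldif() {
    cat <<'EOF'
dn: cn=testgroup,ou=Group,dc=my,dc=company,dc=br
objectClass: groupOfNames
member: uid=test1,ou=People,dc=my,dc=company,dc=br
member: uid=averyveryverylongusername,ou=People,dc=my,dc=com
 pany,dc=br

dn: cn=empty,ou=Group,dc=my,dc=company,dc=br
objectClass: posixGroup
memberUid: test1
EOF
}

sample_ldif | member_rewrite_ldif
```

Entries without a 'member' value (such as the constructed posixGroup above) produce no record, and the generated LDIF never touches 'memberOf' itself.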