Hi,
I am doing remote authentication using OpenLDAP to log in to BIGIP. BIGIP has a feature called remoterole that searches for the attribute 'memberof' on the LDAP server and, once the attribute is found, assigns the remote user a role defined in various groups like admin, operator, etc. The feature works for Active Directory, but I am unable to make it work for OpenLDAP. I couldn't find the 'memberof' attribute in the OpenLDAP schema, so I created the 'memberof' attribute in core.schema as below:
[root@centos-vli schema]# diff -u core.schema core.schema.orig --- core.schema 2011-01-24 23:54:42.000000000 -0800 +++ core.schema.orig 2011-01-24 23:46:11.000000000 -0800 @@ -345,10 +345,6 @@ DESC 'X.520(4th): pseudonym for the object' SUP name )
-attributetype ( 2.5.4.66 NAME 'memberof' - DESC 'RFC2256: member of a group' - SUP distinguishedName ) - # Standard object classes from RFC2256
# system schema @@ -425,7 +421,7 @@ objectclass ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL - MUST ( member $ memberof $ cn ) + MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectclass ( 2.5.6.10 NAME 'residentialPerson'
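Review bot: the first hunk reads backwards because the diff was taken as `diff -u core.schema core.schema.orig` (modified file first), so the `-` lines are the additions and the `+` lines are the shipped core.schema; regenerate it with the original as the first argument. On the added attributetype itself: 2.5.4.66 sits in the X.520 attribute-type arc (2.5.4), which is not yours to allocate from, and the DESC 'RFC2256: member of a group' attributes to RFC 2256 an attribute that RFC does not define. A locally defined attribute belongs in a separate local schema file under your own OID arc rather than edited into core.schema, and this name will clash with the memberOf attribute type that the slapo-memberof overlay registers when it is loaded, so the definition has to go before that overlay can be used.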
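Review bot: in the second hunk, adding memberof to the MUST list of groupOfNames puts the attribute on the wrong entry and makes every group require a memberof value of its own: membership is recorded on the group through member, and memberof is the back-reference that belongs on the member's entry. The LDIF later in the message shows the knock-on effect, where user5 has to carry objectClass groupOfNames plus a member value pointing back at the group just to satisfy the MUST. Leave the standard STRUCTURAL groupOfNames definition untouched; if a hand-maintained attribute is really wanted, put memberof in the MAY list of a local AUXILIARY objectClass applied to people entries, or let the memberof overlay maintain the attribute so that no schema edit is needed at all.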
And here is my sample LDIF file:
dn: ou=groups,dc=example,dc=com
objectclass: organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry under groups
dn: cn=administrator,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: administrator
description: bigip admin group
member: uid=user5,ou=people,dc=example,dc=com

dn: uid=user5,ou=People,dc=example,dc=com
uid: user5
cn: user5
objectClass: top
objectClass: posixaccount
objectClass: shadowaccount
objectClass: groupOfNames
userPassword: secret
shadowLastChange: 14997
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 505
gidNumber: 505
homeDirectory: /home/user5
member: cn=administrator,ou=groups,dc=example,dc=com
memberof: cn=administrator,ou=groups,dc=example,dc=com
I can log in to BIGIP fine with user5, but I can't get the administrator role defined in BIGIP. Is it something I configured wrong in OpenLDAP, or is the problem on BIGIP?
Thanks
Vincent
openldap-technical@openldap.org
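The attribute the remoterole lookup searches for is a back-reference that OpenLDAP can maintain on its own, so no hand-edited core.schema is needed. The following slapd.conf fragment is an added example written for this page (it is not from Vincent's post or from the OpenLDAP distribution) and shows the memberof overlay (slapo-memberof) configured for groupOfNames/member groups such as cn=administrator above. The module path, backend type, suffix, rootdn and database directory are assumptions chosen for illustration.

```conf
# slapd.conf fragment (added example; module path, backend, suffix and rootdn are assumptions)

# Schema as shipped; the hand-added 'memberof' attributetype must NOT be in core.schema,
# because the overlay registers its own memberOf attribute type and the duplicate name
# stops the module from loading.
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/nis.schema

# Load the overlay module (path is the distribution default here; adjust to your build).
modulepath  /usr/lib64/openldap
moduleload  memberof.la

database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
# rootpw      {SSHA}...   (set your own; omitted here)
directory   /var/lib/ldap

# Maintain memberOf on every entry listed as 'member' of a groupOfNames.
overlay              memberof
memberof-group-oc    groupOfNames
memberof-member-ad   member
memberof-memberof-ad memberOf
# Drop stale memberOf values when a group is deleted or a member is removed.
memberof-refint      true
```

Two caveats matter in practice. First, the overlay only updates memberOf for writes that happen after it is configured, so a group like cn=administrator that already exists has to be deleted and added again (ldapdelete then ldapadd of the same entry, or a slapcat/slapadd cycle of the groups branch) before its members acquire the value. Second, memberOf is registered as an operational attribute, so request it by name when checking: `ldapsearch -x -H ldap://localhost -D "cn=Manager,dc=example,dc=com" -W -b "uid=user5,ou=people,dc=example,dc=com" memberOf` should return `memberOf: cn=administrator,ou=groups,dc=example,dc=com`. With the overlay in place, user5 should be a plain person entry: the objectClass groupOfNames, member and memberof lines come out of it, and since posixAccount and shadowAccount are both AUXILIARY the entry needs a STRUCTURAL class of its own, for example account from cosine.schema. On OpenLDAP 2.5 and later, slapo-memberof is deprecated and the dynlist overlay is the recommended way to get the same memberOf attribute.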