
This is a follow-up to this question: I added the memberof overlay to an existing OpenLDAP 2.4 server. Now I want to update the existing user objects.

For new group memberships, the memberOf attribute is updated correctly. But I have a bunch of existing groups which aren't updated automatically. I could remove all users from their groups and re-add them to make sure these entries are in sync. Since this is a Univention Corporate Server which does a lot of magic when you modify the LDAP, I don't want to risk breaking my directory.

Is there a way to trick the overlay to update these operational attributes?

mss
  • [UCS](https://www.univention.com/products/ucs/) provides [a script](https://github.com/univention/univention-corporate-server/blob/4.4-3/management/univention-ldap-overlay-memberof/univention-update-memberof) to do this, see explanation below. – Arvid Requate Jan 02 '20 at 11:06

3 Answers


I think running slapindex will solve your problem. At least it sounds pretty much like what happens when you add a new index to your system. You get funny results unless you run reindexing on old entries.

Please note that the OpenLDAP server has to be stopped when you run this. And you should either run it as the slapd user (like openldap) or run it as root and change permissions afterwards.

```shell
/etc/init.d/slapd stop
# run as root: the database files end up owned by root afterwards
slapindex
# hand the files back to the user slapd runs as
chown openldap:openldap /var/lib/ldap/*
/etc/init.d/slapd start
```

or

```shell
/etc/init.d/slapd stop
# run slapindex as the slapd user so ownership stays correct
su - openldap -c slapindex
/etc/init.d/slapd start
```

Please read the slapindex man page before running this. This should be safe unless you have a corrupted database (just remember to check the file permissions before starting).

The commands to stop and start your services will depend on the OS flavour you're running.

Manwe
  • Interesting. I'll have a try once I'm around that system and report back. – mss Apr 10 '12 at 13:50
  • `slapindex` won't add these missing attributes. The reason is simple: `slapindex` rebuilds the indexes of the underlying BerkeleyDB database to enable search requests to be handled, and what is needed here is actual data to be added in to the OpenLDAP database (the memberOf attributes and their values). – Jonathan Clarke Sep 18 '12 at 16:41
  • True, but adding an index to a field that already has data will sometimes give funny results to all but new entries on searches. The reason being that the index has to be manually created/recreated for existing data, but for new data the indexing works automatically. – Manwe Sep 29 '12 at 20:15

The only time when the memberOf overlay will be activated is if you modify a member in a group. So, the only way to "trick" it into updating the memberOf attributes would indeed be to remove all users from their groups and re-add them, as you suggested.

An alternative would be to use an external tool to synchronize groups and their members' entries.

You could write your own script for this, something along the lines of: for each group, read the members; for each member, run an LDAP "modify" operation to "add" a value to the memberOf attribute of that member's entry.

Or, probably more reliable, you could use a tool like LSC (LDAP Synchronization Connector) which has pretty much everything already done: you just need to configure the mapping you want. The trick with LSC is to use the same LDAP server as both source and destination, and to run through all users to make sure that the memberOf attribute contains the list of groups that results from searching all groups for member=. The LSC website has a tutorial to do this, sort of, but it's a bit outdated.

Jonathan Clarke
  • Thanks for the pointer to LSC, I hadn't heard of that. What I did in the end was to use the official [script](https://forge.univention.org/svn/dev/branches/ucs-3.0/ucs/management/univention-ldap-overlay-memberof/univention-update-memberof) shipped by Univention which follows the delete-and-readd approach. Originally I was afraid of doing this on my own since UCS has a bunch of hooks which get executed whenever the LDAP is changed. – mss Sep 19 '12 at 19:36

For Univention Corporate Server see https://help.univention.com/t/memberof-attribute-group-memberships-of-user-and-computer-objects/6439 , it has a tool to do this. For all others: the tool uses a simple trick to trigger OpenLDAP to update the memberOf attributes. It simply searches for (uniqueMember=*) and replaces the value by the same value. This is basically a no-op, but OpenLDAP handles it just like any other real change.
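Both approaches given in the answers above, the explicit memberOf write per member and the no-op replace of the group's member attribute that lets the overlay do the work, boil down to turning a dump of the groups into ldapmodify input. The script below is an added example, not code from this page or from the Univention script; it assumes groups use uniqueMember (as the last answer states), reads an LDIF dump such as `ldapsearch -LLL` produces, and only writes LDIF to stdout, so the modifications can be reviewed before they are applied. The sample dump is constructed.

```python
"""Generate ldapmodify input that back-fills memberOf on pre-existing entries.

Assumed workflow (not from the page):
    ldapsearch -LLL -b dc=example,dc=com '(uniqueMember=*)' uniqueMember > groups.ldif
    python3 memberof_backfill.py noop groups.ldif | ldapmodify -x -D cn=admin,dc=example,dc=com -W
The script never talks to the directory itself.
"""
import base64
import sys
from collections import defaultdict

# Attribute the memberof overlay watches on group entries. UCS groups use
# uniqueMember; plain groupOfNames setups would use member.
MEMBER_ATTR = "uniqueMember"

# Constructed sample standing in for real ldapsearch output. It includes a
# folded DN line (leading space) and one '::' base64 value, both of which
# ldapsearch emits, so the parser's handling of them is exercised.
CAROL = "uid=carol,cn=users,dc=example,dc=com"
SAMPLE_GROUPS_LDIF = (
    "dn: cn=admins,cn=groups,dc=example,dc=com\n"
    "uniqueMember: uid=alice,cn=users,dc=example,dc=com\n"
    "uniqueMember: uid=bob,cn=users,dc=example,dc=com\n"
    "\n"
    "dn: cn=devs,cn=groups,\n"
    " dc=example,dc=com\n"
    "uniqueMember: uid=bob,cn=users,dc=example,dc=com\n"
    "uniqueMember:: " + base64.b64encode(CAROL.encode()).decode() + "\n"
)


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr: [values]}}.
    Handles folded lines, '::' base64 values, comments and the 'version:'
    header; enough for ldapsearch -LLL output of group entries."""
    entries = {}
    unfolded = text.replace("\n ", "")          # join continuation lines
    for block in unfolded.split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):              # attr:: base64value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if key == "dn":
                dn = value
            elif key != "version":
                attrs[key].append(value)
        if dn is not None:
            entries[dn] = dict(attrs)
    return entries


def ldif_line(attr, value):
    """Emit 'attr: value', or the '::' base64 form when the value is not
    LDIF-safe (non-ASCII, leading space/colon/'<', trailing space)."""
    if value.isascii() and value and value[0] not in " :<" and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode()}"


def memberof_ldif(groups, op="add", member_attr=MEMBER_ATTR):
    """Strategy 1 (explicit write, as in the second answer): add memberOf on
    each member entry. 'add' fails with 'Type or value exists' on entries the
    overlay already updated; if the dump covers every group, op='replace' is
    idempotent because the complete list is recomputed. Either way this needs
    write access to the operational memberOf attribute."""
    memberships = defaultdict(list)
    for group_dn, attrs in groups.items():
        for member_dn in attrs.get(member_attr, []):
            memberships[member_dn].append(group_dn)
    chunks = []
    for member_dn, group_dns in sorted(memberships.items()):
        lines = [ldif_line("dn", member_dn), "changetype: modify", f"{op}: memberOf"]
        lines += [ldif_line("memberOf", g) for g in group_dns]
        chunks.append("\n".join(lines) + "\n-\n")
    return "\n".join(chunks)


def noop_replace_ldif(groups, member_attr=MEMBER_ATTR):
    """Strategy 2 (the trick from the last answer): replace each group's member
    attribute with its current values. The entry does not change, but slapd
    processes a real modify, so the memberof overlay rewrites memberOf on every
    listed member itself. No direct write to memberOf is needed."""
    chunks = []
    for group_dn, attrs in sorted(groups.items()):
        members = attrs.get(member_attr)
        if not members:
            continue
        lines = [ldif_line("dn", group_dn), "changetype: modify", f"replace: {member_attr}"]
        lines += [ldif_line(member_attr, m) for m in members]
        chunks.append("\n".join(lines) + "\n-\n")
    return "\n".join(chunks)


def main(argv):
    """Usage: memberof_backfill.py [noop|add|replace] [groups.ldif]
    Without a file argument the constructed sample dump is used."""
    mode = argv[1] if len(argv) > 1 else "noop"
    text = open(argv[2], encoding="utf-8").read() if len(argv) > 2 else SAMPLE_GROUPS_LDIF
    groups = parse_ldif(text)
    out = noop_replace_ldif(groups) if mode == "noop" else memberof_ldif(groups, op=mode)
    sys.stdout.write(out)


if __name__ == "__main__":
    main(sys.argv)
```

The `noop` mode is the safer default: it changes nothing in the group entries and leaves memberOf maintenance to the overlay, which is exactly what will keep the attribute current afterwards. Running the output through `ldapmodify -n` first (dry run) is a cheap way to check the generated LDIF parses before touching the directory.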