I have an OpenLDAP setup on Debian 7.1 (OpenLDAP 2.4.31), and I am trying to set up the memberof overlay. My configuration is just like what I have read at lots of sites throughout the internet; however, it still does not work for me.

The issue is that the memberOf attributes of the entities are only updated when I create a group, but are not updated when I modify or delete a group. Actually, this same issue was asked once before here: How do I configure Reverse Group Membership Maintenance on an openldap server? (memberOf), but even though it is marked as answered, I could not find any usable information in the answers. (Even the original poster couldn't do anything with the answers, according to the comments...)

My configuration is like this: cn=config/cn=module{0}.ldif

dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}memberof
structuralObjectClass: olcModuleList

And for the module: cn=config/olcDatabase={1}hdb/olcOverlay={0}memberof.ldif

dn: olcOverlay={0}memberof
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: {0}memberof
structuralObjectClass: olcMemberOf
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
olcMemberOfRefInt: TRUE

The group I add:

dn: cn=test,ou=services,dc=x,dc=y
cn: test
objectClass: groupOfNames
objectClass: top
description: test group
member: cn=Almafa Teszt,ou=users,dc=x,dc=y

The query I run:

$ ldapsearch -LLL -h localhost -x -D cn=admin,dc=x,dc=y -b ou=users,dc=x,dc=y -W '(memberOf=cn=test,ou=services,dc=x,dc=y)' memberOf

So the issue is not with how to query the attribute, but that after modifying or removing the group, the result of the search does not change...

Update: As for Brian's answer, I also set up refint overlay, with the following config:

$ ldapsearch -LLL -b cn=module{0},cn=config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint

$ ldapsearch -LLL -b olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

But it neither fixed the memberof overlay, nor did it work on its own. When I modified the name of a member of a group, the member attribute of the group was not updated. Could these two issues be related?

Peter B
  • 191
  • 1
  • 4
  • Have you figured out this problem? I'm getting the same. – Ethan Xu Jan 19 '18 at 08:53
  • @YangXu - no, I could not solve this issue at that time, and just took a different path, not involving the memberOf plugin. Then, a few months ago I had to set up something similar on another server, and there it worked the first time. Now I compared the config of the new server with the config I put here, and the only difference I could spot is that on the new server the backend database is mdb, while in this old case it is hdb. Which one do you use? If hdb, could you try migrating to mdb? If that solves the issue, could you answer this question with that? Thanks! – Peter B Jan 28 '18 at 20:28

2 Answers

0

It sounds like you may need to configure the refint overlay, which helps to maintain a directory's referential integrity in situations such as that which you described. There is a page at http://www.zarafa.com/wiki/index.php/OpenLDAP_referential_integrity which may be helpful towards setting up this overlay.

Brian Showalter
  • 1,029
  • 9
  • 13
  • Actually I already tried the refint overlay before, as at some places they were mentioned together. But it did not help. :( And actually, refint does not work either, as if I rename a user, the "member" attribute of the groupOfNames does not update. Maybe these two issues are related? – Peter B Sep 08 '13 at 09:09
  • Just to confirm, are you using the DN of a member entry to indicate that it's a member of your group? – Brian Showalter Sep 08 '13 at 13:12
  • Yes, like `member: cn=testuser,ou=users,dc=x,dc=y`. – Peter B Sep 08 '13 at 15:02
0

We had the same problem (same symptoms as you describe). It turned out we were missing olcRootDN in our dn: olcDatabase={1}hdb,cn=config. So add (for example) olcRootDN: cn=admin,cn=config there.

Stevko
  • 21
  • 3
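The question's cn=config fragments and the two answers together name three things to verify before blaming the overlay: the memberof module is actually loaded, the refint overlay is present and tracks the group's member attribute (Brian's answer), and the database carrying the overlay has an olcRootDN (Stevko's answer; the overlay's internal membership updates default to running as the database rootdn). The following checker, added here as an example and not code from the thread, parses a cn=config LDIF export offline and reports which of those conditions fail. The sample export is constructed from the poster's fragments plus a minimal olcDatabase={1}hdb entry that, like the poster's, has no olcRootDN; the function and entry names below are assumptions made for this example.

```python
"""Lint an OpenLDAP cn=config LDIF export for the memberof/refint settings
discussed in the thread. Example code, not part of the original posts."""
import re
from collections import defaultdict

# Constructed sample export: the poster's module, memberof and refint entries,
# plus a minimal hdb database entry that (as in the poster's case) lacks olcRootDN.
SAMPLE_LDIF = """\
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=x,dc=y

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: {0}memberof
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
olcMemberOfRefInt: TRUE

dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lower: [values]}}; handles '#' comments and
    folded lines (continuations start with a single space)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs, dn = defaultdict(list), None
        for line in lines:
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()].append(value.strip())
        if dn:
            entries[dn] = attrs
    return entries


def _strip_order(value):
    """olcModuleLoad / olcOverlay / olcDatabase values carry an {n} ordering prefix."""
    return re.sub(r"^\{\d+\}", "", value)


def check_memberof_config(ldif_text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_ldif(ldif_text)
    findings = []

    # 1. memberof module must be loaded ('memberof' and 'memberof.la' are equivalent)
    loaded = set()
    for dn, attrs in entries.items():
        if dn.lower().startswith("cn=module"):
            for v in attrs.get("olcmoduleload", []):
                loaded.add(_strip_order(v).removesuffix(".la"))
    if "memberof" not in loaded:
        findings.append("memberof module is not loaded in any cn=module entry")

    for dn, attrs in entries.items():
        classes = {o.lower() for o in attrs.get("objectclass", [])}
        if "olcdatabaseconfig" not in classes:
            continue
        if _strip_order(attrs.get("olcdatabase", [""])[0]) in ("config", "frontend", "monitor"):
            continue
        # overlays are children of the database entry and carry olcOverlay
        overlays = {_strip_order(o["olcoverlay"][0]).lower(): o
                    for odn, o in entries.items()
                    if odn.lower().endswith("," + dn.lower()) and "olcoverlay" in o}
        if "memberof" not in overlays:
            continue  # this database does not use the overlay
        # 2. Stevko's finding: the overlay's internal writes need the database rootdn
        if not attrs.get("olcrootdn"):
            findings.append(f"{dn}: memberof overlay configured but olcRootDN is missing")
        mo = overlays["memberof"]
        # 3. Brian's point: refint must be present and must track the member attribute
        wants_refint = mo.get("olcmemberofrefint", ["FALSE"])[0].upper() == "TRUE"
        if wants_refint and "refint" not in overlays:
            findings.append(f"{dn}: olcMemberOfRefInt is TRUE but no refint overlay is configured")
        if "refint" in overlays:
            tracked = set()
            for v in overlays["refint"].get("olcrefintattribute", []):
                tracked.update(a.lower() for a in v.split())
            member_ad = mo.get("olcmemberofmemberad", ["member"])[0].lower()
            if member_ad not in tracked:
                findings.append(f"{dn}: refint does not track {member_ad}; renames will not update groups")
    return findings


if __name__ == "__main__":
    for finding in check_memberof_config(SAMPLE_LDIF) or ["no findings"]:
        print(finding)
```

Against the constructed sample the only finding is the missing olcRootDN on olcDatabase={1}hdb,cn=config, which matches the second answer; adding an olcRootDN line to that entry clears it. To run it on a live server, feed it the output of `slapcat -n 0` or an `ldapsearch -b cn=config` export instead of SAMPLE_LDIF.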