
memberof overlay



Dear list members,

I have been trying to get the memberof overlay to work properly on
slapd 2.4.19 on an Ubuntu hardy (8.04.3).

After realizing (which took a while hehe) that installing OpenLDAP via  
apt-get wouldn't allow me to enable modules/overlays, I downloaded the
source and built it manually with:

   ./configure --enable-overlays --enable-accesslog --enable-auditlog \
       --enable-collect --enable-constraint --enable-dds --enable-deref \
       --enable-dyngroup --enable-dynlist --enable-memberof --enable-ppolicy \
       --enable-proxycache --enable-refint --enable-retcode --enable-rwm \
       --enable-seqmod --enable-syncprov --enable-translucent --enable-unique \
       --enable-valsort --enable-modules --with-tls

(I wanted to be on the safe side so I kinda enabled everything)

The server is now set up and running (with TLS and all, but I guess
that's not important here). To activate the wanted overlay, I have (in
my slapd.conf):

modulepath      /usr/local/etc/openldap/overlays/
moduleload      memberof.la
overlay         memberof

(the path is correct and I have checked the logs to make sure it was
paying attention to those fields).

Anyway, I started doing some experiments, and at first it seemed to
be working fine. But some test cases later, the memberOf value started
being incorrect when compared to the member attribute of the
groups.

Here's how to reproduce my scenario (I just tried it again, with a new
database, base DN being dc=ipfn,dc=ist,dc=utl,dc=pt):

First, run init.ldif (attached), which creates the usual groups and
people OUs, creates 2 users followed by 2 groups with one user per
group.

So far so good: if I run an ldapsearch based on ou=people (...) and
ask for the memberOf attribute, I get:

dn: ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

----------------------------------------

Next, I run modify.ldif (also attached) which changes the member  
attribute of the admin group from "cn=Daniel Gomes (...)" to "cn=John  
Smith (...)". We can then see that:

dn: ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: organizationalUnit
ou: groups

dn: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: groupOfNames
cn: admin
description: For administrators
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: groupOfNames
cn: users
description: For users
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

----------------------------------------------

Meaning, the group was successfully modified, but the previous query  
returns the same value:

dn: ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
memberOf: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

-----------------------------------------

This seems to happen only when deleting users from groups. I have  
tried with and without the refint overlay, if that matters for anything.

Anyway, I do not see anything I can be doing wrong, so it does seem to  
be a bug. If I could get some info on this, I would appreciate it!

Cheers,
-- 
Daniel Gomes (SysAdmin)
dgomes@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL        
Av. Rovisco Pais - 1049-001 Lisboa - Portugal

[Attachment: init.ldif]

dn: dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: dcObject
objectClass: organizationalUnit
dc: ipfn
ou: IPFN

dn: ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: organizationalUnit
ou: portal

dn: ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: organizationalUnit
ou: groups

dn: ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectClass: organizationalUnit
ou: people

dn:cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectclass: inetOrgPerson
cn: Daniel Gomes
sn: Gomes
uid: dgomes
userpassword: lala
mail: dgomes@ipfn.ist.utl.pt

dn:cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectclass: inetOrgPerson
cn: John Smith
sn: Smith
uid: jsmith
userpassword: lala
mail: jsmith@ipfn.ist.utl.pt

dn: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectclass: groupOfNames
cn: admin
description: For administrators
member: cn=admin,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
member: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=users,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
objectclass: groupOfNames
cn: users
description: For users
member: cn=admin,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

[Attachment: modify.ldif]

#dn: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
#changetype: modify
#replace: member
#member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

#dn: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
#changetype: modify
#delete: member
#member: cn=Daniel Gomes,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt

dn: cn=admin,ou=groups,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
changetype: modify
add: member
member: cn=John Smith,ou=people,ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt
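
An added example, not part of the original post: a small checker that cross-references the `member` values on group entries against the `memberOf` values on user entries in ldapsearch LDIF output, so stale reverse memberships like the one reported above are flagged automatically. The function names are this example's own, the DN normalization is simplified, and the sample data is constructed from the search results quoted in the post.

```python
def norm_dn(dn):
    # Simplified: lowercase, trim RDNs; ignores escaped commas and base64 values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized_dn: {attr: [values]}} from plain LDIF text."""
    lines, entries, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of a folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if not line.strip():                # blank line ends the entry
            current = None
        elif not line.startswith("#") and ":" in line:
            attr, value = (s.strip() for s in line.split(":", 1))
            if attr.lower() == "dn":
                current = entries.setdefault(norm_dn(value), {})
            elif current is not None:
                current.setdefault(attr.lower(), []).append(value)
    return entries

def membership_drift(groups_ldif, people_ldif):
    """Return (stale, missing) sets of (user_dn, group_dn) pairs."""
    forward = {(norm_dn(m), g) for g, e in parse_ldif(groups_ldif).items()
               for m in e.get("member", [])}
    reverse = {(u, norm_dn(g)) for u, e in parse_ldif(people_ldif).items()
               for g in e.get("memberof", [])}
    # stale: user still claims a group that no longer lists it (the case reported)
    # missing: group lists a user whose entry has no matching memberOf
    return reverse - forward, forward - reverse

# Constructed sample: the two search results quoted in the post after modify.ldif.
BASE = "ou=portal,dc=ipfn,dc=ist,dc=utl,dc=pt"
GROUPS_LDIF = f"""dn: cn=admin,ou=groups,{BASE}
member: cn=John Smith,ou=people,{BASE}

dn: cn=users,ou=groups,{BASE}
member: cn=John Smith,ou=people,{BASE}
"""
PEOPLE_LDIF = f"""dn: cn=Daniel Gomes,ou=people,{BASE}
memberOf: cn=admin,ou=groups,{BASE}

dn: cn=John Smith,ou=people,{BASE}
memberOf: cn=users,ou=groups,{BASE}
"""

if __name__ == "__main__":
    print(membership_drift(GROUPS_LDIF, PEOPLE_LDIF))
```

Where applications authorize on `memberOf`, a non-empty stale set means a user keeps access that the group entry no longer grants.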