On Wed, 2007-11-28 at 09:13 +1100, Andrew Bartlett wrote:
> On Tue, 2007-11-27 at 07:23 -0800, Howard Chu wrote:
> > Christian Marg wrote:
> > > Hello,
> > >
> > > Andrew Bartlett wrote:
> > > [...]
> > >> Linked attributes include member/memberOf, master/masteredBy and many
> > >> others. They are defined in the AD schema, and as far as I know, are
> > >> strictly updated as a pair (they are not flattened memberOf listings,
> > >> for example).
> > > [...]
> > >
> > > Isn't that what slapo-refint(5) does? Maybe it needs some fine
> > > adjustment, but from the manpage it sounds promising...
> >
> > The slapo-memberOf overlay is probably more useful here, as Ando already
> > pointed out. But yes, we can take care of linked attributes, no problem.
>
> Looking at the configuration, it seems this can only currently be
> configured once - ie, for memberOf. Am I missing how to configure it to
> also handle an arbitrary number of other attributes? Ideally I would
> process the AD schema into a configuration file with these details.

To start with this module I've decided to just deal with memberOf.

However, I can't get the module to start, because while it allows
configuration of different schema in theory, it relies on the default
schema to exist in practice:

[abartlet@naomi source]$ /usr/local/sbin/slaptest -f /home/data/samba/samba4/clean/source/st/dc/private/ldap/slapd.conf
back-bdb/back-hdb monitor: "olmBDBAttributes" previously defined "1.3.6.1.4.1.4203.666.1.55.0.1.1"
back-bdb/back-hdb monitor: "olmBDBObjectClasses" previously defined "1.3.6.1.4.1.4203.666.3.16.0.1.1"
memberof_db_init: unable to find objectClass="groupOfNames"
slaptest: bad configuration file!

The problem is that groupOfNames doesn't exist in the AD-like schema I'm
loading.

This is with current CVS OpenLDAP.

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

slapd.conf:
loglevel 0
include /home/data/samba/samba4/clean/source/st/dc/private/ldap/backend-schema.schema
pidfile /home/data/samba/samba4/clean/source/st/dc/private/ldap/slapd.pid
argsfile /home/data/samba/samba4/clean/source/st/dc/private/ldap/slapd.args
sasl-realm samba.example.com
access to * by * write
allow update_anon
authz-regexp
    uid=([^,]*),cn=samba.example.com,cn=digest-md5,cn=auth
    ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)
authz-regexp
    uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
    ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)
include /home/data/samba/samba4/clean/source/st/dc/private/ldap/modules.conf
defaultsearchbase DC=samba,DC=example,DC=com
backend hdb
database bdb
suffix CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
directory /home/data/samba/samba4/clean/source/st/dc/private/ldap/db/schema
index objectClass eq
index samAccountName eq
index name eq
index objectCategory eq
index lDAPDisplayName eq
index subClassOf eq
database hdb
suffix CN=Configuration,DC=samba,DC=example,DC=com
directory /home/data/samba/samba4/clean/source/st/dc/private/ldap/db/config
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index nCName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
database hdb
suffix DC=samba,DC=example,DC=com
rootdn cn=Manager,DC=samba,DC=example,DC=com
rootpw localdcpass
directory /home/data/samba/samba4/clean/source/st/dc/private/ldap/db/user
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index member eq
index uidNumber eq
index gidNumber eq
index unixName eq
index privilege eq
index nCName eq
index lDAPDisplayName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
overlay memberof
memberof-group-oc group
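An audit for the member/memberOf link pair discussed in the quoted text, added here as an example that is not part of the original message or of OpenLDAP: it parses a small constructed LDIF dump and reports every forward link whose back-link is missing and every back-link with no matching forward link, which is exactly the drift slapo-memberof is meant to prevent. The sample entries, the helper names and the lower-case `memberOf` value (to show DN comparison is case-insensitive) are all constructed for the example.

```python
# Constructed sample dump (not from the message): Bob is listed as a member but
# has no memberOf back-link; Carol claims memberOf but the group lacks her.
SAMPLE_LDIF = """\
dn: CN=Admins,CN=Users,DC=samba,DC=example,DC=com
member: CN=Alice,CN=Users,DC=samba,DC=example,DC=com
member: CN=Bob,CN=Users,DC=samba,DC=example,DC=com

dn: CN=Alice,CN=Users,DC=samba,DC=example,DC=com
memberOf: cn=admins,cn=users,dc=samba,dc=example,dc=com

dn: CN=Bob,CN=Users,DC=samba,DC=example,DC=com

dn: CN=Carol,CN=Users,DC=samba,DC=example,DC=com
memberOf: CN=Admins,CN=Users,DC=samba,DC=example,DC=com
"""

def norm_dn(dn):
    """DNs compare case-insensitively; ignore whitespace around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Return {normalised dn: {attr_lower: [values]}}, folding continuation lines."""
    entries, current = {}, None
    for raw in text.replace("\n ", "").splitlines():
        if not raw.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def check_links(entries, fwd="member", back="memberof"):
    """Report each forward link lacking its back-link and each orphan back-link."""
    problems = []
    for dn, attrs in entries.items():
        for target in attrs.get(fwd, []):
            t = entries.get(norm_dn(target))
            if t is None:
                problems.append((dn, fwd, norm_dn(target), "target missing"))
            elif dn not in map(norm_dn, t.get(back, [])):
                problems.append((dn, fwd, norm_dn(target), f"no {back} back-link"))
        for group in attrs.get(back, []):
            g = entries.get(norm_dn(group))
            if g is None or dn not in map(norm_dn, g.get(fwd, [])):
                problems.append((dn, back, norm_dn(group), f"group lacks {fwd}"))
    return sorted(problems)
```

Run against an `ldapsearch -LLL` dump of a tree populated without the overlay, the two reported tuples here are the Bob and Carol inconsistencies; the same functions work for any other linked pair by passing its attribute names as `fwd`/`back`.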