
Re: Enable memberOf



Thanks for the answer, Michael!!!

My slapd.conf is attached.

I followed precisely the tip that you gave me at the link below:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance

When I run: ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=my,dc=company,dc=br memberOf 

it only shows me: dn: uid=test1,ou=People,dc=my,dc=company,dc=br

It does not show the memberOf: cn=testgroup,ou=Group,dc=my,dc=company,dc=br

Might I have forgotten something?

On Sun, Sep 18, 2016 at 7:26 AM, Michael Ströder <michael@stroeder.com> wrote:
Elias Pereira wrote:
> For a new group that I create, memberof is set automatically, ok?

slapo-memberof intercepts write operations to group entries and updates member
entries at that time.

Note that the member entry must exist of course for this to succeed.

Also note that you have to run slapo-memberof on all replicas because attribute
'memberOf' is *not* replicated.

> But the groups that I already have on my base. How would I do to "enable"
> the memberof option?

Modify the group entry.

> LDAP Account Manager maybe does that?

Client tools should not muck with attribute 'memberOf' (unless you're 200% sure
what you're doing).

Ciao, Michael.




--
Elias Pereira
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/eduperson.schema
include         /etc/ldap/schema/breduperson.0.0.6.schema
include         /etc/ldap/schema/schac-20061212-1.3.0

loglevel -1

pidfile         /var/run/sldapd/slapd.pid
argsfile        /var/run/sldapd/slapd.args

sizelimit -1

# Load dynamic backend modules:
modulepath      /usr/lib/ldap
moduleload      back_bdb.la
moduleload      memberof.la

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=poa,dc=ifrs,dc=edu,dc=br"
rootdn          "cn=Manager,dc=poa,dc=ifrs,dc=edu,dc=br"

rootpw          {SSHA}rAQpM6QYNGr0R/5X4qg4GgPaJvIFs/H0

directory       /var/lib/ldap

#######################################################################
# SSL:
# Security certificates

#TLSCACertificateFile /etc/ldap/certs/poa.cert
#TLSCertificateFile /etc/ldap/certs/poa.crt
#TLSCertificateKeyFile /etc/ldap/certs/poa.key



########## User Permissions ##########################################

#access to *
#        by dn.base="cn=replicador,dc=poa,dc=ifrs,dc=edu,dc=br" read
#        by * break

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=Manager,dc=poa,dc=ifrs,dc=edu,dc=br" write
        by self write
        by * auth

access to dn.children="ou=People,dc=poa,dc=ifrs,dc=edu,dc=br" attrs=objectClass,sambaSamAccount
        by dn="cn=Manager,dc=poa,dc=ifrs,dc=edu,dc=br" write
        by * read

access to dn.children="ou=Groups,dc=poa,dc=ifrs,dc=edu,dc=br" attrs=description,sambaSID,sambaGroupType,displayName,objectClass,cn
        by dn="cn=Manager,dc=poa,dc=ifrs,dc=edu,dc=br" write
        by * read

access to dn.children="ou=Computers,dc=poa,dc=ifrs,dc=edu,dc=br" attrs=objectClass,sambaSamAccount
        by dn="cn=Manager,dc=poa,dc=ifrs,dc=edu,dc=br" write
        by * read

access to dn.children="ou=Idmap,dc=poa,dc=ifrs,dc=edu,dc=br"
        by dn="cn=Manager,dc=poa,dc=ifrs,dc=edu,dc=br" write
        by * read

access to dn.subtree="dc=poa,dc=ifrs,dc=edu,dc=br"
        by dn="cn=Manager,dc=poa,dc=ifrs,dc=edu,dc=br" write
        by * read

######################################################################
# Reitoria replication configuration
######################################################################

# uniquely identifies this server for PoA:
#ServerID 051
# load the module
#moduleload  syncprov
# syncprov specific indexing (add others as required)
#index    entryCSN                                          eq
#index    entryUUID                                         eq
# Synchronization type
#overlay syncprov
# Force a checkpoint every 100 writes, or every 10 minutes
#syncprov-checkpoint 100 10
# Keep a log of the last 100 synchronized entries
#syncprov-sessionlog 100

################ END REPLICATION ####################################

# Indices to maintain
index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   uidNumber               eq
index   gidNumber               eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
overlay         memberof
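One way to carry out Michael's "modify the group entry" advice for every group that already existed before the overlay was loaded, as an added example that is not part of this thread and not OpenLDAP's own tooling: a small POSIX shell/awk helper that turns an ldapsearch export of groups (dn plus member values) into an LDIF that replaces each group's member attribute with the very same values. slapo-memberof sees that as a write to the group and fills in memberOf on the listed entries. The example assumes the overlay's defaults (groupOfNames groups carrying a member attribute, which is what a bare `overlay memberof` watches), a plain LDIF export without folded or base64-encoded lines, and the constructed sample groups embedded below, whose DNs follow the sanitized ones in the post.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): rewrite each group's
# member attribute with its current values so slapo-memberof processes a write
# and populates memberOf on the members.  Assumes groupOfNames/member (the
# overlay's defaults) and a plain LDIF export (no folded or base64 lines).

# Constructed sample, standing in for what
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Group,dc=my,dc=company,dc=br \
#       '(objectClass=groupOfNames)' member
# would print on the poster's server.
SAMPLE_GROUPS='dn: cn=testgroup,ou=Group,dc=my,dc=company,dc=br
member: uid=test1,ou=People,dc=my,dc=company,dc=br
member: uid=test2,ou=People,dc=my,dc=company,dc=br

dn: cn=admins,ou=Group,dc=my,dc=company,dc=br
member: uid=test1,ou=People,dc=my,dc=company,dc=br'

# Read group LDIF on stdin; write a "changetype: modify" LDIF on stdout that
# replaces member with the same values.  Groups without any member value are
# skipped, since there is nothing for the overlay to recompute.
gen_touch_ldif() {
    awk '
    function flush(   i) {
        if (dn != "" && n > 0) {
            print "dn: " dn
            print "changetype: modify"
            print "replace: member"
            for (i = 1; i <= n; i++) print vals[i]
            print "-"
            print ""
        }
        dn = ""; n = 0
    }
    /^dn: /     { flush(); dn = substr($0, 5); next }
    /^member: / { vals[++n] = $0; next }
    /^$/        { flush() }
    END         { flush() }
    '
}

# Stand-alone run: show the LDIF that would be fed to
#   ldapmodify -Y EXTERNAL -H ldapi:///
printf '%s\n' "$SAMPLE_GROUPS" | gen_touch_ldif
```

On a real server, pipe the output of the ldapsearch shown in the comment through `gen_touch_ldif` and then into `ldapmodify -Y EXTERNAL -H ldapi:///`, and afterwards re-run the ldapsearch from the post to confirm that memberOf now appears on uid=test1. Because memberOf is not replicated, as Michael notes, check each replica that runs the overlay rather than only the server you modified.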