[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-memberof Usage

On Wednesday, 5 May 2010 14:31:01 Stuart Cherrington wrote:
> Hello again,
> Having successfully upgraded my LDAP install to 2.4.22 on Redhat 5.3 I've
>  been looking at use of the 'slapo-memberof' schema as provided by
>  openldap2.4-server package.
> The man page for slapo-memberof2.4 indicates I can use the 'memberof-dn'
>  directive.

This relates to it being used in your slapd configuration. However, the man 
page is quite clear in that this directive isn't *that* useful (only affects 
operational attributes).

> So, I've updated my slapd.conf file to allow the 'moduleload     
>  memberof.la' to be used and restarted ldap2.4 services.

That is not sufficient, you would at least need:
overlay memberof

in the affected database. Additionally, note that the overlay only maintains 
the memberof attribute for *changes* to the member (or attribute specified by 
memberof-member-ad) attribute, the initial population is up to you (or, you 
could probably send trivial modifications to all your groupOfNames entries to 
force the overlay to update the attributes.

>  On the client I
>  have configured my ldap.conf without the memberof directive and it works
>  fine, but when I use memberof I can no longer login.
> nss_base_passwd                ou=people,dc=ldn,dc=sw,dc=com
> Works fine
> nss_base_passwd        
>  ou=people,dc=ldn,dc=sw,dc=com?sub?memberof-dn=cn=access,ou=auth,dc=ldn,dc=
> sw,dc=com Fails to log me in.

Firstly, you should be using memberof=DN, not memberof-dn=DN, secondly, does 
your user have a matching attribute?

> I can see the people and auth OU's from the client using ldapsearch.

But,  do these people have correct memberof attributes?

> Questions:
> What is the correct syntax for using the memberof-dn directive?

This is probably irrelevant.

> If the client does NOT have the openldap2.4-server package installed, does
>  it pass the 'memberof-dn' directive to my LDAP server to be parsed?

Please consult the nss_ldap documentation for nss_base_passwd, but, typically, 
it should use the value you have supplied as a filter to a search operation. 
Have you manually verified that the accounts you expect to be matched by your 
filter do, in fact, match the filter? For example, by using:

$ ldapsearch -x -b ou=people,dc=ldn,dc=sw,dc=com "(memberof-

Note: I copied from your configuration, if your configuration is wrong, fix it, 
and re-paste the filter, to make sure you are testing what you have configured