
I have an OpenLDAP setup on Debian 7.1 (OpenLDAP 2.4.31), and I am trying to set up the memberof overlay. My configuration is just like I have read at lots of sites throughout the internet; however, it still does not work for me.

The issue is that the memberOf attributes of the entities are only updated when I create a group, but are not updated when I modify or delete a group. Actually this same issue was once asked before here: How do I configure Reverse Group Membership Maintenance on an openldap server? (memberOf), but even though it is marked as answered, I could not find any usable information in the answers. (Even the original poster couldn't do anything with the answers, according to the comments...)

My configuration is like this: cn=config/cn=module{0}.ldif

    dn: cn=module{0}
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb
    olcModuleLoad: {1}memberof
    structuralObjectClass: olcModuleList

And for the module: cn=config/olcDatabase={1}hdb/olcOverlay={0}memberof.ldif

    dn: olcOverlay={0}memberof
    objectClass: olcMemberOf
    objectClass: olcOverlayConfig
    olcOverlay: {0}memberof
    structuralObjectClass: olcMemberOf
    olcMemberOfGroupOC: groupOfNames
    olcMemberOfMemberAD: member
    olcMemberOfMemberOfAD: memberOf
    olcMemberOfRefInt: TRUE

The group I add:

    dn: cn=test,ou=services,dc=x,dc=y
    cn: test
    objectClass: groupOfNames
    objectClass: top
    description: test group
    member: cn=Almafa Teszt,ou=users,dc=x,dc=y

The query I run:

    $ ldapsearch -LLL -h localhost -x -D cn=admin,dc=x,dc=y -b ou=users,dc=x,dc=y -W '(memberOf=cn=test,ou=services,dc=x,dc=y)' memberOf

So the issue is not with how to query the attribute, but that after modifying or removing the group, the result of the search does not change...

Update: As for Brian's answer, I also set up refint overlay, with the following config:

    $ ldapsearch -LLL -b cn=module{0},cn=config
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb
    olcModuleLoad: {1}memberof.la
    olcModuleLoad: {2}refint

    $ ldapsearch -LLL -b olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
    dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcRefintConfig
    objectClass: top
    olcOverlay: {1}refint
    olcRefintAttribute: memberof member manager owner

But it neither fixed the memberof overlay nor worked in itself. When I modified the name of a member of a group, the member attribute of the group was not updated. Could these two issues be related?

  • Have you figured out this problem? I'm getting the same. Commented Jan 19, 2018 at 8:53
  • @YangXu - no, I could not solve this issue at that time, and just took a different path, not involving the memberOf plugin. Then, a few months ago I had to set up something similar on another server, and there it worked the first time. Now I compared the config of the new server with the config I put here, and the only difference I could spot is that on the new server the backend database is mdb, while in this old case it is hdb. Which one do you use? If hdb, could you try migrating to mdb? If that solves the issue, could you answer this question with that? Thanks! Commented Jan 28, 2018 at 20:28

2 Answers

It sounds like you may need to configure the refint overlay, which helps to maintain a directory's referential integrity in situations such as that which you described. There is a page at http://www.zarafa.com/wiki/index.php/OpenLDAP_referential_integrity which may be helpful towards setting up this overlay.

  • Actually I already tried the refint overlay before, as at some places they were mentioned together. But it did not help. :( And actually, refint does not work either, as if I rename a user, the "member" attribute of the groupOfNames does not update. Maybe these two issues are related? Commented Sep 8, 2013 at 9:09
  • Just to confirm, are you using the DN of a member entry to indicate that it's a member of your group? Commented Sep 8, 2013 at 13:12
  • Yes, like member: cn=testuser,ou=users,dc=x,dc=y. Commented Sep 8, 2013 at 15:02

We had the same problem (same symptoms as you describe). It turned out we were missing olcRootDN in our dn: olcDatabase={1}hdb,cn=config entry. So add (for example) olcRootDN: cn=admin,cn=config there.
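A small checker for the settings this thread turns on (memberof module loaded, the overlay attached to a database that also carries olcRootDN as in the answer above, and refint covering memberOf). This is an added example, not code from the thread or from OpenLDAP; it assumes the cn=config tree is supplied as LDIF with full DNs, as returned by ldapsearch -LLL -b cn=config, and the two LDIF samples at the bottom are constructed.

```python
# Added example (not from the thread or OpenLDAP): lint an exported cn=config tree,
# as returned by `ldapsearch -LLL -b cn=config`, for the settings this thread turns on.
def parse_ldif(text):
    """One {attr: [values]} dict per entry; attr names lowercased, folded lines joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            entries, cur = entries + ([cur] if cur else []), {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_memberof_config(text):
    """Return findings as strings; an empty list means every check passed."""
    entries = parse_ldif(text)
    by_dn = {e["dn"][0].lower(): e for e in entries if "dn" in e}
    findings = []
    mods = [m.split("}")[-1] for e in entries for m in e.get("olcmoduleload", [])]
    if not any(m in ("memberof", "memberof.la") for m in mods):
        findings.append("memberof module not loaded via olcModuleLoad")
    overlays = [d for d in by_dn if d.startswith("olcoverlay=") and "memberof" in d.split(",")[0]]
    if not overlays:
        findings.append("no memberof overlay entry found")
    for dn in overlays:
        db_dn = dn.split(",", 1)[1]         # parent entry is the database the overlay sits on
        if not by_dn.get(db_dn, {}).get("olcrootdn"):   # the setting the second answer found missing
            findings.append(f"{db_dn}: missing olcRootDN")
    refint = " ".join(v for e in entries for v in e.get("olcrefintattribute", [])).lower()
    if "memberof" not in refint.split():    # refint must cover memberOf so renames propagate
        findings.append("refint overlay does not list memberOf in olcRefintAttribute")
    return findings

# Constructed samples: the questioner's layout without olcRootDN/refint, then with both added.
BROKEN = """dn: cn=module{0},cn=config
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}memberof

dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=x,dc=y

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config\n"""
FIXED = BROKEN.replace("olcSuffix: dc=x,dc=y", "olcSuffix: dc=x,dc=y\nolcRootDN: cn=admin,dc=x,dc=y") + """
dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
olcRefintAttribute: memberof member manager owner\n"""
```

Running `check_memberof_config(BROKEN)` reports the missing olcRootDN and the missing refint coverage; on `FIXED` it returns an empty list.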
