I've been working with current CVS OpenLDAP and the memberof plugin, for Samba4 integration.

Following your suggestion, I'm trying to load multiple memberof instances, but the syntax doesn't seem to work for me. Attached is how I'm currently configuring the overlay. It causes this when loading:

overlay_config(): overlay "memberof" already in list
overlay_config(): overlay "memberof" already in list
...

It also only appears to work for the first entry (happily that is member/memberof, and this seems to have worked).

Is the syntax I'm using correct, or does the module need to be reworked for this operation?

Finally, I'm wondering if the error returns can be adjusted: when I add an invalid member to a group, OpenLDAP returns LDAP_CONSTRAINT_VIOLATION <adding non-existing object as group member>, but AD returns error 32, LDAP_NO_SUCH_OBJECT, for this situation. Would it be reasonable to change this, or could it be made configurable? Having the LDAP server give me the error the client expects would avoid the need for a translation layer. (It might be nobody ever looks at this, but I don't like to make that assumption.)

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
loglevel 0
include /home/data/samba/samba4/svn/source/st/dc/private/ldap/backend-schema.schema
pidfile /home/data/samba/samba4/svn/source/st/dc/private/ldap/slapd.pid
argsfile /home/data/samba/samba4/svn/source/st/dc/private/ldap/slapd.args
sasl-realm samba.example.com
access to * by * write
allow update_anon
authz-regexp
    uid=([^,]*),cn=samba.example.com,cn=digest-md5,cn=auth
    ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)
authz-regexp
    uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
    ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)
include /home/data/samba/samba4/svn/source/st/dc/private/ldap/modules.conf
defaultsearchbase DC=samba,DC=example,DC=com
backend hdb
database hdb
suffix CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
directory /home/data/samba/samba4/svn/source/st/dc/private/ldap/db/schema
index objectClass eq
index samAccountName eq
index name eq
index objectCategory eq
index lDAPDisplayName eq
index subClassOf eq
index cn eq
database hdb
suffix CN=Configuration,DC=samba,DC=example,DC=com
directory /home/data/samba/samba4/svn/source/st/dc/private/ldap/db/config
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index nCName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
database hdb
suffix DC=samba,DC=example,DC=com
rootdn cn=Manager,DC=samba,DC=example,DC=com
rootpw localdcpass
directory /home/data/samba/samba4/svn/source/st/dc/private/ldap/db/user
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index member eq
index uidNumber eq
index gidNumber eq
index unixName eq
index privilege eq
index nCName eq
index lDAPDisplayName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
include /home/data/samba/samba4/svn/source/st/dc/private/ldap/memberof.conf
overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad member
memberof-memberof-ad memberOf

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-ObjectReference
memberof-memberof-ad msDS-ObjectReferenceBL

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad serverReference
memberof-memberof-ad serverReferenceBL

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad hasMasterNCs
memberof-memberof-ad masteredBy

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad siteObject
memberof-memberof-ad siteObjectBL

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msCOM-UserPartitionSetLink
memberof-memberof-ad msCOM-UserLink

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad bridgeheadTransportList
memberof-memberof-ad bridgeheadServerListBL

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad manager
memberof-memberof-ad directReports

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-hasMasterNCs
memberof-memberof-ad msDs-masteredBy

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-NonMembers
memberof-memberof-ad msDS-NonMembersBL

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad managedBy
memberof-memberof-ad managedObjects

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad queryPolicyObject
memberof-memberof-ad queryPolicyBL

overlay memberof
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad nonSecurityMember
memberof-memberof-ad nonSecurityMemberBL
modulepath /data/openldap/prefix/libexec/openldap
moduleload syncprov
moduleload memberof
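The "already in list" message above is slapd rejecting a second instance of the same overlay on one database. As an added example (not code from the post, the OpenLDAP project or Samba), the script below parses a slapd.conf in the same shape as the attached one, follows include directives from an in-memory table instead of the filesystem, groups overlay directives under the database they are stacked on, and reports any overlay that appears more than once on a single suffix, so the condition can be checked before restarting slapd. The config excerpt and include paths are constructed for the example; the attribute pairs are two of those in the attached memberof.conf.

```python
"""Report overlays stacked more than once on one slapd.conf database."""
from collections import defaultdict

# Constructed excerpt modelled on the attached slapd.conf; include paths are
# placeholders resolved through INCLUDES below rather than the filesystem.
SLAPD_CONF = """\
loglevel 0
include /path/to/modules.conf
database hdb
suffix CN=Configuration,DC=samba,DC=example,DC=com
index objectClass eq
database hdb
suffix DC=samba,DC=example,DC=com
overlay syncprov
syncprov-checkpoint 100 10
include /path/to/memberof.conf
"""

INCLUDES = {
    "/path/to/modules.conf":
        "modulepath /usr/lib/openldap\nmoduleload syncprov\nmoduleload memberof\n",
    "/path/to/memberof.conf": """\
# two of the attribute pairs from the attached memberof.conf
overlay memberof
memberof-dangling error
memberof-member-ad member
memberof-memberof-ad memberOf
overlay memberof
memberof-dangling error
memberof-member-ad manager
memberof-memberof-ad directReports
""",
}


def _split(line):
    """Split a logical line into (lowercased directive, argument string)."""
    parts = line.split(None, 1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def logical_lines(text):
    """Yield (directive, args), joining slapd.conf continuation lines (a line
    beginning with whitespace continues the previous directive) and skipping
    blank lines and '#' comments."""
    buf = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and buf:
            buf.append(raw.strip())
            continue
        if buf:
            yield _split(" ".join(buf))
        buf = [raw.strip()]
    if buf:
        yield _split(" ".join(buf))


def expand_includes(text, includes):
    """Yield directives with 'include' lines replaced by the included file's
    directives, looked up in the in-memory table (KeyError if missing)."""
    for directive, args in logical_lines(text):
        if directive == "include":
            yield from expand_includes(includes[args], includes)
        else:
            yield directive, args


def parse_databases(text, includes):
    """Return one dict per 'database' stanza: backend, suffix and the ordered
    list of overlays, each with its <name>-* option directives."""
    dbs, current, overlay = [], None, None
    for directive, args in expand_includes(text, includes):
        if directive == "database":
            current = {"backend": args, "suffix": None, "overlays": []}
            dbs.append(current)
            overlay = None
        elif current is None:
            continue  # global section: loglevel, modulepath, moduleload, ...
        elif directive == "suffix":
            current["suffix"] = args.strip('"')
        elif directive == "overlay":
            overlay = {"name": args, "options": {}}
            current["overlays"].append(overlay)
        elif overlay is not None and directive.startswith(overlay["name"] + "-"):
            overlay["options"][directive] = args
    return dbs


def duplicate_overlays(dbs):
    """Return (suffix, overlay, count) for every overlay stacked more than once
    on the same database, i.e. what triggers 'already in list' at load time."""
    found = []
    for db in dbs:
        counts = defaultdict(int)
        for ov in db["overlays"]:
            counts[ov["name"]] += 1
        found.extend((db["suffix"], name, n) for name, n in counts.items() if n > 1)
    return found


if __name__ == "__main__":
    for suffix, name, n in duplicate_overlays(parse_databases(SLAPD_CONF, INCLUDES)):
        print(f"{suffix}: overlay {name!r} configured {n} times")
```

Run stand-alone it prints one line for the DC=samba,DC=example,DC=com database, where memberof is stacked twice; the Configuration database, which has no overlays, is silent. Stacking the same overlay several times is exactly what the post is attempting, so the report is a pre-flight check for the message quoted above rather than a statement that the configuration is wrong.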