Re: slapo-memberof Usage
On Wednesday, 5 May 2010 14:31:01 Stuart Cherrington wrote:
> Hello again,
>
> Having successfully upgraded my LDAP install to 2.4.22 on Redhat 5.3 I've
> been looking at use of the 'slapo-memberof' schema as provided by
> openldap2.4-server package.
>
> The man page for slapo-memberof2.4 indicates I can use the 'memberof-dn'
> directive.
This relates to it being used in your slapd configuration. However, the man
page is quite clear that this directive isn't *that* useful (it only affects
operational attributes).
> So, I've updated my slapd.conf file to allow the 'moduleload
> memberof.la' to be used and restarted ldap2.4 services.
That is not sufficient; you would at least need:
overlay memberof
in the affected database. Additionally, note that the overlay only maintains
the memberof attribute for *changes* to the member attribute (or the attribute
specified by memberof-member-ad); the initial population is up to you (or you
could probably send trivial modifications to all your groupOfNames entries to
force the overlay to update the attributes).
> On the client I
> have configured my ldap.conf without the memberof directive and it works
> fine, but when I use memberof I can no longer login.
>
> nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com
> Works fine
>
> nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?memberof-dn=cn=access,ou=auth,dc=ldn,dc=sw,dc=com
> Fails to log me in.
Firstly, you should be using memberof=DN, not memberof-dn=DN; secondly, does
your user have a matching attribute?
> I can see the people and auth OU's from the client using ldapsearch.
But, do these people have correct memberof attributes?
>
> Questions:
> What is the correct syntax for using the memberof-dn directive?
This is probably irrelevant.
> If the client does NOT have the openldap2.4-server package installed, does
> it pass the 'memberof-dn' directive to my LDAP server to be parsed?
Please consult the nss_ldap documentation for nss_base_passwd, but, typically,
it should use the value you have supplied as a filter to a search operation.
Have you manually verified that the accounts you expect to be matched by your
filter do, in fact, match the filter? For example, by using:
$ ldapsearch -x -b ou=people,dc=ldn,dc=sw,dc=com "(memberof-dn=cn=access,ou=auth,dc=ldn,dc=sw,dc=com)"
Note: I copied from your configuration; if your configuration is wrong, fix it
and re-paste the filter, to make sure you are testing what you have configured
...
Regards,
Buchan
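The two steps Buchan describes, as an added Python example that is not part of this thread and is not OpenLDAP's own code: it turns an LDIF export of the groups into the "trivial modifications" that make slapo-memberof write memberOf on existing members, and it builds the (memberof=DN) filter for the ldapsearch verification, with RFC 4515 escaping so a DN containing '(' or '*' can neither break nor widen the filter. Everything beyond the thread is an assumption: the sample LDIF is constructed, the overlay is assumed to be loaded with `overlay memberof` on the database with the default member/memberOf attributes, and the delete-then-re-add modify is one way to present a change to the overlay (a replace with identical values may not count as a change, so check memberOf on a member entry afterwards).

```python
#!/usr/bin/env python3
"""Bootstrap helpers for slapo-memberof on a directory that predates the overlay.

Assumptions (not from the thread): 'overlay memberof' is active on the database,
the group member attribute is 'member' (the default memberof-member-ad) and the
maintained attribute is 'memberOf' (the default memberof-memberof-ad).
"""
from typing import Dict, List

# Constructed sample export of the groups, as produced by e.g.
#   ldapsearch -x -LLL -b ou=auth,dc=ldn,dc=sw,dc=com '(objectClass=groupOfNames)'
# The second member value is folded across two lines, as LDIF allows.
SAMPLE_GROUPS_LDIF = """\
dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: uid=alice,ou=people,dc=ldn,dc=sw,dc=com

dn: cn=admins,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
cn: admins
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=
 com
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: 'attr: value' lines, folded continuation lines,
    entries separated by blank lines. Attribute names are lower-cased because
    LDAP treats them case-insensitively. Base64 ('::') values are rejected."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded line: append to previous
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            raise ValueError(f"base64 value for {attr} not supported in this example")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def memberof_bootstrap_ldif(entries: List[Dict[str, List[str]]],
                            member_attr: str = "member") -> str:
    """Emit one modify per groupOfNames that deletes and re-adds its member
    values in a single operation, so the overlay sees a change on 'member' and
    writes memberOf on each member entry (the entry's final state is unchanged)."""
    blocks = []
    for entry in entries:
        classes = [v.lower() for v in entry.get("objectclass", [])]
        members = entry.get(member_attr, [])
        if "groupofnames" not in classes or not members:
            continue
        block = [f"dn: {entry['dn'][0]}", "changetype: modify", f"delete: {member_attr}"]
        block += [f"{member_attr}: {m}" for m in members]
        block += ["-", f"add: {member_attr}"]
        block += [f"{member_attr}: {m}" for m in members]
        block.append("-")
        blocks.append("\n".join(block))
    return "\n\n".join(blocks) + "\n"


# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def memberof_filter(group_dn: str, attr: str = "memberOf") -> str:
    """The (memberof=DN) filter Buchan's reply asks for, with the DN escaped."""
    return f"({attr}={escape_filter_value(group_dn)})"


def ldapsearch_check(base: str, group_dn: str) -> List[str]:
    """argv for the verification search; passing a list to subprocess avoids
    any shell quoting of the filter."""
    return ["ldapsearch", "-x", "-LLL", "-b", base, "-s", "sub",
            memberof_filter(group_dn), "memberOf"]


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_GROUPS_LDIF)
    print(memberof_bootstrap_ldif(groups))          # feed to: ldapmodify -x -D ... -W
    print(" ".join(ldapsearch_check("ou=people,dc=ldn,dc=sw,dc=com",
                                    "cn=access,ou=auth,dc=ldn,dc=sw,dc=com")))
```

Run the script, pipe the first part of its output into ldapmodify as a DN that may write the groups, then run the printed ldapsearch: every account that should be allowed to log in must come back with a memberOf value equal to the group DN before the nss_base_passwd filter can work.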