memberOF overlay - memberof-memberof-ad
Hi,
I installed the latest openldap, 2.4.23, with a basic database setup:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/personaddon.schema
loglevel config stats stats2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
moduleload memberof.la
moduleload refint.la
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
database bdb
suffix "dc=my-domain,dc=com"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /var/lib/ldap
index objectClass eq
index uid,cn,mail,member,sn,manager eq
Then I included a standard memberof overlay config:
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint true
This works fine (database population below).
After that I configured a second memberof overlay like this:
overlay memberof
memberof-group-oc inetOrgPerson
memberof-member-ad manager
memberof-memberof-ad owner
memberof-refint true
memberof-dangling error
I pointed from one inetOrgPerson object by attribute manager to another,
where this should be shown as "owner". For the latter I created an
AUXILIARY objectclass to include the owner attribute in the
inetOrgPerson object. But memberof-memberof-ad does not work - it is
still memberOf and not owner.
Here is the dump (I removed some attributes like creatorsName etc.):
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: domain
dc: my-domain

dn: ou=humans,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: humans

dn: ou=accounts,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: accounts

dn: uid=fa770001,ou=accounts,dc=my-domain,dc=com
gidNumber: 9000
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9000
uid: fa770001
homeDirectory: /home/fa770001
cn: Max Mustermann
sn: Mustermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com

dn: ou=groups,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=users1,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users1
member: employeeNumber=0002,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0002
sn: Hermann
cn: Heinz Hermann
memberOf: cn=users1,ou=groups,dc=my-domain,dc=com

dn: uid=fa770002,ou=accounts,dc=my-domain,dc=com
gidNumber: 9001
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9001
uid: fa770002
homeDirectory: /home/fa770002
sn: Hermann
cn: Heinz Hermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users2
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
And here is an ldapsearch for employeeNumber=0001, who is a member of
cn=users2,ou=groups and a manager in uid=fa770001,ou=accounts
and uid=fa770002,ou=accounts - but the two memberof overlays both
effectively use the default memberof-memberof-ad memberOf attribute.
# 0001, humans, my-domain.com
dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
structuralObjectClass: inetOrgPerson
entryUUID: ee628de6-8d8c-102f-9f77-3d86f090c509
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20101126094021Z
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com
modifiersName: cn=Manager,dc=my-domain,dc=com
entryCSN: 20101126112349.873160Z#000000#000#000000
modifyTimestamp: 20101126112349Z
entryDN: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Is there something I did wrong?
Marc
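The symptom in the post is that back-references maintained by two memberof overlay instances end up in one attribute. Because memberOf values are routinely consumed for authorization decisions, it is worth being able to check a dump mechanically: derive, from each overlay's group-oc / member-ad / memberof-ad triple, which back-reference every target entry should carry, and compare that with what slapd actually wrote. The following is an added example, not code from Marc's post or from the OpenLDAP project. It assumes a constructed LDIF subset of the dump above (standard blank-line-separated entries, single-line attribute values, no base64 or line folding) and the two overlay configurations exactly as they appear in the post.

```python
"""Check memberof-style back-references in an LDIF dump against the
overlay configuration that is supposed to maintain them."""
from collections import defaultdict

# Constructed sample: a subset of the dump from the post (DN, objectClass,
# forward links and the memberOf values slapd actually produced).
SAMPLE_LDIF = """\
dn: uid=fa770001,ou=accounts,dc=my-domain,dc=com
objectClass: inetOrgPerson
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: uid=fa770002,ou=accounts,dc=my-domain,dc=com
objectClass: inetOrgPerson
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com

dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
"""

# The two overlay instances from the post as
# (memberof-group-oc, memberof-member-ad, memberof-memberof-ad).
OVERLAYS = [
    ("groupOfNames", "member", "memberOf"),
    ("inetOrgPerson", "manager", "owner"),
]


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr_lowercase: [values]}}.
    Entries are separated by blank lines; values are single-line."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def expected_backrefs(entries, overlays):
    """For every overlay, walk the entries matching its group objectClass and
    record, per target DN, which back-reference attribute should point back."""
    expected = defaultdict(lambda: defaultdict(set))  # dn -> attr -> {source dns}
    for group_oc, member_ad, memberof_ad in overlays:
        for dn, attrs in entries.items():
            ocs = {oc.lower() for oc in attrs.get("objectclass", [])}
            if group_oc.lower() not in ocs:
                continue
            for target in attrs.get(member_ad.lower(), []):
                expected[target][memberof_ad.lower()].add(dn)
    return expected


def find_mismatches(entries, overlays):
    """Compare expected back-references with what the entries carry.
    Returns a sorted list of (dn, attr, missing, unexpected) for every
    (entry, back-reference attribute) pair that is out of sync.  Targets
    that are not present in the dump (dangling references) are not checked."""
    expected = expected_backrefs(entries, overlays)
    backref_attrs = {memberof_ad.lower() for _, _, memberof_ad in overlays}
    mismatches = []
    for dn, attrs in entries.items():
        for attr in backref_attrs:
            actual = set(attrs.get(attr, []))
            wanted = expected.get(dn, {}).get(attr, set())
            if actual != wanted:
                mismatches.append(
                    (dn, attr, sorted(wanted - actual), sorted(actual - wanted)))
    return sorted(mismatches)


if __name__ == "__main__":
    for dn, attr, missing, unexpected in find_mismatches(parse_ldif(SAMPLE_LDIF), OVERLAYS):
        print(f"{dn}: {attr} missing={missing} unexpected={unexpected}")
```

Run against the constructed sample, the checker reports exactly the situation described in the post: employeeNumber=0001 carries the two account DNs in memberOf, where the second overlay's configuration says they belong in owner, and owner itself is empty. Replacing the dump with one where the manager back-references live in owner produces no findings, so the same function doubles as a regression check after the overlay configuration is corrected.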