
memberOF overlay - memberof-memberof-ad



Hi,

I installed the latest OpenLDAP, 2.4.23, with a basic database setup:

include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/rfc2307bis.schema
include		/etc/openldap/schema/yast.schema
include		/etc/openldap/schema/personaddon.schema

loglevel config stats stats2

pidfile		/var/run/slapd/slapd.pid
argsfile	/var/run/slapd/slapd.args

modulepath	/usr/lib/openldap/modules
moduleload 	memberof.la
moduleload 	refint.la

access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by * read

database	bdb
suffix		"dc=my-domain,dc=com"
checkpoint      1024    5
cachesize       10000
rootdn		"cn=Manager,dc=my-domain,dc=com"
rootpw		secret
directory	/var/lib/ldap
index	objectClass	eq
index uid,cn,mail,member,sn,manager eq

Then I included a standard memberof overlay config:

overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint true

This works fine (database population below).
After that I configured a second memberof overlay like this:

overlay memberof
memberof-group-oc inetOrgPerson
memberof-member-ad manager
memberof-memberof-ad owner
memberof-refint true
memberof-dangling error

I pointed from one inetOrgPerson object by attribute manager to another, where this should be shown as "owner". For the latter I created an AUXILIARY objectclass to include the owner attribute in the inetOrgPerson object. But memberof-memberof-ad does not work - it is still memberOf and not owner.

Here is the dump (I removed some attributes like creatorsName etc.):

dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: domain
dc: my-domain

dn: ou=humans,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: humans

dn: ou=accounts,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: accounts

dn: uid=fa770001,ou=accounts,dc=my-domain,dc=com
gidNumber: 9000
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9000
uid: fa770001
homeDirectory: /home/fa770001
cn: Max Mustermann
sn: Mustermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com

dn: ou=groups,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=users1,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users1
member: employeeNumber=0002,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0002
sn: Hermann
cn: Heinz Hermann
memberOf: cn=users1,ou=groups,dc=my-domain,dc=com

dn: uid=fa770002,ou=accounts,dc=my-domain,dc=com
gidNumber: 9001
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9001
uid: fa770002
homeDirectory: /home/fa770002
sn: Hermann
cn: Heinz Hermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users2
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

And here is an ldapsearch for employeeNumber=0001, who is a member of cn=users2,ou=groups and a manager in uid=fa770001,ou=accounts and uid=fa770002,ou=accounts - but the two memberof overlays both effectively use the default memberof-memberof-ad memberOf attribute.

# 0001, humans, my-domain.com
dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
structuralObjectClass: inetOrgPerson
entryUUID: ee628de6-8d8c-102f-9f77-3d86f090c509
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20101126094021Z
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com
modifiersName: cn=Manager,dc=my-domain,dc=com
entryCSN: 20101126112349.873160Z#000000#000#000000
modifyTimestamp: 20101126112349Z
entryDN: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Is there something I did wrong?


Marc
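Added example, not the poster's code: a Python consistency check that takes each overlay stanza's (memberof-group-oc, memberof-member-ad, memberof-memberof-ad) triple, derives the reverse-link attributes the target entries should carry, and reports drift against an LDIF dump. Run over a constructed subset of the dump above it flags exactly the symptom described: employeeNumber=0001 carries memberOf values from the manager links and no owner values.

```python
import re
# Constructed subset of the dump in the post: one group and one account that both point at employeeNumber=0001.
LDIF = """\
dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: uid=fa770001,ou=accounts,dc=my-domain,dc=com
objectClass: inetOrgPerson
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com
"""

# (memberof-group-oc, memberof-member-ad, memberof-memberof-ad) per overlay stanza in the post.
OVERLAYS = [("groupOfNames", "member", "memberOf"), ("inetOrgPerson", "manager", "owner")]
def parse_ldif(text):
    """Minimal LDIF reader (no base64 or folded lines): dn -> {lowercased attr: [values]}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def check(entries, overlays):
    """Return (dn, attr, expected, actual) for every reverse attribute whose values drifted."""
    # Derive the reverse links each overlay should maintain from the forward attributes.
    expected = {}
    for dn, attrs in entries.items():
        ocs = {oc.lower() for oc in attrs.get("objectclass", [])}
        for group_oc, member_ad, memberof_ad in overlays:
            if group_oc.lower() in ocs:
                for target in attrs.get(member_ad.lower(), []):
                    expected.setdefault(target, {}).setdefault(memberof_ad.lower(), set()).add(dn)
    problems = []
    for dn, attrs in entries.items():
        for attr in sorted({memberof_ad.lower() for _, _, memberof_ad in overlays}):
            want, have = expected.get(dn, {}).get(attr, set()), set(attrs.get(attr, []))
            if want != have:
                problems.append((dn, attr, want, have))
    return problems

for dn, attr, want, have in check(parse_ldif(LDIF), OVERLAYS):
    print(f"{dn}: {attr} expected {sorted(want)}, found {sorted(have)}")
```

The memberof overlay only maintains the reverse attribute for changes made through slapd while it is loaded, so a check like this is also useful after slapadd imports or overlay changes, where stale memberOf values can silently feed group-based access decisions.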