questions about memberof-refint option
Hi,
I'm playing with the memberof overlay. For my tests, I use the default
database (numbered 1) from the slapd installation with suffix dc=nodomain.
The tests are running on debian jessie 8.2 and slapd version
2.4.40+dfsg-1
After activating the module in the cn=module entry and activating the overlay for
the database, I have something that works like (I think) it should. I
mean adding a user (attribute member) to a group creates an attribute
memberOf for the user and deleting a user from the group deletes the
user's memberOf attribute. That's great.
There is nothing special configured:
# Entry 1: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectclass: olcConfig
objectclass: olcOverlayConfig
objectclass: olcMemberOf
objectclass: top
olcoverlay: {0}memberof
Reading the man page, I saw the memberof-refint option. From what I
understand, when set to true, you can alter the user's "is member of"
attribute and that would be reflected in the group's "member" attribute.
Right?
But, the member attribute is an operational attribute and can't be
modified. So I started to search for an alternative and found the
eduMember schema from here
https://spaces.internet2.edu/display/macedir/OpenLDAP+eduMember. Once
added to the installation I could use it for objects. It adds isMemberOf
and hasMember attributes that are settable for users and groups. But I
can't make it work with the memberof overlay. When trying to add isMemberOf
as memberof-memberof-ad it was rejected with
member attribute=”isMemberOf” must either have DN
(1.3.6.1.4.1.1466.115.121.1.12) or nameUID
(1.3.6.1.4.1.1466.115.121.1.34) syntax
And the same error was reported with hasMember as memberof-member-ad.
To make it work together I modified the attribute's definitions and
reimported them to openldap. So I can now set isMemberOf as
memberof-memberof-ad and the same for hasMember as memberof-member-ad.
The configuration then was like this:
# Entry 1: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectclass: olcConfig
objectclass: olcOverlayConfig
objectclass: olcMemberOf
objectclass: top
olcmemberofmemberofad: isMemberOf
olcoverlay: {0}memberof
Now that works like (I think) it should. I mean adding a user (attribute
member) to a group creates an attribute isMemberOf for the user and
deleting a user from the group deletes the user's isMemberOf attribute.
That's great.
isMemberOf is a modifiable attribute so it's time to test
memberof-refint and set it to TRUE:
# Entry 1: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectclass: olcConfig
objectclass: olcOverlayConfig
objectclass: olcMemberOf
objectclass: top
olcmemberofmemberofad: isMemberOf
olcmemberofrefint: TRUE
olcoverlay: {0}memberof
And this is where things do not work. I mean what was working before is
still working. If I add a member to a group an attribute isMemberOf is
created for the user. But if I add a second attribute isMemberOf with a
second group, no new member is created on the second group. And if I
delete the attribute isMemberOf from the user's entry, it is still
visible on the group.
Does anybody have any idea why the modifications made on the user (with
the deletion of isMemberOf) are not applied to the group? Is there
something I'm doing wrong?
Thanks.
--
------------
M. P.
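The rejection quoted above ("must either have DN ... or nameUID ... syntax") is a schema check the overlay applies to the attributes named in memberof-member-ad and memberof-memberof-ad. The following script is an added example, not code from the original post or from OpenLDAP: it parses RFC 4512-style attributeType definitions (as found in schema files or olcAttributeTypes values) and reports, before any configuration is touched, whether the overlay would accept a given attribute. The definitions for member and distinguishedName use their standard OIDs; the isMemberOf, hasMember and isMemberOfDN definitions are constructed for the example with placeholder OIDs (1.3.6.1.4.1.99999.*) and are not the real eduMember schema. Rewriting an attribute's syntax to get past this check, as the post describes, also changes what slapd will validate for that attribute, so checking the syntax first is the cheaper step.

```python
import re

# Syntax OIDs the memberof overlay accepts (taken from the error message in the post).
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"
NAME_AND_OPTIONAL_UID_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.34"
ACCEPTED_SYNTAXES = {DN_SYNTAX: "DN", NAME_AND_OPTIONAL_UID_SYNTAX: "nameUID"}

# Minimal RFC 4512 attributeType tokens we need: NAME, SUP and SYNTAX.
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
_SUP_RE = re.compile(r"\bSUP\s+([A-Za-z][A-Za-z0-9-]*)")
_SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)(?:\{\d+\})?")
_PREFIX_RE = re.compile(r"^(?:olcAttributeTypes:\s*(?:\{\d+\})?|attributetype\s+)", re.I)


def parse_attribute_type(definition):
    """Return names, SUP and SYNTAX of one attributeType definition."""
    body = _PREFIX_RE.sub("", definition.strip())
    name_match = _NAME_RE.search(body)
    if name_match is None:
        raise ValueError("attributeType without NAME: %s" % body)
    if name_match.group(1) is not None:
        names = [name_match.group(1)]
    else:
        names = re.findall(r"'([^']*)'", name_match.group(2))
    sup = _SUP_RE.search(body)
    syntax = _SYNTAX_RE.search(body)
    return {
        "names": names,
        "sup": sup.group(1) if sup else None,
        "syntax": syntax.group(1) if syntax else None,
    }


def load_schema(definitions):
    """Index attributeType definitions by every NAME they declare (case-insensitive)."""
    index = {}
    for definition in definitions:
        at = parse_attribute_type(definition)
        for name in at["names"]:
            index[name.lower()] = at
    return index


def effective_syntax(name, schema, _seen=None):
    """Resolve the SYNTAX of an attribute, following SUP when it is inherited."""
    _seen = _seen or set()
    key = name.lower()
    if key in _seen:
        raise ValueError("SUP cycle at %s" % name)
    _seen.add(key)
    at = schema.get(key)
    if at is None:
        raise KeyError("unknown attribute type: %s" % name)
    if at["syntax"]:
        return at["syntax"]
    if at["sup"]:
        return effective_syntax(at["sup"], schema, _seen)
    return None


def memberof_accepts(name, schema):
    """Apply the overlay's rule: the attribute must have DN or nameUID syntax."""
    syntax = effective_syntax(name, schema)
    if syntax in ACCEPTED_SYNTAXES:
        return True, syntax, "%s has %s syntax" % (name, ACCEPTED_SYNTAXES[syntax])
    return False, syntax, (
        'member attribute="%s" must either have DN (%s) or nameUID (%s) syntax'
        % (name, DN_SYNTAX, NAME_AND_OPTIONAL_UID_SYNTAX)
    )


# Constructed sample schema. member and distinguishedName carry their standard OIDs;
# the three others use placeholder OIDs and are NOT the real eduMember definitions.
SAMPLE_SCHEMA = [
    "( 2.5.4.31 NAME 'member' SUP distinguishedName )",
    "( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )",
    "olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1 NAME 'isMemberOf' "
    "DESC 'constructed, DirectoryString syntax' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.3.6.1.4.1.99999.2 NAME 'hasMember' DESC 'constructed, DirectoryString syntax' "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )",
    "( 1.3.6.1.4.1.99999.3 NAME 'isMemberOfDN' DESC 'constructed, DN syntax' "
    "SUP distinguishedName )",
]


if __name__ == "__main__":
    schema = load_schema(SAMPLE_SCHEMA)
    for candidate in ("member", "isMemberOf", "hasMember", "isMemberOfDN"):
        ok, syntax, reason = memberof_accepts(candidate, schema)
        print("%-12s %-32s %s" % (candidate, syntax, "OK" if ok else "REJECT: " + reason))
```

Run against the constructed schema, member and isMemberOfDN pass (DN syntax inherited through SUP distinguishedName) while isMemberOf and hasMember are rejected with the same wording the overlay produced in the post. Pointing load_schema at the olcAttributeTypes values exported from cn=config gives the same answer for a real server.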