Ldap – How to update the memberOf attributes of existing objects after adding the OpenLDAP Reverse Group Membership Maintenance overlay


This is a follow-up to this question: I added the memberof overlay to an existing OpenLDAP 2.4 server. Now I want to update the existing user objects.

For new group memberships, the memberOf attribute is updated correctly. But I have a bunch of existing groups which aren't updated automatically. I could remove all users from their groups and re-add them to make sure these entries are in sync. Since this is a Univention Corporate Server which does a lot of magic when you modify the LDAP, I don't want to risk breaking my directory.

Is there a way to trick the overlay to update these operational attributes?

Best Answer

The only time when the memberOf overlay will be activated is if you modify a member in a group. So, the only way to "trick" it into updating the memberOf attributes would indeed be to remove all users from their groups and re-add them, as you suggested.

An alternative would be to use an external tool to synchronize groups and their members' entries.

You could write your own script for this, something along the lines of: for each group, read the members; for each member, run an LDAP modify operation to add a value to the memberOf attribute of that member's entry.

Or, probably more reliable, you could use a tool like LSC (LDAP Synchronization Connector) which has pretty much everything already done: you just need to configure the mapping you want. The trick with LSC is to use the same LDAP server as both source and destination, and run through all users to make sure that the memberOf attribute contains the list of groups that results from searching all groups for member=. The LSC website has a tutorial to do this, sort of, but it's a bit outdated.
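The script the answer sketches, written out as an added example; it is not part of the original answer and is not Univention, OpenLDAP or LSC code. The group and user entries below are constructed samples standing in for what ldapsearch would return, and norm_dn is a deliberately simple DN comparison helper, not an RFC 4514 parser. It goes one step beyond the sketch: besides adding the memberOf values each group's member attribute implies, it also plans the deletion of stale memberOf values, and it emits LDIF instead of writing to the server, so the changes can be reviewed before anything touches the directory.

```python
"""Plan and emit LDIF to backfill memberOf after enabling the memberof overlay.

Reads group entries and the users' current memberOf values (here: constructed
LDIF samples, not data from the original page), works out which memberOf values
each user should have, and renders 'changetype: modify' records that add the
missing values and delete stale ones.
"""
from collections import defaultdict

# Constructed sample: roughly what
#   ldapsearch -b ou=groups,dc=example,dc=com '(objectClass=groupOfNames)' member
# would return. Names and DNs are invented for this example.
GROUPS_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
"""

# Constructed sample: the users' memberOf values as they are today.
# alice was added to admins after the overlay went in, so she is already right;
# bob predates the overlay and has nothing; carol carries a stale value.
USERS_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
memberOf: cn=admins,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com

dn: uid=carol,ou=people,dc=example,dc=com
memberOf: cn=oldteam,ou=groups,dc=example,dc=com
"""


def norm_dn(dn):
    """Crude DN normalisation for comparison: lowercase, strip spaces around commas.
    Good enough for plain DNs like the samples; a real tool should parse RFC 4514."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Parse a minimal LDIF listing (no base64 '::' values, no line folding)
    into {dn: {attr: [values]}}; attribute names are lowercased."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn:
            entries[dn] = attrs
    return entries


def expected_memberof(groups):
    """For each member DN, the group DNs whose member attribute lists it, i.e. the
    result of searching all groups for member=<dn>. Keyed by normalised DN, with
    the original spelling kept as the value so the LDIF we emit matches the groups."""
    wanted = defaultdict(dict)
    for gdn, attrs in groups.items():
        for member in attrs.get("member", []):
            wanted[norm_dn(member)][norm_dn(gdn)] = gdn
    return wanted


def plan_updates(groups_ldif, users_ldif):
    """Return [(user_dn, [memberOf to add], [memberOf to delete])] for every user
    whose current memberOf differs from what the groups say. Members that have
    no user entry in the listing are simply skipped."""
    groups = parse_ldif(groups_ldif)
    users = parse_ldif(users_ldif)
    wanted = expected_memberof(groups)
    plan = []
    for udn, attrs in users.items():
        have = {norm_dn(v): v for v in attrs.get("memberof", [])}
        want = wanted.get(norm_dn(udn), {})
        adds = [want[k] for k in sorted(want) if k not in have]
        dels = [have[k] for k in sorted(have) if k not in want]
        if adds or dels:
            plan.append((udn, adds, dels))
    return plan


def to_ldif(plan):
    """Render the plan as LDIF modify records suitable for ldapmodify."""
    out = []
    for udn, adds, dels in plan:
        rec = [f"dn: {udn}", "changetype: modify"]
        if adds:
            rec.append("add: memberOf")
            rec += [f"memberOf: {g}" for g in adds]
            rec.append("-")
        if dels:
            rec.append("delete: memberOf")
            rec += [f"memberOf: {g}" for g in dels]
            rec.append("-")
        out.append("\n".join(rec))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_ldif(plan_updates(GROUPS_LDIF, USERS_LDIF)), end="")
```

Run it once to read the plan, then feed the LDIF to ldapmodify as the rootdn or another identity allowed to write memberOf. Two things to check before doing that on a real server: the overlay registers memberOf as an operational attribute, so the server may refuse a plain modify and require the Relax Rules control (ldapmodify -e relax) before it accepts a direct write, which is worth testing on one entry first; and since the question notes that Univention Corporate Server reacts to directory writes, try the whole run against a copy of the directory rather than the production one.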
