Not able to add memberOf overlay openldap 2.3.9

openldap

I am currently working on integrating LDAP authentication into a system and I would like to restrict access based on LDAP group. The only way to do this is via a search filter and therefore I believe my only option to be the use of the memberOf attribute in my search filter. It is my understanding that the memberOf attribute is an operational attribute which can be created by the server for me anytime a new member attribute is created for any groupOfNames entry on the server. My main goal is to be able to add a member attribute to an existing groupOfNames entry and have a matching memberOf attribute be added to the DN I provide

I am working on OpenLDAP version 2.3.9. I know that version 2.4.31 is the latest, but it has a BerkeleyDB version dependency which i cannot update, hence I have to stick to version 2.3.9.

I have setup OpenLDAP the way it was described in the OpenLDAP guide and i am able to start the server. Now I am trying to add memberOf overlay to the config database.
I added the following to slapd.conf:

database config
rootdn "cn=config"
rootpw secret

and i created a ldif file for memberOf:

dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: memberof.la
olcmodulepath: "path"

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof

and I am trying to add this overlay using command:

ldapadd -x -h "host" -p "port -D "cn=config" -f memberOf.ldif -w secret

I am getting the following error:

ldapadd: Internal (implementation specific) error (80)
    additional info: <olcModuleLoad> handler exited with 1

I have the following questions:

Can we add overlays in versions less than 2.3?
I read that we need to use -y EXTERNAL in ldapadd command

I get the following error doing so:
```
ldapadd: incompatible with authentication choice
```

Can someone tell what i am doing wrong? There are a lot of scattered resources which i tried but all end me up with the oclModuleLoad error.

Best Answer

It is my understanding that the memberOf attribute is an operational attribute which can be created by the server for me anytime a new member attribute is created for any groupOfNames entry on the server.

If you configure it that way. You haven't finished the configuration. You need to specify what attributes and objectClasses the overlay is going to maintain the memberOf attribute for. You're going to need something like this, adapted for your own needs:

olcMemberOfDangling ignore
olcMemberOfGroupOC  groupOfNames
olcMemberOfMemberAD member
olcMemberOfMemberOfAD   memberOf
olcMemberOfRefInt   TRUE

in addition to what you already have.

Related Solutions

OpenLDAP – Configure Reverse Group Membership Maintenance (memberOf)

I've been struggling with the same thing, the openldap documentation is minimalist and hardly helpful at all. When they went over to a config database (not a bad idea in principle) all the options changed so when people are giving example from /etc/ldap/slapd.conf it is useless with a modern slapd config (such as Ubuntu).

I finally got this working. Here's the summary... first LDIF file:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

Second LDIF file:

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Add them into the config database using ldapadd (same as normal config stuff).

It does not automatically update the existing data in the database, so I needed to use slapcat to copy everything out into a temporary file, and visit each group, delete the group and add the same group back in again (forces the memberOf attributes to update correctly). If you are starting with an empty database, then it will correctly update the attributes as objects are added.

Also, note that "olcDatabase={1}hdb" is very typical, but not guaranteed to match your setup. Be sure to check that one.

Ldap – How to update the memberOf attributes of existing objects after adding the OpenLDAP Reverse Group Membership Maintenance overlay

The only time when the memberOf overlay will be activated is if you modify a member in a group. So, the only way to "trick" it into updating the memberOf attributes would indeed be to remove all users from their groups and re-add them, as you suggested.

An alternative would be to use an external tool to synchronize groups and their members's entries.

You could write your own script for this - something along the lines of "for each group, read the members, for each member, run a LDAP "modify" operation to "add" a value to the memberOf attribute of that member's entry.

Or, probably more reliable, you could use a tool like LSC (LDAP Synchronization Connector) which has pretty much everything already done: you just need to configure the mapping you want. The trick with LSC is to use the same LDAP server as both source and destination, and running through all users to make sure that the memberOf attribute contains the list of groups that results from searching all groups for member=. The LSC website has a tutorial to do this, sort of, but it's a bit outdated.

Best Answer

Related Solutions

OpenLDAP – Configure Reverse Group Membership Maintenance (memberOf)

Ldap – How to update the memberOf attributes of existing objects after adding the OpenLDAP Reverse Group Membership Maintenance overlay

Related Topic