I've been struggling with the same thing; the openldap documentation is minimalist and hardly helpful at all. When they went over to a config database (not a bad idea in principle) all the options changed, so when people give examples from /etc/ldap/slapd.conf it is useless with a modern slapd config (such as Ubuntu).
I finally got this working. Here's the summary... first LDIF file:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof
Second LDIF file:
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
Add them into the config database using ldapadd (same as normal config stuff).
It does not automatically update the existing data in the database, so I needed to use slapcat to copy everything out into a temporary file, and visit each group, delete the group and add the same group back in again (forces the memberOf attributes to update correctly). If you are starting with an empty database, then it will correctly update the attributes as objects are added.
Also, note that "olcDatabase={1}hdb" is very typical, but not guaranteed to match your setup. Be sure to check that one.
The only time when the memberOf overlay will be activated is if you modify a member in a group. So, the only way to "trick" it into updating the memberOf attributes would indeed be to remove all users from their groups and re-add them, as you suggested.
An alternative would be to use an external tool to synchronize groups and their members' entries.
You could write your own script for this, something along the lines of: for each group, read the members; for each member, run an LDAP "modify" operation to "add" a value to the memberOf attribute of that member's entry.
Or, probably more reliable, you could use a tool like LSC (LDAP Synchronization Connector) which has pretty much everything already done: you just need to configure the mapping you want. The trick with LSC is to use the same LDAP server as both source and destination, and to run through all users to make sure that the memberOf attribute contains the list of groups that results from searching all groups for member=. The LSC website has a tutorial to do this, sort of, but it's a bit outdated.
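Both answers above end up at the same job: take a slapcat dump, find every group, and either re-add the groups so slapo-memberof recomputes memberOf (first answer) or write the memberOf values to each member directly (the script outlined in the second answer). The following is an added example, not code from either answer or from the OpenLDAP project: it parses slapcat-style LDIF offline, reports which members are dangling (the case olcMemberOfDangling: ignore covers), and emits ldapmodify input for either method. The sample dump, the group object class and member attribute (matching olcMemberOfGroupOC / olcMemberOfMemberAD in the answer's config) and the list of operational attributes to strip are assumptions made for the example.

```python
"""Rebuild memberOf from a slapcat dump, offline (added example)."""
import base64

# Constructed slapcat-style dump: two users, two groups, one dangling member.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com
member: uid=ghost,ou=people,dc=example,dc=com
entryCSN: 20240101000000.000000Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: staff
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
"""

# Attributes slapcat writes that a client must not send back in an add
# (assumed list; memberOf is included because the overlay maintains it).
OPERATIONAL = {"entryuuid", "entrycsn", "creatorsname", "createtimestamp",
               "modifiersname", "modifytimestamp", "structuralobjectclass",
               "contextcsn", "memberof"}


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])] from LDIF text.
    Handles folded continuation lines, comments and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, entry = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if entry is not None:
                entries.append(entry)
                entry = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            entry = (value, [])
        elif entry is not None:
            entry[1].append((attr, value))
    return entries


def group_entries(entries, group_oc="groupOfNames", member_ad="member"):
    """Yield (dn, attrs, members) for entries of the configured group class."""
    for dn, attrs in entries:
        ocs = {v.lower() for a, v in attrs if a.lower() == "objectclass"}
        if group_oc.lower() in ocs:
            members = [v for a, v in attrs if a.lower() == member_ad.lower()]
            yield dn, attrs, members


def expected_memberof(entries):
    """Map member DN -> sorted group DNs, plus (group, member) pairs whose
    member has no entry in the dump (dangling references)."""
    known = {dn.lower() for dn, _ in entries}
    wanted, dangling = {}, []
    for gdn, _, members in group_entries(entries):
        for m in members:
            if m.lower() in known:
                wanted.setdefault(m, []).append(gdn)
            else:
                dangling.append((gdn, m))
    return {m: sorted(g) for m, g in wanted.items()}, dangling


def readd_groups_ldif(entries):
    """First answer's method: delete each group and add it back so the
    overlay recomputes memberOf. Operational attributes are stripped."""
    out = []
    for gdn, attrs, _ in group_entries(entries):
        out.append(f"dn: {gdn}\nchangetype: delete\n")
        body = "".join(f"{a}: {v}\n" for a, v in attrs
                       if a.lower() not in OPERATIONAL)
        out.append(f"dn: {gdn}\nchangetype: add\n{body}")
    return "\n".join(out)


def memberof_modify_ldif(entries):
    """Second answer's outline: one modify per member adding the memberOf
    value of every group that lists it. Dangling members are skipped."""
    wanted, _ = expected_memberof(entries)
    out = []
    for mdn, groups in sorted(wanted.items()):
        values = "".join(f"memberOf: {g}\n" for g in groups)
        out.append(f"dn: {mdn}\nchangetype: modify\nadd: memberOf\n{values}-\n")
    return "\n".join(out)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    wanted, dangling = expected_memberof(entries)
    for member, groups in wanted.items():
        print(member, "->", groups)
    print("dangling:", dangling)
    print(readd_groups_ldif(entries))
    print(memberof_modify_ldif(entries))
```

To use it against a real dump, replace SAMPLE_LDIF with the output of slapcat and feed the generated text to ldapmodify. The delete-and-add output relies only on the overlay being loaded on the server that receives it, which is why it is the safer of the two; the direct memberOf modifications depend on the server accepting client writes to that attribute, which is the assumption the second answer's script idea makes. Comparing expected_memberof() with what ldapsearch returns for memberOf is also a cheap way to check that the overlay is doing its job after a migration.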
Best Answer
As you already noted some OpenLDAP overlays bring their own LDAP schema descriptions hard-coded in the overlay's C code and that might conflict with schema descriptions in the config file (aka slapd.conf) or config database (aka cn=config).
In this particular case it's not a big problem because the OID and the NAME match exactly what slapo-memberof will install. So you can safely just remove the attribute type description for memberOf you currently have in the schema. (I guess you've imported that during an LDAP server migration from another vendor.)
Do not add memberOf to your object classes. If slapo-memberof is correctly configured (on all replicas!) it will maintain the attribute values.
When changing your schema and doing migrations I'd also recommend using the command-line tool slapschema to check whether the current database content still matches the schema descriptions.