I'm not sure what version we were starting on at the time, but back when we
first tried it we didn't have any results with the fixup-memberof.pl
script. No errors, just didn't appear to do anything.
However, we worked around this by just going into any group that a given
user was in, removing them from the group, then adding them, and just this
one change for the user caused memberOf plugin to rebuild their entire
group membership into memberOf values for all groups they were in (and
going forward memberOf has always worked right away because it was already
enabled from that point forward). We just had to repeat this once for each
then-existing user, and since then everything has "just worked".
On Tue, Jul 15, 2014 at 7:15 PM, Noriko Hosoi <nhosoi(a)redhat.com> wrote:

Alberto,

Alberto Viana wrote:

Noriko,

Changing that config, if I remove and add again the user in a group
worked....but the fixup-memberof.pl didn't.

I'm not sure why. The fixup-memberof.pl is supposed to do the following
task.
 * 1. Remove all present memberOf values
 * 2. Add direct group membership memberOf values
 * 3. Add indirect group membership memberOf values
The default filter the utility uses is
"(|(objectclass=inetuser)(objectclass=inetadmin))".
If you run

  ldapsearch -x -D "cn=Directory Manager" -w - -b "OU=my,dc=mydc,dc=local" "(|(objectclass=inetuser)(objectclass=inetadmin))"

what does the command line return?

Is there any easy way to update this info on all users?

Another question:

Should I always change this parameter?

As long as your group entry is groupofuniquenames, yes, you need to.

I'm asking that because I'm planning to update my 389 to a newer version
(due to a db2bak.pl problem that was fixed in this newer version)

Alberto Viana

On Thu, Jul 10, 2014 at 5:16 PM, Noriko Hosoi <nhosoi(a)redhat.com> wrote:
> Alberto,
>
> Alberto Viana wrote:
>
> Noriko,
>
> dn: uid=alberto.viana,ou=IT,dc=mydc,dc=local
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetOrgPerson
> objectClass: ntUser
> objectClass: eduPerson
> objectClass: brPerson
> objectClass: schacPersonalCharacteristics
> objectClass: pwmUser
> objectClass: inetuser
> ntUserLastLogoff: 0
> ntUserDeleteAccount: true
> uid: alberto.viana
> sn: Viana
> givenName: Alberto
> cn: Alberto Viana
>
>
> dn: cn=GRP_SRV_WIKI_CONFLUENCE,OU=GROUPS,dc=mydc,dc=local
> *uniqueMember: uid=alberto.viana,ou=IT,dc=mydc,dc=local*
> objectClass: top
> objectClass: groupofuniquenames
> objectClass: ntGroup
> ntGroupDeleteGroup: true
> cn: GRP_SRV_WIKI_CONFLUENCE
> ntUserDomainId: GRP_SRV_WIKI_CONFLUENCE
>
> Could you try again after replacing the memberofgroupattr value member
> with uniqueMember?
>
> Here's my plugin config:
> # MemberOf Plugin, plugins, config
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginPath: libmemberof-plugin
> nsslapd-pluginInitfunc: memberof_postop_init
> nsslapd-pluginType: betxnpostoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> memberofgroupattr: *member*
> memberofattr: memberOf
> nsslapd-pluginId: memberof
> nsslapd-pluginVersion: 1.3.2.13
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: memberof plugin
>
> If you need something else, just let me know.
>
> On Thu, Jul 10, 2014 at 4:54 PM, Noriko Hosoi <nhosoi(a)redhat.com> wrote:
>
>> Alberto,
>>
>> Alberto Viana wrote:
>>
>> Noriko,
>>
>> Just to let you know that was a totally fresh installation and I
>> imported my userRoot database, so I don't think so.
>>
>> It was a question from Mark :), but thanks for your response. So, you
>> don't get any particular errors or warnings in your error log... Would you
>> mind sharing a typical user and a group entry? Of course you could cleanse
>> the "name" part.
>>
>>
>> Here's my plugin config:
>> # MemberOf Plugin, plugins, config
>> dn: cn=MemberOf Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: nsSlapdPlugin
>> objectClass: extensibleObject
>> cn: MemberOf Plugin
>> nsslapd-pluginPath: libmemberof-plugin
>> nsslapd-pluginInitfunc: memberof_postop_init
>> nsslapd-pluginType: betxnpostoperation
>> nsslapd-pluginEnabled: on
>> nsslapd-plugin-depends-on-type: database
>> memberofgroupattr: member
>> memberofattr: memberOf
>> nsslapd-pluginId: memberof
>> nsslapd-pluginVersion: 1.3.2.13
>> nsslapd-pluginVendor: 389 Project
>> nsslapd-pluginDescription: memberof plugin
>>
>>
>> I have 2 389DS with this version (replication enabled), the same
>> behavior in both.
>>
>> Thanks
>>
>>
>>
>> On Thu, Jul 10, 2014 at 4:29 PM, Mark Reynolds <mareynol(a)redhat.com>
>> wrote:
>>
>>>
>>> On 07/10/2014 02:35 PM, Alberto Viana wrote:
>>>
>>> Noriko,
>>>
>>> =====================
>>> # fixup-memberof.pl -D "cn=Directory Manager" -w - -b
>>> "OU=my,dc=mydc,dc=local"
>>> Bind Password:
>>> Successfully added task entry "cn=memberOf_fixup_2014_7_10_15_25_29,
>>> cn=memberOf task, cn=tasks, cn=config"
>>> =====================
>>>
>>> It removed all memberof entries for my user... is this the expected
>>> behavior?
>>>
>>> Even if I remove the user from a group and add it again, it's not
>>> working.
>>>
>>> Thanks
>>>
>>> Can you verify your memberOf settings are still
>>> correct (memberofgroupattr, etc.)? Maybe something got overwritten during
>>> the upgrade?
>>>
>>> On Thu, Jul 10, 2014 at 3:20 PM, Noriko Hosoi <nhosoi(a)redhat.com>
>>> wrote:
>>>
>>>> What happens if you run this utility?
>>>> /usr/lib[64]/dirsrv/slapd-YOURID/fixup-memberof.pl
>>>>
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9....
>>>>
>>>> Then, continue updating your user in a group?
>>>> Thanks,
>>>> --noriko
>>>>
>>>> Alberto Viana wrote:
>>>>
>>>> Hi,
>>>>
>>>> 389-Directory/1.3.2.13 B2014.141.1513
>>>>
>>>> I recently updated my server to 1.3.2.13 and the "memberof" plugin
>>>> is not working as expected, it's not updating my user "memberOf"
>>>> attribute when I put a user in a group.
>>>>
>>>> How can I debug it?
>>>>
>>>> I tried to set my nsslapd-errorlog-level to 65536 but could not find
>>>> any useful information.
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Alberto Viana
>>>>
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
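
The mismatch diagnosed in this thread (groups that carry uniqueMember while the plugin's memberofgroupattr is member) can be checked offline against an LDIF export. The following is an added example, not code from the thread or from the 389 project; the sample LDIF is constructed from the entries quoted above, the function names are hypothetical, and DNs are compared as lowercased strings, which is a simplification.

```python
from collections import defaultdict

# Constructed sample, trimmed from the entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=MemberOf Plugin,cn=plugins,cn=config
memberofgroupattr: member
memberofattr: memberOf

dn: uid=alberto.viana,ou=IT,dc=mydc,dc=local
objectClass: inetOrgPerson
objectClass: inetuser

dn: cn=GRP_SRV_WIKI_CONFLUENCE,OU=GROUPS,dc=mydc,dc=local
objectClass: groupofuniquenames
uniqueMember: uid=alberto.viana,ou=IT,dc=mydc,dc=local
"""
MEMBERSHIP_ATTRS = ("member", "uniquemember")  # attributes this check knows

def parse_ldif(text):
    """Parse simple LDIF (no folding/base64) into {lowercased dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip().lower()].append(value.strip())
        if attrs.get("dn"):
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit(entries):
    """Return (membership attrs the plugin ignores, {user dn: groups missing from memberOf})."""
    plugin = entries["cn=memberof plugin,cn=plugins,cn=config"]
    watched = {v.lower() for v in plugin["memberofgroupattr"]}
    target = plugin["memberofattr"][0].lower()
    ignored, missing = set(), defaultdict(set)
    for group_dn, attrs in entries.items():
        for attr in MEMBERSHIP_ATTRS:
            for member in (m.lower() for m in attrs.get(attr, [])):
                if attr not in watched:
                    ignored.add(attr)
                if member not in entries:
                    continue  # member lives outside this export
                have = {g.lower() for g in entries[member].get(target, [])}
                if group_dn not in have:
                    missing[member].add(group_dn)
    return ignored, dict(missing)

print(audit(parse_ldif(SAMPLE_LDIF)))
```

A non-empty first element means group memberships exist under an attribute the plugin is not watching; the second element lists the users whose memberOf values still need rebuilding.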