On Aug 12, 2013, at 2:26 PM, Morgan Jones <morgan(a)morganjones.org> wrote:
I have a client running CentOS directory 8.2.8, CentOS 5. We have two multi-masters
with two read-only replicas.
We enabled the memberof plugin and it shows group memberships unreliably at best. Is
this a known issue or am I perhaps missing something?
For example:
ldapsearch -x -w pass -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb ou=groups,dc=domain,dc=org cn=orgfulladminaccess
dn: cn=orgfulladminaccess,ou=groups,dc=domain,dc=org
uniqueMember: uid=rfw,ou=employees,dc=domain,dc=org
uniqueMember: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
uniqueMember: uid=sathomas,ou=employees,dc=domain,dc=org
uniqueMember: uid=rbateman,ou=employees,dc=domain,dc=org
uniqueMember: uid=kacless,ou=employees,dc=domain,dc=org
uniqueMember: uid=selectivesync,ou=employees,dc=domain,dc=org
uniqueMember: uid=cverrill,ou=employees,dc=domain,dc=org
uniqueMember: uid=morgan,ou=employees,dc=domain,dc=org
uniqueMember: uid=fullAdminAccessUser,ou=people,dc=domain,dc=org
objectClass: top
objectClass: groupofuniquenames
description: Group with full administrator access.
cn: orgFullAdminAccess
anderson:~ morgan$
Notice that just two users are returned when I search for
memberof=cn=orgfulladminaccess...
anderson:~ morgan$ ldapsearch -x -w pass -H ldaps://devldap01.domain.net -D cn=directory\ manager -LLLb dc=domain,dc=org memberof=cn=orgfulladminaccess,ou=groups,dc=domain,dc=org dn
dn: uid=kacless,ou=employees,dc=domain,dc=org
dn: uid=morgan,ou=employees,dc=domain,dc=org
anderson:~ morgan$ ldapsearch -x -w pass -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb dc=domain,dc=org memberof=cn=orgfulladminaccess,ou=groups,dc=domain,dc=org dn
dn: uid=kacless,ou=employees,dc=domain,dc=org
dn: uid=morgan,ou=employees,dc=domain,dc=org
I did consider this possibility but I struggle to believe that I have to set up partial
replication throughout just to get memberof working:
http://www.redhat.com/archives/fedora-directory-users/2009-November/msg00...
Here's the config on all four hosts:
Masters:
anderson:~ morgan$ ldapsearch -x -w pass -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin
anderson:~ morgan$ ldapsearch -x -w pass -H ldaps://devldapm02.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin
anderson:~ morgan$
Read-only consumers:
anderson:~ morgan$ ldapsearch -x -w pass -H ldaps://devldap01.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniquemember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin
anderson:~ morgan$ ldapsearch -x -w pass -H ldaps://devldap02.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniquemember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin
anderson:~ morgan$
thanks,
-morgan
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
I am almost positive that fractional replication is required for that plugin.
Anything in logs about unwilling to perform?
The whole "unreliable at best" comment makes me think the new entries will work
but not existing ones. Is this true?
For existing entries, did you run the fix-up task mentioned in the link below?
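
Added example, not part of the original thread and not 389 Directory Server code: a Python check that compares the group's uniqueMember values with what the memberof= search returned, using the LDIF shown above as sample input. The function names are hypothetical and the DN normalisation is simplified (no escaped commas).

```python
# Sample input: LDIF copied from the two ldapsearch outputs in this thread.
GROUP_LDIF = """\
uniqueMember: uid=rfw,ou=employees,dc=domain,dc=org
uniqueMember: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
uniqueMember: uid=sathomas,ou=employees,dc=domain,dc=org
uniqueMember: uid=rbateman,ou=employees,dc=domain,dc=org
uniqueMember: uid=kacless,ou=employees,dc=domain,dc=org
uniqueMember: uid=selectivesync,ou=employees,dc=domain,dc=org
uniqueMember: uid=cverrill,ou=employees,dc=domain,dc=org
uniqueMember: uid=morgan,ou=employees,dc=domain,dc=org
uniqueMember: uid=fullAdminAccessUser,ou=people,dc=domain,dc=org
"""
MEMBEROF_LDIF = """\
dn: uid=kacless,ou=employees,dc=domain,dc=org
dn: uid=morgan,ou=employees,dc=domain,dc=org
"""

def norm_dn(dn):
    # Simplified DN normalisation: case-fold, trim RDNs; no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def ldif_values(ldif, attr):
    """Normalised values of attr; base64 ('attr::') values are not decoded."""
    values = []
    for line in ldif.replace("\n ", "").splitlines():  # unfold wrapped lines
        name, sep, value = line.partition(":")
        if sep and name.lower() == attr.lower():
            values.append(norm_dn(value))
    return values

def audit(group_ldif, memberof_ldif, search_base, group_attr="uniqueMember"):
    """Sort each group member by whether the memberOf search returned it."""
    members = ldif_values(group_ldif, group_attr)
    linked = set(ldif_values(memberof_ldif, "dn"))
    base = norm_dn(search_base)
    report = {"ok": [], "missing": [], "out_of_scope": []}
    for dn in members:
        if dn in linked:
            key = "ok"
        elif dn.endswith("," + base):
            key = "missing"       # under the base, but no memberOf value
        else:
            key = "out_of_scope"  # this search base can never return it
        report[key].append(dn)
    report["stale"] = sorted(linked - set(members))  # memberOf, not in group
    return report

if __name__ == "__main__":
    print(audit(GROUP_LDIF, MEMBEROF_LDIF, "dc=domain,dc=org"))
```

On the thread's data this reports two members with memberOf, six under dc=domain,dc=org without it, and one (the admin entry under o=NetscapeRoot) that a search based at dc=domain,dc=org cannot return.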