On Aug 12, 2013, at 2:26 PM, Morgan Jones <morgan@morganjones.org> wrote:

I have a client running CentOS directory 8.2.8, CentOS 5.  We have two multi-masters with two read-only replicas.

We enabled the memberof plugin and it shows group memberships unreliably at best.  Is this a known issue, or am I perhaps missing something?

For example:

ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb ou=groups,dc=domain,dc=org  cn=orgfulladminaccess
dn: cn=orgfulladminaccess,ou=groups,dc=domain,dc=org
uniqueMember: uid=rfw,ou=employees,dc=domain,dc=org
uniqueMember: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
uniqueMember: uid=sathomas,ou=employees,dc=domain,dc=org
uniqueMember: uid=rbateman,ou=employees,dc=domain,dc=org
uniqueMember: uid=kacless,ou=employees,dc=domain,dc=org
uniqueMember: uid=selectivesync,ou=employees,dc=domain,dc=org
uniqueMember: uid=cverrill,ou=employees,dc=domain,dc=org
uniqueMember: uid=morgan,ou=employees,dc=domain,dc=org
uniqueMember: uid=fullAdminAccessUser,ou=people,dc=domain,dc=org
objectClass: top
objectClass: groupofuniquenames
description: Group with full administrator access.
cn: orgFullAdminAccess

anderson:~ morgan$

Notice that just two users are returned when I search for memberof=cn=orgfulladminaccess...

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap01.domain.net -D cn=directory\ manager -LLLb dc=domain,dc=org  memberof=cn=orgfulladminaccess,ou=groups,dc=domain,dc=org dn
dn: uid=kacless,ou=employees,dc=domain,dc=org

dn: uid=morgan,ou=employees,dc=domain,dc=org

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb dc=domain,dc=org  memberof=cn=orgfulladminaccess,ou=groups,dc=domain,dc=org dn
dn: uid=kacless,ou=employees,dc=domain,dc=org

dn: uid=morgan,ou=employees,dc=domain,dc=org


I did consider this possibility, but I struggle to believe that I have to set up partial replication throughout just to get memberof working:

http://www.redhat.com/archives/fedora-directory-users/2009-November/msg00058.html

Here's the config on all four hosts:

Masters:

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm02.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin

anderson:~ morgan$

Read-only consumers:

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap01.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniquemember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap02.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniquemember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin

anderson:~ morgan$

thanks,

-morgan

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

I am almost positive that fractional replication is required for that plugin. 

Anything in logs about unwilling to perform?

The whole "unreliable at best" comment makes me think the new entries will work but not existing. Is this true?

For existing entries, did you run the fix-up task mentioned in the link below?

http://directory.fedoraproject.org/wiki/MemberOf_Plugin
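An added example, not from the thread or from the 389 project: a small Python check that diffs a group's uniqueMember list against the entries that actually carry memberOf for that group, so drift like the one above (nine members listed, two returned by the memberOf search) shows up as an explicit list of DNs to hand to the fix-up task. The LDIF below is constructed, modelled on the search output above; in practice you would feed it the -LLL output of the two ldapsearch commands (the group entry, and the memberof=<group dn> search with the dn attribute). The function and attribute names are this example's own.

```python
"""Detect memberOf drift in a 389/Red Hat Directory Server group.

Compares the members a group lists (uniqueMember) with the entries that
return for a memberof=<group> search. Entries in the first set but not the
second have a missing memberOf value (candidates for the fix-up task, or a
sign the attribute is not being replicated); entries in the second but not
the first carry a stale memberOf value.
"""
import base64

# Constructed sample LDIF, modelled on the thread's ldapsearch output.
GROUP_LDIF = """\
dn: cn=orgfulladminaccess,ou=groups,dc=domain,dc=org
uniqueMember: uid=rfw,ou=employees,dc=domain,dc=org
uniqueMember: uid=kacless,ou=employees,dc=domain,dc=org
uniqueMember: uid=morgan,ou=employees,dc=domain,dc=org
objectClass: top
objectClass: groupofuniquenames
description: Group with full administrator access.
cn: orgFullAdminAccess
"""

# Constructed: what "memberof=cn=orgfulladminaccess,... dn" returned.
MEMBEROF_LDIF = """\
dn: uid=kacless,ou=employees,dc=domain,dc=org

dn: uid=morgan,ou=employees,dc=domain,dc=org
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr: [values]}).

    Handles folded continuation lines (leading space), comments and
    base64 values ("attr:: ..."); attribute names are lower-cased because
    LDAP attribute names are case-insensitive. "attr:< url" is not handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                  # sentinel blank ends last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """DN matching is case-insensitive and whitespace around RDN separators
    is insignificant. This naive split does not handle escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def memberof_drift(group_ldif, memberof_ldif, group_dn, member_attr="uniqueMember"):
    """Return (missing, stale) as sets of normalized member DNs."""
    target = normalize_dn(group_dn)
    members = set()
    for dn, attrs in parse_ldif(group_ldif):
        if normalize_dn(dn) == target:
            members.update(normalize_dn(v) for v in attrs.get(member_attr.lower(), []))
    claims = {normalize_dn(dn) for dn, _ in parse_ldif(memberof_ldif)}
    missing = members - claims    # listed in group, no memberOf on the entry
    stale = claims - members      # memberOf present, no longer in the group
    return missing, stale


if __name__ == "__main__":
    missing, stale = memberof_drift(
        GROUP_LDIF, MEMBEROF_LDIF, "cn=orgFullAdminAccess,ou=groups,dc=domain,dc=org")
    for dn in sorted(missing):
        print("MISSING memberOf:", dn)
    for dn in sorted(stale):
        print("STALE memberOf:  ", dn)
```

Run it against each master and each consumer separately: a member that is missing on the consumers but present on the masters points at the replication side (the fractional replication question in the reply), while one missing everywhere points at entries that predate the plugin being enabled and need the fix-up task.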