If you had your users and groups created before enabling memberOf, you'll
need to modify their group membership (per user, easiest would be to add
all to a temporary group then remove the group after memberOf populates) to
trigger memberOf creation. It only gets set on changes, and won't
autogenerate for existing memberships until a change occurs. It WILL
regenerate all memberships even if you change just one, so you can just
throw everyone into a group as I said to trigger it. There was a script in
some FDS / 389DS howto someplace that was supposed to background trigger
it, but I never got it to work.
On Tue, Sep 3, 2013 at 3:47 PM, Andy <racingyacht1(a)gmail.com> wrote:
Hi Rich,****
I had added the inetUser objectclass on the test cases of groups that
failed. I was wondering if I had incorrectly configured arguments of the
memberOf plugin. I will read the documentation again.****
** **
I should be done rebuilding my instance of 389 in an hour or so. ****
** **
*From:* Rich Megginson [mailto:rmeggins@redhat.com]
*Sent:* 03 September 2013 20:47
*To:* Andy
*Cc:* 'General discussion list for the 389 Directory server project.'
*Subject:* Re: [389-users] Membership of Roles****
** **
On 09/03/2013 01:22 PM, Andy wrote:****
Hi Rich,****
I am having the same problem with groups, so I am wondering if I have
groups configured correctly. Especially the configuration of the memberOf
plugin. ****
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Serv...
Especially this part: ****
6.1.4.2. Object Classes Which Support memberof Attributes****
The most common people object classes — such as inetorgperson and person— do not allow
the
*memberOf* attribute. To allow the MemberOf Plug-in to add the *memberOf*attribute to a
user entry, make sure that that entry belongs to the
inetUser object class, which does allow the *memberOf* attribute. ****
Similarly, if an attribute other than *memberOf* is used in the user
entry, then make sure that the user entry belongs to an object class that
allows that attribute. ****
****
I’m in the process of reconfiguring my instance of ldap, as it was
misbehaving after I tried out various configuration to get roles and groups
to work. ****
****
*From:* Rich Megginson [mailto:rmeggins@redhat.com <rmeggins(a)redhat.com>]
*Sent:* 03 September 2013 14:48
*To:* General discussion list for the 389 Directory server project.
*Cc:* Andy
*Subject:* Re: [389-users] Membership of Roles****
****
On 09/01/2013 05:50 AM, Andy wrote:****
Please find additional information on the configuration of the blog system
****
****
My configuration:****
****
AuthenticationModule LDAP****
LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail****
LDAPAuthBindDN cn=Directory Manager (will replace with application user
account once phase one integration is completed)****
LDAPAuthPassword xxxxxx****
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)****
ExternalUserManagement 1****
ExternalGroupManagement 1****
ExternalUserSyncFrequency 60****
LDAPGroupNameAttribute cn****
LDAPGroupIdAttribute nsUniqueId****
LDAPGroupFullNameAttribute cn****
LDAPGroupMemberAttribute memberof****
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com****
LDAPGroupFilter (objectclass=ldapSubEntry)****
LDAPUserIdAttribute uid****
LDAPUserEmailAttribute mail****
LDAPUserFullNameAttribute cn****
LDAPUserGroupMemberAttribute nsrole****
I think this is going to be problematic, and may not work at all. With
groups, there is an actual group entry, which lists all of the members.
With roles, the role entry does not list all of the members. So a query
like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))"
will not work because there is no role entry which lists it's members in a
"member" attribute.
If you can configure it to search all of the users, you might be able to
do a search like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(nsRole=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com)"
Roles will automatically populate each user's entry with the nsRole
attribute. This attribute lists all of the roles to which that user
belongs. nsRole is an operational attribute, so you must explicitly
request it on the command line if you want to see it (e.g. in an ldapsearch
command).
****
****
The default settings for OpenLDAP installations are:****
*Stage 1*****
* *****
*Authentication URL*****
ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail****
*Authentication DN*****
*Authentication Password*****
Password ****
*Test Username*****
Test email address****
*Test Password*****
Password for test user****
****
****
*Stage 2*****
* *****
Group Search Base Attribute****
dc=xxx,dc=com****
Group Filter Attribute****
(objectClass=groupOfUniqueNames)****
****
****
*Attributes*****
*OpenLDAP*****
User ID Attribute****
entryUUID****
Email Attribute****
mail****
User Fullname Attribute****
cn****
User Member Attribute****
uid****
GroupID Attribute****
entryUUID****
Group Name Attribute****
cn****
Group Fullname Attribute****
cn****
Group Member Attribute****
memberUid****
****
****
*From:* Andy [mailto:racingyacht1@gmail.com <racingyacht1(a)gmail.com>]
*Sent:* 31 August 2013 13:43
*To:* '389-users(a)lists.fedoraproject.org'
*Subject:* Membership of Roles****
****
Hello****
I am testing integration of 389-ds with a blogging system. I plan to use
roles instead of groups to automatically give users rights to service on
the blog system. However, I am having problems with the system identifying
members of roles. I need help with defining the correct search parameters
to identify which roles a uid or cn is a member of.****
****
From within the blog system I’m using LDAPGroupFilter
(objectclass=ldapSubEntry) to list the roles. The roles list correctly as
groups within the blog system. ****
From within 389 the members of roles are configured as filtered, and I can
see the configured members using the Directory Server GUI.****
****
The blog system is not identifying members of roles when it does its
search against 389. Note, users can log into the blog system using the
accounts created on 389. I don’t think I am applying the correct search
criteria to identify group membership. I need advice on creation of the
correct search criteria for membership of roles/groups. ****
****
****
Sample log from access****
****
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager"
method=128 version=3****
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"****
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(&(mail=testuser16(a)xxxx.com)(objectClass=*))"
attrs="distinguishedName"****
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1
etime=0****
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND
dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3****
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"****
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager"
method=128 version=3****
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"****
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(&(mail=testuser16(a)xxxx.com)(objectClass=*))"
attrs="uid
mail cn mail distinguishedName"****
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1
etime=0****
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com"
scope=2 filter="(|(uid=1000016))" attrs="nsRole"****
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1
etime=0****
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH
base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))"
attrs="cn cn member nsUniqueId"****
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0
etime=0****
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND****
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1****
****
****
****
--****
389 users mailing list****
389-users(a)lists.fedoraproject.org****
https://admin.fedoraproject.org/mailman/listinfo/389-users****
****
** **
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users