On Wednesday, 5 May 2010 14:31:01 Stuart Cherrington wrote:
> Hello again,
>
> Having successfully upgraded my LDAP install to 2.4.22 on Redhat 5.3 I've
> been looking at use of the 'slapo-memberof' schema as provided by
> openldap2.4-server package.
>
> The man page for slapo-memberof2.4 indicates I can use the 'memberof-dn'
> directive.

This relates to it being used in your slapd configuration. However, the man page is quite clear in that this directive isn't *that* useful (only affects operational attributes).

> So, I've updated my slapd.conf file to allow the 'moduleload
> memberof.la' to be used and restarted ldap2.4 services.

That is not sufficient, you would at least need:

overlay memberof

in the affected database. Additionally, note that the overlay only maintains the memberof attribute for *changes* to the member (or attribute specified by memberof-member-ad) attribute, the initial population is up to you (or, you could probably send trivial modifications to all your groupOfNames entries to force the overlay to update the attributes).

> On the client I
> have configured my ldap.conf without the memberof directive and it works
> fine, but when I use memberof I can no longer login.
>
> nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com
> Works fine
>
> nss_base_passwd
> ou=people,dc=ldn,dc=sw,dc=com?sub?memberof-dn=cn=access,ou=auth,dc=ldn,dc=
> sw,dc=com
> Fails to log me in.

Firstly, you should be using memberof=DN, not memberof-dn=DN, secondly, does your user have a matching attribute?

> I can see the people and auth OU's from the client using ldapsearch.

But, do these people have correct memberof attributes?

>
> Questions:
> What is the correct syntax for using the memberof-dn directive?

This is probably irrelevant.

> If the client does NOT have the openldap2.4-server package installed, does
> it pass the 'memberof-dn' directive to my LDAP server to be parsed?

Please consult the nss_ldap documentation for nss_base_passwd, but, typically, it should use the value you have supplied as a filter to a search operation.

Have you manually verified that the accounts you expect to be matched by your filter do, in fact, match the filter? For example, by using:

$ ldapsearch -x -b ou=people,dc=ldn,dc=sw,dc=com "(memberof-dn=cn=access,ou=auth,dc=ldn,dc=sw,dc=com)"

Note: I copied from your configuration, if your configuration is wrong, fix it, and re-paste the filter, to make sure you are testing what you have configured ....

Regards,
Buchan
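As an added illustration of the two checks in the reply above (does each user actually carry the memberof values its groups imply, and does the nss filter match anyone), here is a small offline audit script. It is not part of the thread or of OpenLDAP: it works on LDIF text of the kind ldapsearch prints, the uids and the second group are constructed sample data, and the group and people DNs reuse the ones from the thread. The "nudge" LDIF implements the trivial-modification idea Buchan mentions, rewriting each group's member list unchanged so the overlay sees a change and recomputes memberof itself, rather than writing the operational attribute directly.

```python
"""Offline audit of slapo-memberof state (added example, not from the thread).

Works on LDIF exported with ldapsearch. Sample data below is constructed;
the group/people DNs are the ones quoted in the thread.
"""
from collections import defaultdict

# Constructed sample dump of the groups (what ldapsearch on ou=auth would print).
SAMPLE_GROUPS = """\
dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
cn: access
member: uid=alice,ou=people,dc=ldn,dc=sw,dc=com
member: uid=bob,ou=people,dc=ldn,dc=sw,dc=com

dn: cn=admins,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=ldn,dc=sw,dc=com
"""

# Constructed sample dump of the users, requested with the operational attribute.
SAMPLE_USERS = """\
dn: uid=alice,ou=people,dc=ldn,dc=sw,dc=com
uid: alice
memberOf: cn=access,ou=auth,dc=ldn,dc=sw,dc=com

dn: uid=bob,ou=people,dc=ldn,dc=sw,dc=com
uid: bob

dn: uid=carol,ou=people,dc=ldn,dc=sw,dc=com
uid: carol
memberOf: cn=admins,ou=auth,dc=ldn,dc=sw,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns [(dn, {attr_lowercase: [values]}), ...].
    Handles blank-line separated entries, folded continuation lines and repeated
    attributes; comments and 'version:' are skipped. Base64 ('::') values are
    not decoded, which is fine for plain DNs."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        elif raw.strip() == "":
            if lines:
                entries.append(_entry(lines))
                lines = []
        elif not raw.startswith(("#", "version:")):
            lines.append(raw)
    return entries


def _entry(lines):
    dn, attrs = None, defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs[name.lower()].append(value.strip())
    return dn, dict(attrs)


def expected_memberof(group_entries, member_ad="member"):
    """Map each member DN (lowercased key) to the group DNs that list it."""
    want = defaultdict(list)
    for gdn, attrs in group_entries:
        for m in attrs.get(member_ad, []):
            want[m.lower()].append(gdn)
    return want


def audit_memberof(user_entries, want):
    """Return (missing, stale): users lacking a memberof value their groups imply,
    and users carrying a memberof value no group backs (stale access)."""
    missing, stale = {}, {}
    for dn, attrs in user_entries:
        have = attrs.get("memberof", [])
        have_l = {v.lower() for v in have}
        exp = want.get(dn.lower(), [])
        exp_l = {g.lower() for g in exp}
        gap = [g for g in exp if g.lower() not in have_l]
        extra = [g for g in have if g.lower() not in exp_l]
        if gap:
            missing[dn] = gap
        if extra:
            stale[dn] = extra
    return missing, stale


def filter_matches(user_entries, attr, value):
    """DNs an equality filter (attr=value) would return; shows why the
    'memberof-dn=' spelling from the thread matches nobody."""
    return [dn for dn, a in user_entries
            if value.lower() in {v.lower() for v in a.get(attr.lower(), [])}]


def nudge_ldif(group_entries, member_ad="member"):
    """LDIF for ldapmodify that re-writes each group's member list unchanged,
    the trivial modification the reply suggests to make the overlay populate."""
    chunks = []
    for gdn, attrs in group_entries:
        lines = [f"dn: {gdn}", "changetype: modify", f"replace: {member_ad}"]
        lines += [f"{member_ad}: {m}" for m in attrs.get(member_ad, [])]
        chunks.append("\n".join(lines) + "\n-\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    groups, users = parse_ldif(SAMPLE_GROUPS), parse_ldif(SAMPLE_USERS)
    missing, stale = audit_memberof(users, expected_memberof(groups))
    print("missing memberof:", missing)
    print("stale memberof:  ", stale)
    print("nss filter (memberof=...) matches:",
          filter_matches(users, "memberof", "cn=access,ou=auth,dc=ldn,dc=sw,dc=com"))
    print(nudge_ldif(groups))
```

To run it against a real directory, dump the groups and users with ldapsearch first; memberof is an operational attribute, so the user search must request it explicitly (for example by listing `memberOf` or `+` after the filter), otherwise the audit will report every user as missing. The stale list matters as much as the missing one: an nss filter on memberof grants login to whoever still carries the value, whether or not the group currently lists them.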
