<br><br><div class="gmail_quote">2009/5/22 John A. Sullivan III <span dir="ltr"><<a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Ah, I did not do that as I thought the filter would make the change to<br>
users with objectClass inetOrgPerson. </blockquote><div>No. The filter just searches what you have in your directory<br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I am virtually certain the users<br>
do not explicitly have inetUser as an object class. Are they supposed<br>
to?</blockquote><div>Yes. The set of the attributes that your entry can hold is defined by the classes listed in "objectClass". And the attribute memberOf is part of the "inetUser" objectClass.<br> </div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Is this done by default or is the need to add this object class to<br>
all users in order to use memberOf missing from the documentation (or<br>
overlooked by me!).</blockquote><div>No. It is not done by default, you need to add the "objectClass: inetUser" (or any other objectClass containing the memberOf attribute) to each user entry. You can make a small perl script that does for all your users something like<br>
<br>-------------<br>dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz<br>
changetype: modify<br>add: objectClass<br>objectClass: inetUser<br>-------------<br><br>You can test it with the GUI of the console for one or two user entries just to be sure the attribute memberOf works as you wish...<br><br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
objectClass: top<br>
objectClass: person<br>
objectClass: organizationalPerson<br>
objectClass: inetOrgPerson<br>
objectClass: posixAccount<br>
objectClass: account<br>
objectClass: posixgroup<br>
objectClass: shadowaccount<br>
</blockquote><div>The origin of your problem is the absence of "objectClass: inetUser", which is necessary to add the memberOf attribute to the entry...<br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Thanks - John<br>
<div><div></div><div class="h5"><br>
On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov wrote:<br>
> Can you show me the result of<br>
> /usr/lib64/mozldap/ldapsearch -b<br>
> "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory<br>
> Manager" -w - -h ldap uid=jasiii objectClass<br>
><br>
> It will list all the objectClasses of your entry. If "objectClass:<br>
> inetUser" is not present in the result of this search you should, as I<br>
> said in the previous message, add this objectClass to all the entries<br>
> you're going to manage with the memberOf plug-in, something like:<br>
><br>
> dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz<br>
> changetype: add<br>
> objectclass: inetUser<br>
><br>
><br>
> Hope it helps .<br>
><br>
><br>
><br>
> 2009/5/22 John A. Sullivan III <<a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a>><br>
> I'm starting to feel really stupid here - still not working.<br>
><br>
> I thought the filter must be the problem for sure. I assumed from the<br>
> documentation that no filter meant the task would add the attribute for<br>
> everything that could take a memberOf attribute. I did not realize it<br>
> defaulted to inetuser. So I recreated the task with a filter of<br>
> (objectClass=inetOrgPerson) but it still did not seem to work.<br>
><br>
> I thought perhaps I was doing ldapmodify wrong (enter the parameters,<br>
> double enter, then CTL D) so I edited the fixup-memberof.pl script<br>
> according to Rich's instructions. It ran without error (by the way, it<br>
> reflects the admin password when using -w - !!!). But still no success.<br>
><br>
> Perhaps I am checking incorrectly. I did not expect to see memberOf<br>
> listed as an attribute in the advanced console screen for the user since<br>
> it is a managed attribute. But I did try to view it with an ldapsearch:<br>
><br>
> It should be visible as an attribute you can add (provided your entry<br>
> has "objectClass: inetUser")<br>
><br>
> /usr/lib64/mozldap/ldapsearch -b<br>
> "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory<br>
> Manager" -w - -h ldap uid=jasiii memberOf<br>
><br>
> Is this how I would check for success?<br>
><br>
> There is nothing suspicious in the error log. I do have the audit log<br>
> enabled. I see the creation and automatic deletion of the task but I do<br>
> not see any changes to objects to add and populate the memberOf<br>
> attribute. I'll paste in some excerpts below.<br>
><br>
> What next? Thanks - John<br>
><br>
> time: 20090520221132<br>
> dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
> changetype: add<br>
><br>
> objectClass: top<br>
> objectClass: extensibleObject<br>
> cn: fixMemberOf<br>
> basedn: o=Internal,dc=ssiservices,dc=biz<br>
><br>
> creatorsName: cn=xxxx<br>
> modifiersName: cn=xxx<br>
> createTimestamp: 20090521021132Z<br>
> modifyTimestamp: 20090521021132Z<br>
><br>
> time: 20090520221333<br>
> dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config<br>
> changetype: delete<br>
> modifiersname: cn=server,cn=plugins,cn=config<br>
><br>
> time: 20090520222242<br>
> dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
> changetype: add<br>
><br>
> objectClass: top<br>
> objectClass: extensibleObject<br>
> cn: fixMemberOf<br>
> basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz<br>
> creatorsName: cn=xxxx<br>
> modifiersName: cn=xxxx<br>
> createTimestamp: 20090521022242Z<br>
> modifyTimestamp: 20090521022242Z<br>
><br>
> time: 20090520222442<br>
> dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config<br>
> changetype: delete<br>
> modifiersname: cn=server,cn=plugins,cn=config<br>
><br>
> .<br>
> .<br>
> .<br>
> time: 20090521183523<br>
> dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task,<br>
> cn=tasks,<br>
> cn=config<br>
> changetype: add<br>
> objectClass: top<br>
> objectClass: extensibleObject<br>
> cn: memberOf_fixup_2009_5_21_18_35_23<br>
> basedn: o=Internal,dc=ssiservices,dc=biz<br>
><br>
> filter: (objectClass=inetOrgPerson)<br>
> creatorsName: cn=xxxx<br>
> modifiersName: cn=xxxx<br>
> createTimestamp: 20090521223523Z<br>
> modifyTimestamp: 20090521223523Z<br>
><br>
> time: 20090521183724<br>
> dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof<br>
> task,cn=tasks,cn=config<br>
><br>
> changetype: delete<br>
> modifiersname: cn=server,cn=plugins,cn=config<br>
><br>
> time: 20090521185804<br>
> dn: cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot<br>
> changetype: modify<br>
> replace: nsPreference<br>
> nsPreference:: IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==<br>
> -<br>
> replace: modifiersname<br>
> modifiersname: cn=xxxxx<br>
> -<br>
> replace: modifytimestamp<br>
> modifytimestamp: 20090521225804Z<br>
> -<br>
><br>
><br>
> On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote:<br>
> ><br>
> > 2009/5/21 John A. Sullivan III <<a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a>><br>
> > Thank you, Andrey. I did do an updatedb and then locate - no<br>
> > fixup-memberOf.pl - just template.fixup-memberOf.pl :-(<br>
> ><br>
> > It is very strange. Normally during the server installation the<br>
> > template should be converted to the "normal" perl script.<br>
> ><br>
> > Have you verified the configuration of the memberOf plugin, especially<br>
> > the arguments/attributes "memberofgroupattr" and "memberofattr"?<br>
> ><br>
> > Unless I'm missing something, your ldapmodify looks just like mine<br>
> > except for the cn (I believe the documentation says it can be called<br>
> > anything) and I did not use a filter (again, I believe the documentation<br>
> > says it is optional and our DIT is still rather small).<br>
> ><br>
> > If you do not put the filter into the ldif then the default filter is<br>
> > used: "(objectClass=inetuser)". Do all your user entries include this<br>
> > objectClass (inetuser)? If not, you should add this objectClass to all<br>
> > the entries where you want the memberOf attribute to appear.<br>
> ><br>
> > I did create a new group and add myself to it as you suggested (thank<br>
> > you). Surprisingly, it did not appear to work. I did not see a<br>
> > memberOf attribute populated for me. I then thought I would see if I<br>
> > need to manually add that attribute to each user (I hope not!) and I did<br>
> > not see memberOf as an attribute I could add to my user object.<br>
> ><br>
> > No. You should not add it manually, the memberOf attribute is<br>
> > maintained automatically based on the group membership.<br>
> ><br>
> > Do you see any message in the error log? There should be something about<br>
> > the impossibility to write the memberof attribute, I think.<br>
> > If you cannot add this attribute manually to your entry it means that<br>
> > your entry does not contain "objectClass: inetuser". Add this<br>
> > objectClass to all the entries that should be "managed" by the plug-in<br>
> > to allow the attribute memberOf to be written to those entries.<br>
> ><br>
> > I have verified that the plugin is defined in dse.ldif and it is<br>
> > enabled. I also see memberOf defined in 20subscriber.ldif and did not<br>
> > see anything in the documentation about needing to extend the schema.<br>
> ><br>
> > No, you don't need to extend the schema but you need to make sure that<br>
> > your entries include the objectClass "inetuser":<br>
> ><br>
> > objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC<br>
> > 'Auxiliary class which must be present in an entry for delivery of<br>
> > subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $<br>
> > inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape<br>
> > subscriber interoperability' )<br>
> ><br>
> > So, at this point, I am still at a loss for what I did wrong. What do I<br>
> > check next? Thanks - John<br>
> ><br>
> > Try to add the "objectClass: inetuser" to the entries concerned and<br>
> > take a closer look at the "errors" log file.<br>
> ><br>
> > @+<br>
> ><br>
> > On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:<br>
> > > Hi,<br>
> > ><br>
> > > there are two things to be verified and/or taken into account:<br>
> > > * the pair of the attributes that is maintained (the arguments<br>
> > > "memberofgroupattr" and "memberofattr" of the plug-in)<br>
> > > * presence of these two attributes in the classes of your users and<br>
> > > groups<br>
> > ><br>
> > > To find fixup-memberof.pl try "locate fixup-memberof.pl".<br>
> > ><br>
> > > To launch it manually you need to add something like that to the<br>
> > > server (with ldapmodify):<br>
> > > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config<br>
> > > changetype: add<br>
> > > objectclass: top<br>
> > > objectclass: extensibleObject<br>
> > > cn: memberOf_fixup_2009_5_21_12_39_21<br>
> > > basedn: dc=example,dc=com<br>
> > > filter: (objectClass=inetOrgPerson)<br>
> > ><br>
> > > As for your account, you may remove/add yourself from a group to see<br>
> > > if it changes the memberof attribute. Verify the objectClass of your<br>
> > > entry and make sure the attribute memberOf is an optional attribute of<br>
> > > at least one of these objectClasses...<br>
> > ><br>
> > > 2009/5/21 John A. Sullivan III <<a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a>><br>
> > > Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've<br>
> > > hit a few glitches along the way but most has gone well. However, we<br>
> > > wanted to implement the new memberOf functionality. We successfully<br>
> > > added the plugin by editing dse.ldif and enabled it from the console.<br>
> > > However, we've been unsuccessful in having existing group membership<br>
> > > assigned to the memberOf attribute.<br>
> > ><br>
> > > We first tried to run fixup-memberOf.pl but the script does not exist.<br>
> > > There is a template.fixup-memberOf.pl but this does not seem to have<br>
> > > been built into a final script.<br>
> > ><br>
> > > We then thought we would use the new task feature of the console. We<br>
> > > went to cn=memberof task,cn=tasks,cn=config and tried to create the task<br>
> > > object. There was no nsDirectoryServerTask objectclass. We added an<br>
> > > nstask but then found there was no basedn attribute we could add. We<br>
> > > then created an extensibleobject instead but still no basedn attribute.<br>
> > ><br>
> > > Finally, we resorted to ldapmodify (we hesitated just because we are not<br>
> > > very familiar with the command line tools). First, we did:<br>
> > ><br>
> > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
> > > changetype: add<br>
> > > objectclass: top<br>
> > > objectclass: extensibleObject<br>
> > > cn: fixMemberOf<br>
> > > basedn: o=Internal,dc=ssiservices,dc=biz<br>
> > ><br>
> > > The Internal Organization has several organizations under it (for<br>
> > > various clients) and then user organizational units under those<br>
> > > organizations. Although it generated no errors, it did not seem to<br>
> > > work. Perhaps I just don't know how to test it. However, the following<br>
> > > did not return any memberOf data:<br>
> > ><br>
> > > /usr/lib64/mozldap/ldapsearch -b<br>
> > > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory<br>
> > > Manager" -w - -h ldap uid=myid memberOf<br>
> > ><br>
> > > Doing /usr/lib64/mozldap/ldapsearch -b<br>
> > > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory<br>
> > > Manager" -w - -h ldap uid=myid<br>
> > > showed me plenty of attributes but nothing for memberOf<br>
> > ><br>
> > > I also tried creating the task with a basedn of<br>
> > > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not<br>
> > > change objects lower in the tree. Still no success.<br>
> > ><br>
> > > Finally I tried:<br>
> > ><br>
> > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
> > > changetype: add<br>
> > > objectclass: top<br>
> > > objectclass: nsDirectoryServerTask<br>
> > > cn: fixMemberOf<br>
> > > basedn: o=Internal,dc=ssiservices,dc=biz<br>
> > ><br>
> > > adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
> > > ldap_add: Object class violation<br>
> > > ldap_add: additional info: unknown object class "nsDirectoryServerTask"<br>
> > ><br>
> > > And received the expected unknown object class error.<br>
> > ><br>
> > > What are we doing wrong? Are these documentation bugs? Are there<br>
> > > application bugs or do we simply not know what we are doing with tasks<br>
> > > and memberOf? How do we get the memberOf information into our existing<br>
> > > user objects? Thanks - John<br>
> > ><br>
> > > --<br>
> > > John A. Sullivan III<br>
> > > Open Source Development Corporation<br>
> > > +1 207-985-7880<br>
> > > <a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a><br>
> > ><br>
> > > <a href="http://www.spiritualoutreach.com" target="_blank">http://www.spiritualoutreach.com</a><br>
> > > Making Christianity intelligible to secular society<br>
> > ><br>
> > > --<br>
> > > Fedora-directory-users mailing list<br>
> > > <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a><br>
> > > <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>
</div></div></blockquote></div><br>
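<div>The fix the thread arrives at is to add an auxiliary objectClass that allows memberOf (inetUser) to every user entry before running the fixup task, because the task's default filter is (objectClass=inetuser) and entries without such a class cannot hold the attribute at all. The script below is an added example, not code from this thread or from the Directory Server project: it parses the LDIF that ldapsearch prints (unfolding continuation lines and decoding base64 "::" values), lists the entries whose objectClass values include none of the classes that allow memberOf, and writes the "changetype: modify" LDIF that ldapmodify needs to add inetUser to them. The three sample entries under o=example, the SAMPLE_BASE64_ENTRY value and the MEMBEROF_CLASSES set are constructed for the example; the input it expects is what the ldapsearch command quoted in the thread prints when objectClass is the requested attribute.</div>

```python
"""Added example (not from the thread or the Directory Server project): parse an
ldapsearch LDIF result, find entries with no auxiliary class that allows memberOf,
and emit the ldapmodify LDIF that adds inetUser to them."""
import base64
import sys

# Auxiliary classes whose MAY list includes memberOf, lowercased because LDAP
# matches objectClass values case-insensitively. inetUser is the class quoted in
# the thread; extend the set if your schema has another class allowing memberOf.
MEMBEROF_CLASSES = {"inetuser"}

# Constructed sample of `ldapsearch -b <base> "(objectClass=inetOrgPerson)" objectClass`
# output: alice lacks inetUser, bob has it, carol's dn is folded over two lines
# (an LDIF continuation line starts with a single space).
SAMPLE_LDIF = """\
version: 1
dn: uid=alice,ou=Desks,o=example,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount

dn: uid=bob,ou=Desks,o=example,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: inetUser

dn: uid=carol,ou=Desks,o=example,dc=exam
 ple,dc=com
objectClass: top
objectClass: inetOrgPerson
"""

# Constructed sample with a base64 dn ("dn::"), which ldapsearch emits for non-ASCII values.
SAMPLE_BASE64_ENTRY = (
    "dn:: " + base64.b64encode("uid=d\u00e9,dc=example,dc=com".encode("utf-8")).decode("ascii")
    + "\nobjectClass: top\nobjectClass: inetOrgPerson\n"
)


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] for every entry in the LDIF text."""
    lines = []  # unfold continuation lines before parsing
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):  # ldapsearch comment lines
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "version":
            continue
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def entries_missing_memberof_class(entries):
    """DNs whose objectClass values include none of MEMBEROF_CLASSES."""
    missing = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes & MEMBEROF_CLASSES:
            missing.append(dn)
    return missing


def fixup_ldif(dns, aux_class="inetUser"):
    """ldapmodify LDIF adding aux_class to each dn. It must be 'changetype: modify'
    with 'add: objectClass'; 'changetype: add' is rejected for an existing entry."""
    return "\n".join(
        "dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: %s\n" % (dn, aux_class)
        for dn in dns
    )


if __name__ == "__main__":
    # python3 check_memberof.py users.ldif > fixup.ldif ; without an argument the sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    missing = entries_missing_memberof_class(parse_ldif(text))
    sys.stderr.write("%d entries lack a class that allows memberOf\n" % len(missing))
    sys.stdout.write(fixup_ldif(missing))
```

<div>Save the ldapsearch output to a file, run the script on it, review the generated LDIF, feed it to ldapmodify, and only then create the fixup task again: the records use modify with add: objectClass rather than changetype: add because the server rejects an add for an entry that already exists. Comparing objectClass values in lowercase matters because the thread mixes "inetUser" and "inetuser", and the server treats them as the same value.</div>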