Can you show me the result of <br>/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii objectClass<br><br>It will list all the objectClasses of your entry. If "objectClass: inetUser" is not present in the result of this search you should, as I said in the previous message, add this objectClass to all the entries you're going to manage with the memberOf plug-in, something like:<br>
<br>dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz<div class="gmail_quote"><div class="im">
changetype: modify<br>add: objectClass<br>objectClass: inetUser<br></div></div><br>Hope it helps.<br><br><br><br><div class="gmail_quote">2009/5/22 John A. Sullivan III <span dir="ltr"><<a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I'm starting to feel really stupid here - still not working.<br>
<br>
I thought the filter must be the problem for sure. I assumed from the<br>
documentation that no filter meant the task would add the attribute for<br>
everything that could take a memberOf attribute. I did not realize it<br>
defaulted to inetuser. So I recreated the task with a filter of<br>
(objectClass=inetOrgPerson) but it still did not seem to work.<br>
<br>
I thought perhaps I was doing ldapmodify wrong (enter the parameters,<br>
double enter, then CTL D) so I edited the fixup-memberof.pl script<br>
according to Rich's instructions. It ran without error (by the way, it<br>
reflects the admin password when using -w - !!!). But still no success.<br>
<br>
Perhaps I am checking incorrectly. I did not expect to see memberOf<br>
listed as an attribute in the advanced console screen for the user since<br>
it is a managed attribute. But I did try to view it with an ldapsearch:</blockquote><div>It should be visible as an attribute you can add (provided your entry has "objectClass: inetUser")<br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<div class="im"><br>
/usr/lib64/mozldap/ldapsearch -b<br>
</div>"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory<br>
Manager" -w - -h ldap uid=jasiii memberOf<br>
<br>
Is this how I would check for success?<br>
<br>
There is nothing suspicious in the error log. I do have the audit log<br>
enabled. I see the creation and automatic deletion of the task but I do<br>
not see any changes to objects to add and populate the memberOf<br>
attribute. I'll paste in some excerpts below.<br>
<br>
What next? Thanks - John<br>
<br>
time: 20090520221132<br>
<div class="im">dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
changetype: add<br>
</div>objectClass: top<br>
objectClass: extensibleObject<br>
<div class="im">cn: fixMemberOf<br>
basedn: o=Internal,dc=ssiservices,dc=biz<br>
</div>creatorsName: cn=xxxx<br>
modifiersName: cn=xxx<br>
createTimestamp: 20090521021132Z<br>
modifyTimestamp: 20090521021132Z<br>
<br>
time: 20090520221333<br>
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config<br>
changetype: delete<br>
modifiersname: cn=server,cn=plugins,cn=config<br>
<br>
time: 20090520222242<br>
<div class="im">dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
changetype: add<br>
</div>objectClass: top<br>
objectClass: extensibleObject<br>
cn: fixMemberOf<br>
basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz<br>
creatorsName: cn=xxxx<br>
modifiersName: cn=xxxx<br>
createTimestamp: 20090521022242Z<br>
modifyTimestamp: 20090521022242Z<br>
<br>
time: 20090520222442<br>
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config<br>
changetype: delete<br>
modifiersname: cn=server,cn=plugins,cn=config<br>
<br>
.<br>
.<br>
.<br>
time: 20090521183523<br>
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks,<br>
cn=config<br>
changetype: add<br>
objectClass: top<br>
objectClass: extensibleObject<br>
cn: memberOf_fixup_2009_5_21_18_35_23<br>
<div class="im">basedn: o=Internal,dc=ssiservices,dc=biz<br>
</div>filter: (objectClass=inetOrgPerson)<br>
creatorsName: cn=xxxx<br>
modifiersName: cn=xxxx<br>
createTimestamp: 20090521223523Z<br>
modifyTimestamp: 20090521223523Z<br>
<br>
time: 20090521183724<br>
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof<br>
<div class="im">task,cn=tasks,cn=config<br>
</div>changetype: delete<br>
modifiersname: cn=server,cn=plugins,cn=config<br>
<br>
time: 20090521185804<br>
dn:<br>
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=<a href="http://ssiservices.biz" target="_blank">ssiservices.biz</a>,o=netscaperoot<br>
changetype: modify<br>
replace: nsPreference<br>
nsPreference::<br>
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3<br>
<br>
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==<br>
-<br>
replace: modifiersname<br>
modifiersname: cn=xxxxx<br>
-<br>
replace: modifytimestamp<br>
modifytimestamp: 20090521225804Z<br>
-<br>
<div><div></div><div class="h5"><br>
On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote:<br>
><br>
><br>
> 2009/5/21 John A. Sullivan III <<a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a>><br>
> Thank you, Andrey. I did do an updatedb and then locate - no<br>
> fixup-member0f.pl - just <a href="http://template.fixup-memberOf.pl" target="_blank">template.fixup-memberOf.pl</a> :-(<br>
> It is very strange. Normally during the server installation the<br>
> template should be converted to the "normal" perl script.<br>
><br>
> Have you verified the configuration of the memberOf plugin, especially<br>
> the arguments/attributes "memberofgroupattr" and "memberofattr" ?<br>
><br>
><br>
><br>
><br>
><br>
><br>
> Unless I'm missing something, your ldapmodify looks just like mine<br>
> except for the cn (I believe the documentation says it can be called<br>
> anything) and I did not use a filter (again, I believe the documentation<br>
> says it is optional and our dit is still rather small).<br>
> If you do not put the filter into the ldif then the default filter is<br>
> used : "(objectClass=inetuser)". Do all your user entries include this<br>
> objectClass (inetuser)? If not, you should add this objectClass to all<br>
> the entries where you want the memberOf attribute to appear.<br>
><br>
><br>
><br>
><br>
> I did create a new group and add myself to it as you suggested (thank<br>
> you). Surprisingly, it did not appear to work. I did not see a<br>
> memberOf attribute populated for me. I then thought I would see if I<br>
> need to manually add that attribute to each user (I hope not!) and I did<br>
> not see memberOf as an attribute I could add to my user object.<br>
><br>
> No. You should not add it manually, the memberOf attribute is<br>
> maintained automatically based on the group membership.<br>
><br>
> Do you see any message in error log? There should be something about<br>
> the impossibility to write the memberof attribute I think.<br>
> If you cannot add this attribute manually to your entry it means that<br>
> your entry does not contain "objectClass: inetuser". Add this<br>
> objectClass to all the entries that should be "managed" by the plug-in<br>
> to allow the attribute memberOf to be written to those entries.<br>
><br>
><br>
><br>
><br>
> I have verified that the plugin is defined in dse.ldif and it is<br>
> enabled. I also see memberOf defined in 20subscriber.ldif and did not<br>
> see anything in the documentation about needing to extend the schema.<br>
> No, you don't need to extend the schema but you need to make sure that<br>
> your entries include the objectClass "inetuser":<br>
><br>
> objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC<br>
> 'Auxiliary class which must be present in an entry for delivery of<br>
> subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $<br>
> inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape<br>
> subscriber interoperability' )<br>
><br>
><br>
><br>
><br>
><br>
> So, at this point, I am still at a loss for what I did wrong. What do I<br>
> check next? Thanks - John<br>
> Try to add the "objectClass: inetuser" to the entries concerned and<br>
> take a closer look at the "errors" log file.<br>
><br>
> @+<br>
><br>
><br>
><br>
><br>
><br>
> On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:<br>
> > Hi,<br>
> ><br>
> > there are two things to be verified and/or taken into account:<br>
> > * the pair of the attributes that is maintained (the arguments<br>
> > "memberofgroupattr" and "memberofattr" of the plug-in)<br>
> > * presence of these two attributes in the classes of your users and<br>
> > groups<br>
> ><br>
> > To find fixup-memberof.pl try "locate fixup-memberof.pl".<br>
> ><br>
> > To launch it manually you need to add something like that to the<br>
> > server (with ldapmodify):<br>
> > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config<br>
> > changetype: add<br>
> > objectclass: top<br>
> > objectclass: extensibleObject<br>
> > cn: memberOf_fixup_2009_5_21_12_39_21<br>
> > basedn: dc=example,dc=com<br>
> > filter: (objectClass=inetOrgPerson)<br>
> ><br>
> ><br>
> > As for your account, you may remove/add yourself from a group to see<br>
> > if it changes the memberof attribute. Verify the objectClass of your<br>
> > entry and make sure the attribute memberOf is an optional attribute of<br>
> > at least one of these objectClasses...<br>
> ><br>
> ><br>
> ><br>
> > 2009/5/21 John A. Sullivan III <<a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a>><br>
> > Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've<br>
> > hit a few glitches along the way but most has gone well. However, we<br>
> > wanted to implement the new memberOf functionality. We successfully<br>
> > added the plugin by editing dse.ldif and enabled it from the console.<br>
> > However, we've been unsuccessful in having existing group membership<br>
> > assigned to the memberOf attribute.<br>
> ><br>
> > We first tried to run fixup-memberOf.pl but the script does not exist.<br>
> > There is a <a href="http://template.fixup-memberOf.pl" target="_blank">template.fixup-memberOf.pl</a> but this does not seem to have<br>
> > been built into a final script.<br>
> ><br>
> > We then thought we would use the new task feature of the console. We<br>
> > went to cn=memberof task,cn=tasks,cn=config and tried to create the task<br>
> > object. There was no nsDirectoryServerTask objectclass. We added an<br>
> > nstask but then found there was no basedn attribute we could add. We<br>
> > then created an extensibleobject instead but still no basedn attribute.<br>
> ><br>
> > Finally, we resorted to ldapmodify (we hesitated just because we are not<br>
> > very familiar with the command line tools). First, we did:<br>
> ><br>
> > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
> > changetype: add<br>
> > objectclass: top<br>
> > objectclass: extensibleObject<br>
> > cn: fixMemberOf<br>
> > basedn: o=Internal,dc=ssiservices,dc=biz<br>
> ><br>
> > The Internal Organization has several organizations under it (for<br>
> > various clients) and then user organizational units under those<br>
> > organizations. Although it generated no errors, it did not seem to<br>
> > work. Perhaps I just don't know how to test it. However, the following<br>
> > did not return any memberOf data:<br>
> ><br>
> > /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid memberOf<br>
> ><br>
> > Doing /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid<br>
> > showed me plenty of attributes but nothing for memberOf<br>
> ><br>
> > I also tried creating the task with a basedn of<br>
> > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not<br>
> > change objects lower in the tree. Still no success.<br>
> ><br>
> > Finally I tried:<br>
> ><br>
> > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
> > changetype: add<br>
> > objectclass: top<br>
> > objectclass: nsDirectoryServerTask<br>
> > cn: fixMemberOf<br>
> > basedn: o=Internal,dc=ssiservices,dc=biz<br>
> ><br>
> > adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config<br>
> > ldap_add: Object class violation<br>
> > ldap_add: additional info: unknown object class "nsDirectoryServerTask"<br>
> ><br>
> > And received the expected unknown object class error.<br>
> ><br>
> > What are we doing wrong? Are these documentation bugs? Are there<br>
> > application bugs or do we simply not know what we are doing with tasks<br>
> > and memberOf? How do we get the memberOf information into our existing<br>
> > user objects? Thanks - John<br>
> ><br>
> ><br>
> > --<br>
> > John A. Sullivan III<br>
> > Open Source Development Corporation<br>
> > +1 207-985-7880<br>
> > <a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a><br>
> ><br>
> > <a href="http://www.spiritualoutreach.com" target="_blank">http://www.spiritualoutreach.com</a><br>
> > Making Christianity intelligible to secular society<br>
> ><br>
> > --<br>
> > Fedora-directory-users mailing list<br>
> > <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a><br>
> ><br>
> <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>
> ><br>
><br>
> --<br>
><br>
> John A. Sullivan III<br>
> Open Source Development Corporation<br>
> +1 207-985-7880<br>
> <a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a><br>
><br>
> <a href="http://www.spiritualoutreach.com" target="_blank">http://www.spiritualoutreach.com</a><br>
> Making Christianity intelligible to secular society<br>
><br>
--<br>
John A. Sullivan III<br>
Open Source Development Corporation<br>
+1 207-985-7880<br>
<a href="mailto:jsullivan@opensourcedevel.com">jsullivan@opensourcedevel.com</a><br>
<br>
<a href="http://www.spiritualoutreach.com" target="_blank">http://www.spiritualoutreach.com</a><br>
Making Christianity intelligible to secular society<br>
<br>
</div></div></blockquote></div><br>
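Added example, not part of the original thread: a Python helper that reads the LDIF printed by an `ldapsearch ... objectClass` query like the one at the top of this message and emits `changetype: modify` records adding `inetUser` to every entry that lacks it. The entries under dc=example,dc=com are constructed sample data, and the function names `parse_ldif` and `inetuser_fix_ldif` are hypothetical.

```python
import base64
import re
import sys

# Constructed sample of ldapsearch LDIF output (not taken from the thread).
SAMPLE = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetorgperson
objectClass: inetuser

dn: uid=carol,ou=People,
 dc=example,dc=com
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased names to value lists."""
    text = re.sub(r"\r?\n ", "", text)          # unfold wrapped LDIF lines
    dn, attrs = None, {}
    for line in text.splitlines() + [""]:       # trailing blank flushes last entry
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())

def inetuser_fix_ldif(text, needed="inetUser"):
    """Build modify records for entries whose objectClass list lacks `needed`."""
    records = []
    for dn, attrs in parse_ldif(text):
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if needed.lower() not in classes:       # objectClass names are case-insensitive
            dn_line = f"dn: {dn}" if dn.isascii() else "dn:: " + base64.b64encode(dn.encode()).decode()
            records.append(f"{dn_line}\nchangetype: modify\n"
                           f"add: objectClass\nobjectClass: {needed}\n")
    return "\n".join(records)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(inetuser_fix_ldif(text))
```

Save the output of the `ldapsearch ... objectClass` query to a file, pass its path as the first argument, and review the generated records before feeding them to `ldapmodify`.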