<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello everybody and thanks for all the help.<br>
<br>
For the record, we have Centos Directory Server 8.1.0.<br>
<br>
I've enabled memberof using the three steps listed below.<br>
<br>
If it's of any help (for step #2):<br>
<tt><br>
</tt>
<blockquote><tt>./ldapmodify -P "$DIR/scripts/cert8.db" -c -h
${DEST_HOST} -p ${DEST_PORT} -D "${DEST_BIND}" -w "$DESTDN_PASSWORD"
&lt;&lt;EOF</tt><br>
<tt>dn: uid=${TGI},ou=People,${DEST_SUFFIX}</tt><br>
<tt>changetype: modify</tt><br>
<tt>add: objectClass</tt><br>
<tt>objectClass: inetuser</tt><br>
<br>
<tt>EOF</tt><br>
</blockquote>
I made the following change to template-fixup-memberof.pl:<br>
<blockquote>
<blockquote><tt># Following line changed by
<a class="moz-txt-link-abbreviated" href="mailto:david.donnan@thalesgroup.com">david.donnan@thalesgroup.com</a></tt><br>
<tt># open(FOO, "| ldapmodify $vstr -h {{SERVER-NAME}} -p
{{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );</tt><br>
<tt> open(FOO, "| ldapmodify $vstr -h localhost -p {{SERVER-PORT}}
-D \"$rootdn\" -w \"$passwd\" -a" );</tt><br>
</blockquote>
</blockquote>
I've performed a test whereby I've just deleted someone and then added
them again with additional groups. LDAP however did not update.<br>
It updated, however, when I ran template-fixup-memberof.pl.<br>
<br>
Question 1: Have I understood that I should put
template-fixup-memberof.pl into a crontab? Are there performance
concerns?<br>
<br>
Thanks again, Dave<br>
---------<br>
<br>
Nathan Kinder wrote
<blockquote cite="mid:4A1C23CC.206@redhat.com" type="cite">John A.
Sullivan III wrote:
<br>
<blockquote type="cite">Very interesting. The shipping dse.ldif
which the instructions say to
<br>
use as a template to edit the 8.0 dse.ldif has memberofgroupattr:
member
<br>
<br>
dn: cn=MemberOf Plugin,cn=plugins,cn=config
<br>
objectClass: top
<br>
objectClass: nsSlapdPlugin
<br>
objectClass: extensibleObject
<br>
cn: MemberOf Plugin
<br>
nsslapd-pluginpath: libmemberof-plugin
<br>
nsslapd-plugininitfunc: memberof_postop_init
<br>
nsslapd-plugintype: postoperation
<br>
nsslapd-pluginenabled: off
<br>
nsslapd-plugin-depends-on-type: database
<br>
memberOfGroupAttr: member
<br>
memberOfAttr: memberOf
<br>
<br>
When I changed it to uniqueMember, it worked!
<br>
<br>
So it looks like there are several issues/errors/bugs in the
<br>
instructions and procedures for upgrading from 8.0 to 8.1
<br>
<br>
1. The memberOf plugin is enabled by default and needs to be
<br>
manually enabled (not really a bug but it is mentioned nowhere
<br>
in the docs that I saw)
<br>
2. One must manually add the inetuser to each object with which
one
<br>
wishes to use the plugin. This does not appear to be a default
<br>
objectClass for user creation - at least in 8.0
<br>
</blockquote>
It all depends on how you provision your users, and what attributes you
are using (they don't have to be "member" and
<br>
"memberOf"). It is up to the administrator to use the proper
objectclass that allows the attribute defined as the "memberOfAttr"
<br>
config value in the member entries.
<br>
<blockquote type="cite"> 3. One must change the default
memberofgroupattr from member to
<br>
uniqueMember
<br>
</blockquote>
This is going to depend on the attribute you use to define grouping.
Some use the "groupOfNames" objectclass for a group
<br>
entry, which uses the "member" attribute to define members. It appears
that you are using "groupOfUniqueNames", which
<br>
uses "uniqueMember". The memberOf plug-in allows you to use whatever
attributes you want for both the grouping attribute
<br>
as well as the membership attribute. In fact, the plug-in could be
used for things completely unrelated to membership.
<br>
<blockquote type="cite"> 4. The fixup-memberof.pl script is not
generated from the template.
<br>
</blockquote>
Yes, this appears to be a bug related to in-place upgrades. Please
file a bug on this.
<br>
<blockquote type="cite">Thanks very much for your help - John
<br>
<br>
On Tue, 2009-05-26 at 09:38 +0200, Andrey Ivanov wrote:
<br>
<blockquote type="cite">If it still doesn't work, it's a matter of
the plug-in configuration
<br>
and presence. Verify your dse.ldif. You should have something like
<br>
<br>
dn: cn=MemberOf Plugin,cn=plugins,cn=config
<br>
objectClass: top
<br>
objectClass: nsSlapdPlugin
<br>
objectClass: extensibleObject
<br>
cn: MemberOf Plugin
<br>
nsslapd-pluginPath: libmemberof-plugin
<br>
nsslapd-pluginInitfunc: memberof_postop_init
<br>
nsslapd-pluginType: postoperation
<br>
nsslapd-pluginEnabled: on
<br>
nsslapd-plugin-depends-on-type: database
<br>
memberofgroupattr: uniqueMember
<br>
memberofattr: memberOf
<br>
nsslapd-pluginId: memberof
<br>
nsslapd-pluginVersion: 1.2.0
<br>
nsslapd-pluginVendor: Fedora Project
<br>
nsslapd-pluginDescription: memberof plugin
<br>
<br>
<br>
The important parameters are:
<br>
nsslapd-pluginEnabled: on
<br>
memberofgroupattr: uniqueMember
<br>
memberofattr: memberOf
<br>
<br>
Other than that you may have the plug-in binaries missing...
<br>
<br>
2009/5/25 John A. Sullivan III <a class="moz-txt-link-rfc2396E" href="mailto:jsullivan@opensourcedevel.com">&lt;jsullivan@opensourcedevel.com&gt;</a>
<br>
Hmm . . . this made perfect sense and I thought it would be
<br>
the end of
<br>
my problems for sure. However, I added inetUser, ran
<br>
fixup_memberof.pl
<br>
and still see no memberOf populated attribute even if I ask
<br>
for it
<br>
explicitly:
<br>
[root@ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
<br>
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
<br>
"cn=Directory Manager" -w - -h ldap01 uid=jasiii
<br>
Enter bind password:
<br>
version: 1
<br>
dn:
<br>
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
<br>
objectClass: top
<br>
objectClass: person
<br>
objectClass: organizationalPerson
<br>
objectClass: inetOrgPerson
<br>
objectClass: posixAccount
<br>
objectClass: account
<br>
objectClass: posixgroup
<br>
objectClass: shadowaccount
<br>
objectClass: inetuser
<br>
physicalDeliveryOfficeName: Kennebunk
<br>
telephoneNumber: +1 (207) xxx-xxxx
<br>
mail: <a class="moz-txt-link-abbreviated" href="mailto:jsullivan@example.com">jsullivan@example.com</a>
<br>
sn: Sullivan III
<br>
givenName: John A.
<br>
loginShell: /bin/bash
<br>
homeDirectory: /home/jasiii
<br>
gidNumber: 100001
<br>
uidNumber: 100001
<br>
cn: jasiii
<br>
uid: jasiii
<br>
userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg==
<br>
shadowLastChange: 14366
<br>
l: Kennebunk
<br>
postalCode: 04043-XXXX
<br>
postOfficeBox: PO Box XXX
<br>
st: ME
<br>
[root@ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
<br>
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
<br>
"cn=Directory Manager" -w - -h ldap01 uid=jasiii memberOf
<br>
Enter bind password:
<br>
version: 1
<br>
dn:
<br>
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
<br>
I then explicitly added the memberOf attribute
to a user,
<br>
created a
<br>
bogus group and added the user to the group. Still no
<br>
memberOf. What
<br>
am I doing wrong? Thanks - John
<br>
On Fri, 2009-05-22 at 22:59 +0200,
Andrey Ivanov wrote:
<br>
>
<br>
>
<br>
> 2009/5/22 John A. Sullivan III
<br>
<a class="moz-txt-link-rfc2396E" href="mailto:jsullivan@opensourcedevel.com">&lt;jsullivan@opensourcedevel.com&gt;</a>
<br>
> Ah, I did not do that as I thought the filter
would
<br>
make the
<br>
> change to
<br>
> users with objectClass inetOrgPerson.
<br>
> No. The filter just searches what you have in your
directory
<br>
>
<br>
>
<br>
> I am virtually certain the users
<br>
> do not explicitly have inetUser as an object
class.
<br>
Are they
<br>
> supposed
<br>
> to?
<br>
> Yes. The set of the attributes that your entry can hold is
<br>
defined by
<br>
> the classes listed in "objectClass". And the attribute
<br>
memberOf is
<br>
> part of the "inetUser" objectClass.
<br>
>
<br>
> Is this done by default or is the need to add this
<br>
object
<br>
> class to
<br>
> all users in order to use memberOf missing from
the
<br>
> documentation (or
<br>
> overlooked by me!).
<br>
> No. It is not done by default, you need to add the
<br>
"objectClass:
<br>
> inetUser" (or any other objectClass containing the
memberOf
<br>
attribute)
<br>
> to each user entry. You can make a small perl script that
<br>
does for all
<br>
> your users something like
<br>
>
<br>
> -------------
<br>
> dn:
<br>
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
<br>
> changetype: add
<br>
> objectclass: inetUser
<br>
> -------------
<br>
>
<br>
>
<br>
> You can test it with the GUI of the console for one or two
<br>
user
<br>
> entries just to be sure the attribute memberOf works as
you
<br>
wish...
<br>
>
<br>
>
<br>
>
<br>
>
<br>
> objectClass: top
<br>
> objectClass: person
<br>
> objectClass: organizationalPerson
<br>
> objectClass: inetOrgPerson
<br>
> objectClass: posixAccount
<br>
> objectClass: account
<br>
> objectClass: posixgroup
<br>
> objectClass: shadowaccount
<br>
> The origin of your problem is the absence of "objectClass:
<br>
inetUser"
<br>
> necessary to add memberOf attribute to the entry...
<br>
>
<br>
>
<br>
>
<br>
> Thanks - John
<br>
>
<br>
>
<br>
> On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov
<br>
wrote:
<br>
> > Can you show me the result of
<br>
> > /usr/lib64/mozldap/ldapsearch -b
<br>
> >
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz"
<br>
-D
<br>
> "cn=Directory
<br>
> > Manager" -w - -h ldap uid=jasiii objectClass
<br>
> >
<br>
> > It will list all the objectClasses of your
entry.
<br>
If
<br>
> "objectClass:
<br>
> > inetUser" is not present in the result of
this
<br>
search you
<br>
>                 should, as I
<br>
> > said in the previous message, add this
objectClass
<br>
to all
<br>
> the entries
<br>
> > you're going to manage with memberOf plug-in,
smth
<br>
like:
<br>
> >
<br>
> > dn:
<br>
>
<br>
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
<br>
> > changetype: add
<br>
> > objectclass: inetUser
<br>
> >
<br>
> >
<br>
>         > Hope it helps.
<br>
> >
<br>
> >
<br>
> >
<br>
> > 2009/5/22 John A. Sullivan III
<br>
>         > <a class="moz-txt-link-rfc2396E" href="mailto:jsullivan@opensourcedevel.com">&lt;jsullivan@opensourcedevel.com&gt;</a>
<br>
> > I'm starting to feel really stupid
here -
<br>
still not
<br>
> working.
<br>
> >
<br>
> > I thought the filter must be the
problem
<br>
for sure.
<br>
> I assumed
<br>
> > from the
<br>
> > documentation that no filter meant
the
<br>
task would
<br>
> add the
<br>
> > attribute for
<br>
> > everything that could take a memberOf
<br>
attribute. I
<br>
> did not
<br>
> > realize it
<br>
> > defaulted to inetuser. So I
recreated the
<br>
task with
<br>
> a filter
<br>
> > of
<br>
> > (objectClass=inetOrgPerson) but it
still
<br>
did not
<br>
> seem to work.
<br>
> >
<br>
> > I thought perhaps I was doing
ldapmodify
<br>
wrong
<br>
> (enter the
<br>
> > parameters,
<br>
> > double enter, then CTL D) so I edited
the
<br>
> fixup-memberof.pl
<br>
> > script
<br>
> > according to Rich's instructions. It
ran
<br>
without
<br>
> error (by
<br>
> > the way, it
<br>
> > reflects the admin password when
using -w
<br>
- !!!).
<br>
> But still
<br>
> > no success.
<br>
> >
<br>
> > Perhaps I am checking incorrectly. I
did
<br>
not expect
<br>
> to see
<br>
> > memberOf
<br>
> > listed as an attribute in the
advanced
<br>
console
<br>
> screen for the
<br>
> > user since
<br>
> > it is a managed attribute. But I did
try
<br>
to view it
<br>
> with an
<br>
> > ldapsearch:
<br>
> > It should be visible as an attribute you can
add
<br>
(provided
<br>
> your entry
<br>
> > has "objectClass: inetUser")
<br>
> >
<br>
> >
<br>
> >
<br>
> >
<br>
> > /usr/lib64/mozldap/ldapsearch -b
<br>
> >
<br>
> >
<br>
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz"
<br>
> -D
<br>
> > "cn=Directory
<br>
> > Manager" -w - -h ldap uid=jasiii
memberOf
<br>
> >
<br>
> > Is this how I would check for
success?
<br>
> >
<br>
> > There is nothing suspicious in the
error
<br>
log. I do
<br>
> have the
<br>
> > audit log
<br>
> > enabled. I see the creation and
automatic
<br>
deletion
<br>
> of the
<br>
> > task but I do
<br>
> > not see any changes to objects to add
and
<br>
populate
<br>
> the
<br>
> > memberOf
<br>
> > attribute. I'll paste in some
excerpts
<br>
below.
<br>
> >
<br>
> > What next? Thanks - John
<br>
> >
<br>
> > time: 20090520221132
<br>
> > dn: cn=fixMemberOf,cn=memberof
<br>
> task,cn=tasks,cn=config
<br>
> > changetype: add
<br>
> >
<br>
> > objectClass: top
<br>
> > objectClass: extensibleObject
<br>
> > cn: fixMemberOf
<br>
> > basedn:
o=Internal,dc=ssiservices,dc=biz
<br>
> >
<br>
> > creatorsName: cn=xxxx
<br>
> > modifiersName: cn=xxx
<br>
> > createTimestamp: 20090521021132Z
<br>
> > modifyTimestamp: 20090521021132Z
<br>
> >
<br>
> > time: 20090520221333
<br>
> > dn: cn=fixmemberof,cn=memberof
<br>
> task,cn=tasks,cn=config
<br>
> > changetype: delete
<br>
> > modifiersname:
<br>
cn=server,cn=plugins,cn=config
<br>
> >
<br>
> > time: 20090520222242
<br>
> > dn: cn=fixMemberOf,cn=memberof
<br>
> task,cn=tasks,cn=config
<br>
> > changetype: add
<br>
> >
<br>
> > objectClass: top
<br>
> > objectClass: extensibleObject
<br>
> > cn: fixMemberOf
<br>
> > basedn:
<br>
> ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
<br>
> > creatorsName: cn=xxxx
<br>
> > modifiersName: cn=xxxx
<br>
> > createTimestamp: 20090521022242Z
<br>
> > modifyTimestamp: 20090521022242Z
<br>
> >
<br>
> > time: 20090520222442
<br>
> > dn: cn=fixmemberof,cn=memberof
<br>
> task,cn=tasks,cn=config
<br>
> > changetype: delete
<br>
> > modifiersname:
<br>
cn=server,cn=plugins,cn=config
<br>
> >
<br>
> > .
<br>
> > .
<br>
> > .
<br>
> > time: 20090521183523
<br>
> > dn:
cn=memberOf_fixup_2009_5_21_18_35_23,
<br>
> cn=memberOf task,
<br>
> > cn=tasks,
<br>
> > cn=config
<br>
> > changetype: add
<br>
> > objectClass: top
<br>
> > objectClass: extensibleObject
<br>
> > cn: memberOf_fixup_2009_5_21_18_35_23
<br>
> > basedn:
o=Internal,dc=ssiservices,dc=biz
<br>
> >
<br>
> > filter: (objectClass=inetOrgPerson)
<br>
> > creatorsName: cn=xxxx
<br>
> > modifiersName: cn=xxxx
<br>
> > createTimestamp: 20090521223523Z
<br>
> > modifyTimestamp: 20090521223523Z
<br>
> >
<br>
> > time: 20090521183724
<br>
> > dn:
<br>
cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof
<br>
> > task,cn=tasks,cn=config
<br>
> >
<br>
> > changetype: delete
<br>
> > modifiersname:
<br>
cn=server,cn=plugins,cn=config
<br>
> >
<br>
> > time: 20090521185804
<br>
> > dn:
<br>
> >
<br>
>
<br>
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
<br>
> > changetype: modify
<br>
> > replace: nsPreference
<br>
> > nsPreference::
<br>
> >
<br>
>
<br>
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
<br>
> >
<br>
> >
<br>
>
<br>
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
<br>
> > -
<br>
> > replace: modifiersname
<br>
> > modifiersname: cn=xxxxx
<br>
> > -
<br>
> > replace: modifytimestamp
<br>
> > modifytimestamp: 20090521225804Z
<br>
> > -
<br>
> >
<br>
> >
<br>
> > On Thu, 2009-05-21 at 15:59 +0200,
Andrey
<br>
Ivanov
<br>
> wrote:
<br>
> > >
<br>
> > >
<br>
> > > 2009/5/21 John A. Sullivan III
<br>
>         > > <a class="moz-txt-link-rfc2396E" href="mailto:jsullivan@opensourcedevel.com">&lt;jsullivan@opensourcedevel.com&gt;</a>
<br>
> > > Thank you, Andrey. I
did do an
<br>
updatedb
<br>
> and then
<br>
> > locate - no
<br>
>         > >                 fixup-memberOf.pl - just
<br>
> > template.fixup-memberOf.pl :-(
<br>
> > > It is very strange. Normally
during the
<br>
server
<br>
> installation
<br>
> > the
<br>
> > > template should be converted to
the
<br>
"normal" perl
<br>
> script.
<br>
> > >
<br>
> > > Have you verified the
configuration of
<br>
the
<br>
> memberOf plugin,
<br>
> > especially
<br>
> > > the arguments/attributes
<br>
"memberofgroupattr" and
<br>
> > "memberofattr" ?
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > > Unless I'm missing
something,
<br>
you're
<br>
> ldapmodify
<br>
> > looks just
<br>
> > > like mine
<br>
> > > except for the cn (I
believe the
<br>
> documentation says
<br>
> > it can be
<br>
> > > called
<br>
> > > anything) and I did not
use a
<br>
filter
<br>
> (again, I
<br>
> > believe the
<br>
> > > documentation
<br>
> > > says it is optional and
our dit
<br>
is still
<br>
> rather
<br>
> > small).
<br>
> > > If you do not put the filter
into the
<br>
ldif then
<br>
> the default
<br>
> > filter is
<br>
> > > used : "(objectClass=inetuser)".
Do all
<br>
your user
<br>
> entries
<br>
> > include this
<br>
> > > objectClass (inetuser)? If not,
you
<br>
should add
<br>
> this
<br>
> > objectClass to all
<br>
> > > the entries where you want the
memberOf
<br>
attribute
<br>
> to appear.
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > > I did create a new group
and add
<br>
myself to
<br>
> it as you
<br>
> > suggested
<br>
> > > (thank
<br>
> > > you). Surprisingly, it
did not
<br>
appear to
<br>
> work. I
<br>
> > did not see
<br>
> > > a
<br>
> > > memberOf attribute
populated for
<br>
me. I
<br>
> then thought
<br>
> > I would
<br>
> > > see if I
<br>
> > > need to manually add
that
<br>
attribute to
<br>
> each user (I
<br>
> > hope not!)
<br>
> > > and I did
<br>
> > > not see memberOf as an
attribute
<br>
I could
<br>
> add to my
<br>
> > user
<br>
> > > object.
<br>
> > >
<br>
> > > No. You should not add it
manually, the
<br>
memberOf
<br>
> attribute
<br>
> > is
<br>
> > > maintained automatically based
on the
<br>
group
<br>
> membership.
<br>
> > >
<br>
> > > Do you see any message in error
log?
<br>
There should
<br>
> be
<br>
> > something about
<br>
> > > the impossibility to write the
memberof
<br>
attribute
<br>
>         I think.
<br>
> > > If you cannot add this attribute
<br>
manually to your
<br>
> entry it
<br>
> > means that
<br>
>         > > your entry does not contain
<br>
"objectClass:
<br>
> inetuser". Add
<br>
> > this
<br>
> > > objectClass to all the entries
that
<br>
should be
<br>
> "managed" by
<br>
> > the plug-in
<br>
> > > to allow the attribute memberOf
to be
<br>
written to
<br>
>         those
<br>
> > entries.
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > > I have verified that the
plugin
<br>
is defined
<br>
> in
<br>
> > dse.ldif and it
<br>
> > > is
<br>
> > > enabled. I also see
memberOf
<br>
defined in
<br>
> > 20subscriber.ldif and
<br>
> > > did not
<br>
> > > see anything in the
<br>
documentation about
<br>
> needing to
<br>
> > extend the
<br>
> > > schema.
<br>
> > > No, you don't need to extend the
schema
<br>
but you
<br>
> need to make
<br>
> > sure that
<br>
> > > your entries include the
objectClass
<br>
"inetuser":
<br>
> > >
<br>
> > > objectClasses:
<br>
( 2.16.840.1.113730.3.2.130 NAME
<br>
> 'inetUser'
<br>
> > DESC
<br>
> > > 'Auxiliary class which must be
present
<br>
in an entry
<br>
> for
<br>
> > delivery of
<br>
> > > subscriber services' SUP top
AUXILIARY
<br>
MAY ( uid $
<br>
> > inetUserStatus $
<br>
> > > inetUserHTTPURL $ userPassword $
<br>
memberOf )
<br>
> X-ORIGIN
<br>
> > 'Netscape
<br>
> > > subscriber interoperability' )
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > > So, at this point, I am
still at
<br>
a loss
<br>
> for what I
<br>
> > did wrong.
<br>
> > > What do I
<br>
> > > check next? Thanks -
John
<br>
> > > Try to add the "objectClass:
inetuser"
<br>
to the
<br>
> entries
<br>
> > concerned and
<br>
>         > > take a closer look at the
"errors" log
<br>
file.
<br>
> > >
<br>
> > > @+
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > >
<br>
> > > On Thu, 2009-05-21 at
12:59
<br>
+0200, Andrey
<br>
> Ivanov
<br>
> > wrote:
<br>
> > > > Hi,
<br>
> > > >
<br>
> > > > there are two
things to be
<br>
verified
<br>
> and/or taken
<br>
> > into
<br>
> > > account:
<br>
> > > > * the pair of the
attributes
<br>
that is
<br>
> maintained
<br>
> > (the
<br>
> > > arguments
<br>
> > > > "memberofgroupattr"
and
<br>
"memberofattr"
<br>
> of the
<br>
> > plug-in)
<br>
> > > > * presence of these
two
<br>
attributes in
<br>
> the classes
<br>
> > of your
<br>
> > > users and
<br>
> > > > groups
<br>
> > > >
<br>
> > > > To find
fixup-memberof.pl try
<br>
"locate
<br>
> > fixup-memberof.pl".
<br>
> > > >
<br>
> > > > To launch it
manually you
<br>
need to add
<br>
> something
<br>
> > like that
<br>
> > > to the
<br>
> > > > server (with
ldapmodify) :
<br>
> > > > dn:
<br>
> cn=memberOf_fixup_2009_5_21_12_39_21,
<br>
> > cn=memberOf task,
<br>
> > > cn=tasks,
<br>
> > > > cn=config
<br>
> > > > changetype: add
<br>
> > > > objectclass: top
<br>
> > > > objectclass:
extensibleObject
<br>
> > > > cn:
<br>
memberOf_fixup_2009_5_21_12_39_21
<br>
> > > > basedn:
dc=example,dc=com
<br>
> > > > filter:
<br>
(objectClass=inetOrgPerson)
<br>
> > > >
<br>
> > > >
<br>
> > > > As for your
account, you may
<br>
remove/add
<br>
> yourself
<br>
> > from a
<br>
> > > group to see
<br>
> > > > if it changes the
memberof
<br>
attribute.
<br>
> Verify the
<br>
> > objectClass
<br>
> > > of your
<br>
> > > > entry and make sure
the
<br>
attribute
<br>
> memberOf is an
<br>
> > optional
<br>
> > > attribute of
<br>
> > > > at least one of
these
<br>
objectClasses...
<br>
> > > >
<br>
> > > >
<br>
> > > >
<br>
> > > > 2009/5/21 John A.
Sullivan III
<br>
> > >
<a class="moz-txt-link-rfc2396E" href="mailto:jsullivan@opensourcedevel.com">&lt;jsullivan@opensourcedevel.com&gt;</a>
<br>
> > > > Hello,
all. We are in
<br>
the
<br>
> process of
<br>
> > upgrading from
<br>
> > > 8.0 to
<br>
> > > > 8.1. We've
<br>
> > > > hit a few
glitches
<br>
along the way
<br>
> but most
<br>
> > has gone
<br>
> > > well.
<br>
> > > > However,
we
<br>
> > > > wanted to
implement
<br>
the new
<br>
> memberOf
<br>
> > functionality.
<br>
> > > We
<br>
> > > >
successfully
<br>
> > > > added the
plugin by
<br>
editing
<br>
> dse.ldif and
<br>
> > enabled it
<br>
> > > from the
<br>
> > > > console.
<br>
> > > > However,
we've been
<br>
unsuccessful
<br>
> in having
<br>
> > existing
<br>
> > > group
<br>
> > > > membership
<br>
> > > > assigned to
the
<br>
memberOf
<br>
> attribute.
<br>
> > > >
<br>
> > > > We first
tried to run
<br>
> fixup-memberOf.pl
<br>
> > but the
<br>
> > > script does
<br>
> > > > not exist.
<br>
> > > > There is a
<br>
> template.fixup-memberOf.pl but
<br>
> > this does
<br>
> > > not seem
<br>
> > > > to have
<br>
> > > > been built
into a
<br>
final script.
<br>
> > > >
<br>
> > > > We then
thought we
<br>
would use the
<br>
> new task
<br>
> > feature of
<br>
> > > the
<br>
> > > > console.
We
<br>
> > > > went to
cn=memberof
<br>
> > task,cn=tasks,cn=config and
<br>
> > > tried to
<br>
> > > > create the
task
<br>
> > > > object.
There was no
<br>
> > nsDirectoryServerTask
<br>
> > > objectclass. We
<br>
> > > > added an
<br>
> > > > nstask but
then found
<br>
there was
<br>
> no basedn
<br>
> > attribute
<br>
> > > we could
<br>
> > > > add. We
<br>
> > > > then
created an
<br>
extensibleobject
<br>
> instead
<br>
> > but still
<br>
>         > >                 no basedn
<br>
> > > > attribute.
<br>
> > > >
<br>
> > > > Finally, we
resorted
<br>
to
<br>
> ldapmodify (we
<br>
> > hesitated
<br>
> > > just because
<br>
> > > > we are not
<br>
> > > > very
familiar with the
<br>
command
<br>
> line
<br>
> > tools). First,
<br>
> > > we did:
<br>
> > > >
<br>
> > > > dn:
<br>
cn=fixMemberOf,cn=memberof
<br>
> > > task,cn=tasks,cn=config
<br>
> > > > changetype:
add
<br>
> > > >
objectclass: top
<br>
> > > >
objectclass:
<br>
extensibleObject
<br>
> > > > cn:
fixMemberOf
<br>
> > > > basedn:
<br>
> o=Internal,dc=ssiservices,dc=biz
<br>
> > > >
<br>
> > > > The
Internal
<br>
Organization has
<br>
> several
<br>
> > organizations
<br>
> > > under it
<br>
> > > > (for
<br>
> > > > various
clients) and
<br>
then user
<br>
> > organizational units
<br>
> > > under
<br>
> > > > those
<br>
> > > >
organizations.
<br>
Although it
<br>
> generated no
<br>
> > errors, it
<br>
> > > did not
<br>
> > > > seem to
<br>
> > > > work.
Perhaps I just
<br>
don't know
<br>
> how to
<br>
> > test it.
<br>
> > > However, the
<br>
> > > > following
<br>
> > > > did not
return an
<br>
memberOf data:
<br>
> > > >
<br>
> > > >
<br>
/usr/lib64/mozldap/ldapsearch -b
<br>
> > > >
<br>
> > >
<br>
> >
<br>
>
<br>
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
<br>
> > > >
"cn=Directory
<br>
> > > > Manager" -w
- -h ldap
<br>
uid=myid
<br>
> memberOf
<br>
> > > >
<br>
> > > >
<br>
> Doing /usr/lib64/mozldap/ldapsearch -b
<br>
> > > >
<br>
> > >
<br>
> >
<br>
>
<br>
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
<br>
> > > >
"cn=Directory
<br>
> > > > Manager" -w
- -h ldap
<br>
uid=myid
<br>
> > > > showed me
plenty of
<br>
attributes
<br>
> but nothing
<br>
> > for
<br>
> > > memberOf
<br>
> > > >
<br>
> > > > I also
tried creating
<br>
the task
<br>
> with a
<br>
> > basedn of
<br>
> > > >
<br>
> >
<br>
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz
<br>
> > > in case it
<br>
> > > > did not
<br>
> > > > change
objects lower
<br>
in the
<br>
> tree. Still
<br>
> > no success.
<br>
> > > >
<br>
> > > > Finally I
tried:
<br>
> > > >
<br>
> > > > dn:
<br>
cn=fixMemberOf,cn=memberof
<br>
> > > task,cn=tasks,cn=config
<br>
> > > > changetype:
add
<br>
> > > >
objectclass: top
<br>
> > > >
objectclass:
<br>
> nsDirectoryServerTask
<br>
> > > > cn:
fixMemberOf
<br>
> > > > basedn:
<br>
> o=Internal,dc=ssiservices,dc=biz
<br>
> > > >
<br>
> > > > adding new
entry
<br>
> > cn=fixMemberOf,cn=memberof
<br>
> > > >
<br>
task,cn=tasks,cn=config
<br>
> > > > ldap_add:
Object class
<br>
violation
<br>
> > > > ldap_add:
additional
<br>
info:
<br>
> unknown object
<br>
> > class
<br>
> > > >
<br>
"nsDirectoryServerTask"
<br>
> > > >
<br>
> > > > And
received the
<br>
expected
<br>
> unknown object
<br>
> > class
<br>
> > > error.
<br>
> > > >
<br>
> > > > What are we
doing
<br>
wrong? Are
<br>
> these
<br>
> > documentation
<br>
> > > bugs? Are
<br>
> > > > there
<br>
> > > > application
bugs or do
<br>
we simply
<br>
> not know
<br>
> > what we
<br>
> > > are doing
<br>
> > > > with tasks
<br>
> > > > and
memberOf? How do
<br>
we get the
<br>
> memberOf
<br>
> > information
<br>
> > > into our
<br>
> > > > existing
<br>
> > > > user
objects? Thanks -
<br>
John
<br>
> > > >
<br>
> > > >
<br>
</blockquote>
&lt;snip&gt;
<br>
</blockquote>
<br>
--
<br>
Fedora-directory-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>
<br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>
<br>
<br>
</blockquote>
<br>
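The three prerequisites this thread converges on (plug-in enabled, <tt>memberOfGroupAttr</tt> matching the attribute the groups actually use, and <tt>inetUser</tt> on every member entry) can be checked offline against an LDIF export before the fix-up task is run. The Python below is an added example, not code from the thread or from the Directory Server project: the sample LDIF, the function names and the simplified DN normalisation are constructed for illustration, and it assumes inetUser is the only object class in use that allows memberOf and looks at direct membership only.<br>

```python
PLUGIN_DN = "cn=memberof plugin,cn=plugins,cn=config"
GROUPING_ATTRS = ("member", "uniquemember")

# Constructed sample export (not from the thread): plug-in config, one group, two users.
SAMPLE_LDIF = """\
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: off
memberOfGroupAttr: member
memberOfAttr: memberOf

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob, ou=People, dc=example,dc=com

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
memberOf: cn=admins,ou=Groups,dc=example,dc=com
"""

def norm_dn(dn):
    """Simplified DN comparison key: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF into {normalised dn: {attr: [values]}}."""
    entries = {}
    unfolded = text.replace("\n ", "")  # LDIF continuation lines start with a space
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries[norm_dn(entry["dn"][0])] = entry
    return entries

def diagnose(entries):
    """Return (findings, fix_ldif) for the prerequisites discussed in the thread."""
    findings, fixes = [], []
    plugin = entries.get(PLUGIN_DN, {})
    if plugin.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
        findings.append("plugin-disabled")
    group_attr = plugin.get("memberofgroupattr", [""])[0].lower()
    member_attr = plugin.get("memberofattr", ["memberOf"])[0].lower()
    expected = {}  # user dn -> set of group dns, direct membership only
    for gdn, entry in entries.items():
        for attr in GROUPING_ATTRS:
            if attr not in entry:
                continue
            if attr != group_attr:
                findings.append(f"group-attr-mismatch:{gdn} uses {attr}, "
                                f"plug-in watches {group_attr or 'nothing'}")
            for user in entry[attr]:
                expected.setdefault(norm_dn(user), set()).add(gdn)

    for udn, groups in sorted(expected.items()):
        user = entries.get(udn)
        if user is None:
            findings.append(f"member-not-in-export:{udn}")
            continue
        if "inetuser" not in {c.lower() for c in user.get("objectclass", [])}:
            findings.append(f"missing-inetuser:{udn}")
            # Same modify operation as step #2 in the message above.
            fixes.append(f"dn: {user['dn'][0]}\nchangetype: modify\n"
                         "add: objectClass\nobjectClass: inetUser\n")
        if {norm_dn(g) for g in user.get(member_attr, [])} != groups:
            findings.append(f"memberof-out-of-sync:{udn}")
    return findings, "\n".join(fixes)

if __name__ == "__main__":
    found, ldif = diagnose(parse_ldif(SAMPLE_LDIF))
    print("\n".join(found), ldif, sep="\n")
```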
</body>
</html>