osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

memberOf not part of the operational attributes in 1.5.0 #635

Open EugenMayer opened 2 years ago

EugenMayer commented 2 years ago

Expected

I'm aware of the mass of older and newer memberOf questions (and issues) and I have looked at most of them (hopefully). As far as I understand and could check in the Docker image, memberOf support was added by default and should work out of the box if the steps I describe in Setup are taken care of.

Setup

As you can see, I'm using the vanilla image and using an LDIF import via the mount here. It is a fairly easy setup to get a provisioned "test LDAP" up and running with users, groups and that's about it.

Reproduction

You can reproduce this entirely, including a test LDAP:

git clone https://github.com/EugenMayer/docker-image-ldapexample
cd docker-image-ldapexample
docker-compose up -d
ldapsearch -x -H ldap://localhost:20389 -b "dc=kontextwork-test,dc=de" -D"cn=admin,dc=kontextwork-test,dc=de" -w"admin" + | grep memberOf

You should see no output.

Background

I would say the setup is fairly vanilla and well documented, so we could finally iron out why so many people have struggles. You can see the docs for this image under README.md; admin credentials / port can be seen in the ldapsearch above (and in the readme). You can also check the LDIF used.

SPOILER: I have this Docker image running in production and an older build, both working with memberOf, but the config is based on upgrades from most probably 1.0. This might be the reason they are working.

EugenMayer commented 2 years ago

After skimming through the issues I found this one little hint about the order: https://github.com/osixia/docker-openldap/issues/304#issuecomment-565549124

Basically I moved the groups to the very end of the LDIF, creating the users before: https://github.com/EugenMayer/docker-image-ldapexample/commit/ef3d71c4fc0ac108b18b536fc24618f20a978e7b

This was all that was missing. Of course, that is not very obvious nor easy to spot / understand, so this for sure will cost other people's time too. That LDIF was dumped via ApacheStudio and the order is the order in the tree, and since accounts come after groups, that LDIF will fail for memberOf.

So one has to configure nothing for memberOf to work unless

So you do not need to activate LDAP_RFC2307BIS_SCHEMA or add anything else.

Be sure, if you use ldapsearch, to either search with + to include operational attributes, or request memberOf specifically.

Not sure whether we should close this ticket or iron it out to be the standing example / source of the docs for what is needed in the current form / 1.5.0.
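One way to catch this ordering problem before an import, as an added example that is not code from the issue or the osixia project (Python, assuming a plain LDIF whose groups carry member or uniqueMember attributes; the sample LDIF is constructed):

```python
# Added example (not from the issue or the osixia project): memberOf is only
# populated on entries that exist when the group is added, so an LDIF dumped
# in tree order (groups before users) yields no memberOf. Reorder and check.
SAMPLE_LDIF = """\
dn: cn=devs,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: devs
member: uid=alice,ou=users,dc=example,dc=org
member: uid=bob,ou=users,
 dc=example,dc=org

dn: uid=alice,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
sn: Example
cn: Alice
"""  # constructed sample in the problematic order: group before its member

MEMBER_ATTRS = ("member", "uniquemember")


def parse_ldif(text):
    """Split LDIF into entries (lists of lines), unfolding continuation lines."""
    entries = [[]]
    for raw in text.splitlines():
        if raw.startswith(" ") and entries[-1]:
            entries[-1][-1] += raw[1:]  # LDIF folding: leading space joins lines
        elif raw.strip():
            entries[-1].append(raw)
        elif entries[-1]:
            entries.append([])
    return [e for e in entries if e]


def attr_values(entry, name):
    """Values of attribute `name` (case-insensitive) within one entry."""
    return [v.strip() for k, _, v in (line.partition(":") for line in entry)
            if k.lower() == name]


def reorder_ldif(text):
    """Return (ldif, group_count) with every group entry moved after the rest."""
    entries = parse_ldif(text)
    groups = [e for e in entries if any(attr_values(e, a) for a in MEMBER_ATTRS)]
    others = [e for e in entries if e not in groups]
    return "\n\n".join("\n".join(e) for e in others + groups) + "\n", len(groups)


def dangling_members(text):
    """Member DNs referenced by groups that no entry in the LDIF defines."""
    entries = parse_ldif(text)
    defined = {dn.lower() for e in entries for dn in attr_values(e, "dn")}
    return [dn for e in entries for a in MEMBER_ATTRS
            for dn in attr_values(e, a) if dn.lower() not in defined]
```

A member DN that the file never defines (uid=bob in the sample) will still get no memberOf after reordering, so the dangling check is worth running alongside the reorder.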