osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

memberOf not shown with groupOfUniqueNames overlay #75

Open lerignoux opened 8 years ago

lerignoux commented 8 years ago

I tried to use the latest (1.1.2) docker image and add a user and a groupOfUniqueNames. When adding a uniqueMember, the user's memberOf attribute does not seem to be created.

Here is the LDIF I added in the bootstrap (as suggested in the documentation):

dn: ou=contacts,dc=surycat,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
description: Groups of contacts
ou: contacts

dn: ou=groups,dc=surycat,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
description: Addressbook groups
ou: groups

dn: uid=bidon,ou=contacts,dc=surycat,dc=com
changetype: add
uid: bidon
cn: bidon
sn: bidon
objectClass: top
objectClass: inetOrgPerson

dn: cn=group,ou=groups,dc=surycat,dc=com
changetype: add
cn: group
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=bidon,ou=contacts,dc=surycat,dc=com

After starting the container, an ldapsearch query returns:

# contacts, surycat.com
dn: ou=contacts,dc=surycat,dc=com
objectClass: top
objectClass: organizationalUnit
description: Groups of contacts
ou: contacts

# groups, surycat.com
dn: ou=groups,dc=surycat,dc=com
objectClass: top
objectClass: organizationalUnit
description: Addressbook groups
ou: groups

# bidon, contacts, surycat.com
dn: uid=bidon,ou=contacts,dc=surycat,dc=com
uid: bidon
cn: bidon
sn: bidon
objectClass: top
objectClass: inetOrgPerson

# group, groups, surycat.com
dn: cn=group,ou=groups,dc=surycat,dc=com
cn: group
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=bidon,ou=contacts,dc=surycat,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

I checked the configuration; the overlay seems correctly configured with regard to the 1.1.2 configuration.

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf

dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: owner
olcRefintAttribute: manager
olcRefintAttribute: uniqueMember
olcRefintAttribute: member
olcRefintAttribute: memberOf

Following other issues, I also tried restarting the container and adding the user, then the group afterwards, to no avail.

I don't understand why the user's memberOf attribute is not set. Did I miss anything in the setup?

After following up, it seems that a query with such a filter does return the users with the right memberOf.

ldapsearch -D 'cn=admin,dc=surycat,dc=com' -b 'dc=surycat,dc=com' 'memberOf=cn=group,ou=groups,dc=surycat,dc=com' -W

The memberOf attribute is just not displayed!

Why isn't this field displayed?

bruce-one commented 8 years ago

(Preface: my LDAP knowledge isn't amazing...)

I tried your example (with a slightly different dc, but otherwise the same) and retrieved the memberOf attribute.

Because the memberOf attribute is an operational attribute it needs to be requested explicitly, hence a search like:

ldapsearch -D 'cn=admin,dc=surycat,dc=com' -b 'dc=surycat,dc=com' 'memberOf=cn=group,ou=groups,dc=surycat,dc=com' -W memberOf

e.g.:

ldapsearch -x -h "127.0.0.1" -b dc=ldap-domain,dc=com -D "cn=admin,dc=ldap-domain,dc=com" -W '(uid=bidon)' memberOf

returned

# extended LDIF
#
# LDAPv3
# base <dc=ldap-domain,dc=com> with scope subtree
# filter: (uid=bidon)
# requesting: memberOf 
#
# bidon, contacts, ldap-domain.com
dn: uid=bidon,ou=contacts,dc=ldap-domain,dc=com
memberOf: cn=group,ou=groups,dc=ldap-domain,dc=com

# search result
search: 2
result: 0 Success

For me.
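The behaviour both comments describe (memberOf is written by the overlay and usable in a filter, but absent from a default search result) comes down to two rules: slapo-memberof materialises memberOf from the group's member attribute, and memberOf is an operational attribute, which ldapsearch only returns when it is named explicitly or when `+` (all operational attributes) is requested. The following Python script is an added example, not code from the docker-openldap project or from either commenter. It models the overlay with the olcMemberOfGroupOC / olcMemberOfMemberAD / olcMemberOfMemberOfAD / olcMemberOfDangling values shown in the issue and models ldapsearch's attribute selection, so it runs offline; the LDIF is constructed from the entries in the issue, with an extra, non-existent `uid=missing` member added to exercise the dangling-reference setting. The function and parameter names are this example's own and are not an OpenLDAP API.

```python
# Added example (not from the docker-openldap project or this issue thread):
# an offline model of the memberof overlay configured in the issue and of
# ldapsearch's attribute-selection rules, showing why memberOf is populated
# and filterable yet absent from a default search result.

# Attribute types slapd/slapo-memberof define with an operational USAGE;
# ldapsearch omits these unless they are named or "+" is requested.
OPERATIONAL = {"memberof", "entryuuid", "entrycsn", "createtimestamp",
               "modifytimestamp", "creatorsname", "modifiersname"}

# Constructed sample: the user and group from the issue, plus one dangling
# uniqueMember (uid=missing) that has no entry of its own.
SAMPLE_LDIF = """\
dn: uid=bidon,ou=contacts,dc=surycat,dc=com
uid: bidon
cn: bidon
sn: bidon
objectClass: top
objectClass: inetOrgPerson

dn: cn=group,ou=groups,dc=surycat,dc=com
cn: group
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=bidon,ou=contacts,dc=surycat,dc=com
uniqueMember: uid=missing,ou=contacts,dc=surycat,dc=com
"""


def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into {dn: {attr_lower: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def apply_memberof_overlay(entries, group_oc="groupOfUniqueNames",
                           member_ad="uniqueMember", memberof_ad="memberOf",
                           dangling="ignore"):
    """Model of slapo-memberof with the olcMemberOf* values from the issue:
    for every entry of group_oc, write memberof_ad onto each member_ad target.
    dangling="ignore" skips members that do not exist; "error" rejects them."""
    group_oc, member_ad, memberof_ad = (s.lower() for s in (group_oc, member_ad, memberof_ad))
    for group_dn, group in entries.items():
        if group_oc not in (oc.lower() for oc in group.get("objectclass", [])):
            continue
        for member_dn in group.get(member_ad, []):
            target = entries.get(member_dn)
            if target is None:
                if dangling == "error":
                    raise ValueError(f"dangling member {member_dn} in {group_dn}")
                continue  # olcMemberOfDangling: ignore
            values = target.setdefault(memberof_ad, [])
            if group_dn not in values:
                values.append(group_dn)
    return entries


def select_attrs(entry, requested=()):
    """ldapsearch attribute selection: no list or "*" -> user attributes only,
    "+" -> operational attributes, an explicit name -> that attribute regardless."""
    req = {r.lower() for r in requested}
    want_user = not req or "*" in req
    want_operational = "+" in req
    return {attr: list(vals) for attr, vals in entry.items()
            if attr in req
            or (want_user and attr not in OPERATIONAL)
            or (want_operational and attr in OPERATIONAL)}


def matches(entry, attr, value):
    """Equality filter evaluated against the stored entry, so an operational
    attribute matches even though it is not returned by default."""
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def demo():
    """Run the overlay over the sample and show the four views of the user."""
    entries = apply_memberof_overlay(parse_ldif(SAMPLE_LDIF))
    user = entries["uid=bidon,ou=contacts,dc=surycat,dc=com"]
    group_dn = "cn=group,ou=groups,dc=surycat,dc=com"
    return {
        "stored": user.get("memberof", []),                 # what the overlay wrote
        "default_search": sorted(select_attrs(user)),       # no attribute list
        "explicit": select_attrs(user, ["memberOf"]),       # ... memberOf
        "plus": select_attrs(user, ["+"]),                  # ... '+'
        "filter_hits": matches(user, "memberOf", group_dn), # (memberOf=...) filter
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The `default_search` view lists only uid, cn, sn and objectClass, exactly like the output in the question, while the filter still matches and the `memberOf` / `+` requests return the attribute, as in the answer. On a real server the same check is `ldapsearch ... '(uid=bidon)' '*' '+'`, which returns user and operational attributes together.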