Issues with memberOf plugin for 389-ds

I needed an LDAP server, fast, so I installed 389-ds on Ubuntu 18 LTS. One of the most irritating and not so well described necessities there is the memberOf plugin.

Turning it on in the Configuration -> Plugins section was not enough to make it work after a restart. A few more things should be done, namely:

  • in Advanced -> PropertyEditor of the memberOf plugin, the memberofgroupattr should be set to uniqueMember
  • a symlink is missing and has to be created, so that a Perl script can find the DSUtil.pl file
    root@ds:/tmp# ls -Alh /usr/ | grep 64
    lrwxrwxrwx 1 root root 26 Oct 26 22:08 lib64 -> /usr/lib/x86_64-linux-gnu/
  • two more ldif files should be used to reconfigure slapd
    root@ds:/tmp# cat ldif.ldif
    dn: cn=MemberOf Plugin,cn=plugins,cn=config
    changetype: modify
    replace: memberofgroupattr
    memberofgroupattr: uniqueMember
    -
    root@ds:/tmp# cat ldif2.ldif
    dn: cn=MemberOf Plugin,cn=plugins,cn=config
    changetype: modify
    replace: memberofattr
    memberofattr: memberOf
    -

    and should be loaded like this:

    ldapmodify -D "cn=directory manager" -w secret -H ldaps://ds.example.org:636 -v -f ldif.ldif
    ldapmodify -D "cn=directory manager" -w secret -H ldaps://ds.example.org:636 -v -f ldif2.ldif

    After a restart, a new user should be given a value of inetuser in the ObjectClass section, and an attribute of memberOf. Subsequent additions of a user created that way to groups should now automatically display memberships in those groups in the memberOf section. There, it works!

Edit, 28.10.2019 – seems that a plugin named fixup-memberof.pl saves us manual work, so after the above-mentioned action is taken, dsgw can be used to add groups and users as usual, no fuss about adding values and attributes manually.
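To check that the plugin is actually maintaining memberOf, an LDIF export can be audited offline by comparing each group's uniqueMember list with the users' memberOf values. This is an added example, not code from the original post or from 389-ds; the sample export, its DNs and the function names are constructed for illustration, and the DN normalisation is deliberately simplified.

```python
from collections import defaultdict

# Constructed sample export (not from the post); all DNs are hypothetical.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,dc=example,dc=org
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=People,dc=example,dc=org
uniqueMember: uid=bob,ou=People,dc=example,dc=org

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetuser
memberOf: cn=admins,ou=Groups,dc=example,dc=org

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetuser

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: inetuser
memberOf: cn=admins,ou=Groups,
 dc=example,dc=org
"""

def norm(dn):
    """Simplified DN normalisation: lowercase, strip spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; unfolds long lines, ignores base64 values."""
    unfolded = text.replace("\n ", "")  # LDIF continuation lines start with one space
    entries = {}
    for block in unfolded.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                attrs[name.lower()].append(value)
        if "dn" in attrs:
            entries[norm(attrs["dn"][0])] = attrs
    return entries

def audit(text, group_attr="uniquemember", member_attr="memberof"):
    """Return (missing, stale) sets of (user_dn, group_dn) pairs."""
    entries = parse_ldif(text)
    expected = {(norm(m), g) for g, a in entries.items() for m in a.get(group_attr, [])}
    actual = {(u, norm(g)) for u, a in entries.items() for g in a.get(member_attr, [])}
    return expected - actual, actual - expected

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

A "missing" pair is a group member whose entry lacks the memberOf value; a "stale" pair is a memberOf value with no matching uniqueMember, which matters when applications authorize on memberOf.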
