Question
I'm not very familiar with OpenLDAP, but I'm trying to get a local instance working in order to test a client in development, which needs the memberOf attribute.
I've downloaded and installed OpenLDAP on a CentOS 7 VM, per the instructions at http://www.openldap.org/doc/admin24/guide.html#A Quick-Start Guide. I did not use package management to install it. Since I'm using 2.4.45, it's using the cn=config OLC config and not the slapd.conf configuration scheme.
At step 4 above, I used the --enable-memberof and --enable-refint flag to the configure script. When I ran the pre-install tests, it did run the memberof tests, and they passed, so I know the overlay can be applied somehow.
I've tried the directions found at https://adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/ and, with slight variants, many other places. I've run into the following issues with this...
- Errors about an invalid objectClass oldModuleList during ldapadd
- Insufficient access errors during ldapadd
- I don't have a local directory that corresponds to the module path found in any of the examples. I don't seem to have the memberof.la file anywhere on the machine.
Is this even on the right track? Or will the process be different because I installed from source or used the --enable-memberof flag?
Let me know if there's any info I need to provide.
Update:
Currently, I am trying to add the entry with dn olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config as found in the linked instructions above. I get:
# ldapadd -x -D "cn=Manager,dc=aaron,dc=com" -W -f member.ldif
Enter LDAP Password:
adding new entry "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
ldap_add: Insufficient access (50)
Another update: Progress!
I added an olcRootPW to the cn=config database by editing
etc/slapd.d/cn=config/olcDatabase={0}config.ldif
then used that dn to run the ldapadd:
ldapadd -x -D "cn=config" -W -f member.ldif
I had to put the {0} and {1} back.
Trying to add the first refint ldif failed, but I think I don't need that since these aren't modules, but compiled directly into slapd based on how I configured it.
Now I'm trying to add the second refint entry and getting
[root@openldap openldap]# ldapadd -x -D "cn=config" -W -f refint2.ldif
Enter LDAP Password:
adding new entry "olcOverlay={1}refint,olcDatabase={1}mdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcRefintAttribute <manager>: attribute type undefined
Answer 1:
Adding this comment for users who might need additional information on this. This article clearly explains how to enable the memberOf overlay along with referential integrity. In fact, it completely explains the end-to-end OpenLDAP implementation.
Answer 2:
So here's everything I had to do to get it working from my original issue:
Add an olcRootPW entry to the olcDatabase={0}config.ldif config entry. As EJP says, this is bad form, but since this is a local testing directory only, and I only want it to allow me to test a client...
Without the {0} and {1} items in the file, the load still failed. I put both back and it worked. I did not go back to check EJP's suggestion to only have the {1}.
Then the ldapadd command needs to be run with bind dn 'cn=config'. At that point the entry to enable the memberof config would add successfully.
I tried to add the first refint file, the one that does the module. This did not work, I got an error about the olcModuleList attribute. I think since I compiled the overlays directly into OpenLDAP via the --enable-memberof and --enable-refint I didn't need this part?
For the second refint file, the one to add the overlay, I just needed to remove the 'manager owner' part of the attributes, since my directory does not have those attributes. At this point the ldif added successfully.
Then I went into the directory and added users, groups, and assigned users to groups, and (once I told it to fetch the operational attributes) lo and behold my users had the appropriate memberOf attributes!
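The steps in the question's updates and in this answer, written out as an added example (this is not code from the original post or from the OpenLDAP project). It assumes the database is olcDatabase={1}mdb (as in the question's ldapadd output), that memberof is overlay {0} and refint is overlay {1}, that the config rootdn is cn=config, and that slapd listens on ldap://localhost. The refint entry keeps only memberOf and member, since the answer found that listing manager and owner in olcRefintAttribute fails with "attribute type undefined" when the directory's schema does not define them; a small pre-check catches that before ldapadd is run.

```shell
#!/bin/sh
# Added example: LDIF entries and commands for enabling the memberof and
# refint overlays under cn=config. Assumed: olcDatabase={1}mdb, overlay
# indexes {0}/{1}, bind dn cn=config, server at ldap://localhost.

# Entry that enables the memberof overlay on the {1}mdb database.
memberof_ldif() {
  cat <<'EOF'
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
}

# Entry that enables the refint overlay. Every value in olcRefintAttribute
# must be an attribute type slapd knows, so 'manager owner' is left out here.
refint_ldif() {
  cat <<'EOF'
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberOf member
EOF
}

# Pre-check: return 0 if every olcRefintAttribute value in $1 appears in the
# space-separated list of known attribute types $2 (compared case-insensitively,
# as LDAP attribute names are). Returns 1 otherwise, which is the condition that
# would make slapd answer "attribute type undefined" (error 80).
refint_attrs_defined() {
  attrs=$(printf '%s\n' "$1" | sed -n 's/^olcRefintAttribute: //p' | tr 'A-Z' 'a-z')
  known=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  for a in $attrs; do
    case " $known " in
      *" $a "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Hash a config rootdn password with slappasswd so olcRootPW in
# olcDatabase={0}config.ldif holds an {SSHA} value rather than cleartext.
# Assumes slappasswd is on PATH.
hashed_rootpw() {
  slappasswd -s "$1"
}

# Apply both entries, binding as cn=config (password prompted by -W).
# Runs only where the OpenLDAP client tools are installed.
apply_overlays() {
  command -v ldapadd >/dev/null 2>&1 || { echo "ldapadd not installed" >&2; return 2; }
  memberof_ldif | ldapadd -x -D "cn=config" -W -H ldap://localhost || return 1
  refint_ldif   | ldapadd -x -D "cn=config" -W -H ldap://localhost || return 1
}
```

Two caveats worth keeping in mind when reproducing the answer: the files under slapd.d are meant to be changed through ldapmodify against cn=config rather than edited by hand, so if you do edit olcDatabase={0}config.ldif directly, stop slapd first; and the olcRootPW value should be the {SSHA} hash from slappasswd (as hashed_rootpw above shows), not the plain password, even on a test box.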
Source: https://stackoverflow.com/questions/46306929/problems-getting-openldap-memberof-working