This post summarises the steps used to set up OpenLDAP with the memberOf overlay on Ubuntu 12.04.
Background
Post-installation, this is how our cn=config looked:
ubuntu@PS6226:~/openldap/memberof$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config
Steps for setting up memberof overlay
Step 1: Load the memberof module and configure the memberof overlay
The file holds two LDIF records (the module entry and the overlay entry); they must be separated by a blank line or ldapadd reads them as one entry.
ubuntu@PS6226:~/openldap/memberof$ cat memberof_load_configure.ldif
dn: cn=module{1},cn=config
cn: module{1}
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
psl@PS6226:~/openldap/memberof$
ubuntu@PS6226:~/openldap/memberof$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_load_configure.ldif
adding new entry "cn=module{1},cn=config"
adding new entry "olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config"
Step 2: Add referential integrity (refint) to the LDAP config
Modify the cn=module{1} entry so it also loads the refint module:
ubuntu@PS6226:~/openldap/memberof$ cat 1refint.ldif
dn: cn=module{1},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint
ubuntu@PS6226:~/openldap/memberof$
ubuntu@PS6226:~/openldap/memberof$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f 1refint.ldif
modifying entry "cn=module{1},cn=config"
Configure the refint overlay. refint rewrites or removes DN references in the listed attributes when the referenced entry is renamed or deleted, so deleting a user also removes it from any member, manager or owner attribute that points at it:
ubuntu@PS6226:~/openldap/memberof$ cat 2refint.ldif
dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
ubuntu@PS6226:~/openldap/memberof$
ubuntu@PS6226:~/openldap/memberof$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f 2refint.ldif
adding new entry "olcOverlay={1}refint,olcDatabase={1}hdb,cn=config"
slapd is now configured to maintain the memberOf attribute for members of groupOfNames groups. Two things to keep in mind: the overlay only acts on group changes made after it is loaded, so members of groups that already existed get no memberOf until those groups are re-added or their member lists are rewritten; and memberOf is an operational attribute, so ldapsearch returns it only when it is requested by name (or with "+").
Step 3: Create groups and add members to the group
This is how our domain setup looked:
ubuntu@PS6226:~/openldap/memberof$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
dn: ou=people,dc=example,dc=com
dn: ou=groups,dc=example,dc=com
dn: uid=john,ou=people,dc=example,dc=com
dn: uid=mahesh,ou=people,dc=example,dc=com
Add a group
ubuntu@PS6226:~/openldap/memberof$ cat addgroup-groupofnames.ldif
dn: cn=peas_dev,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: peas_dev
description: All users
# group members; each DN is assumed to exist under ou=people
member: uid=john,ou=people,dc=example,dc=com
member: uid=mahesh,ou=people,dc=example,dc=com
ubuntu@PS6226:~/openldap/memberof$
ubuntu@PS6226:~/openldap/memberof$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f addgroup-groupofnames.ldif
Enter LDAP Password:
adding new entry "cn=peas_dev,ou=groups,dc=example,dc=com"
Check group membership
ubuntu@PS6226:~/openldap/memberof$ ldapsearch -x -LLL -H ldap:/// -b uid=mahesh,ou=people,dc=example,dc=com dn
dn: uid=mahesh,ou=people,dc=example,dc=com
ubuntu@PS6226:~/openldap/memberof$ ldapsearch -x -LLL -H ldap:/// -b uid=mahesh,ou=people,dc=example,dc=com dn memberof
dn: uid=mahesh,ou=people,dc=example,dc=com
memberOf: cn=peas_dev,ou=groups,dc=example,dc=com
The first search asks for dn only; the second names memberof explicitly. Because memberOf is operational it is never part of the default attribute set, so any script that checks membership must list it (or use "+") in the requested attributes.
References
- http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/
- http://www.cbjck.de/2012/05/enabling-the-memberof-overlay-for-openldap/
- The first answer at the following link was useful: http://stackoverflow.com/questions/15818382/what-type-of-group-to-choose-in-openldap-for-grouping-users
"LDAP/X.500 defines only group objects which have member attributes, the inverse relation where a user object has a memberof attribute in OpenLDAP can be achieved with the memberof overlay. NDS/eDir and AD make this happen by magic. LDAP proper does not define dynamic bi-directional member/group objects/attributes. Related to that overlay is the refint overlay which helps complete the illusion (and also addresses the mildly irritating problem of a group always requiring at least one member). There are generally two interesting group types to pick, groupOfNames or groupOfUniqueNames, the first one, groupOfNames, is suitable for most purposes. Other types of group have distinct purposes. Less common group-type objects are RFC 2256 roles (organizationalRole), these are implicitly for role-based access control, but are otherwise similar to groups (thanks to EJP for the tip). When it comes to user accounts, group object-types should not be thought of as exclusive, each type typically adds attributes to a user object in a compatible way (though an objectClass can be exclusive if it's structural, that's not something you'll often have to worry about generally)."
- A few more concepts: http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance
- http://serverfault.com/questions/73213/how-do-i-configure-reverse-group-membership-maintenance-on-an-openldap-server
- For the ldapadd/ldapsearch/ldapmodify syntax and help: https://help.ubuntu.com/12.10/serverguide/openldap-server.html
- Reference for creating the group LDIF: http://www.zytrax.com/books/ldap/ch11/groups.html
- http://www.openldap.org/doc/admin24/overlays.html
Great detailed post. Thanks for sharing!