openldap setup with memberof overlay

The post summarises steps executed to setup openldap with memberof overlay on Ubuntu 12.04.


Post-installation, this is how our cn=config looked-

ubuntu@PS6226:~/openldap/memberof$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn                                     
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

Steps for setting up memberof overlay

Step 1: Load memberof module and configure memberof overlay 

ubuntu@PS6226:~/openldap/memberof$ cat memberof_load_configure.ldif
dn: cn=module{1},cn=config
cn: module{1}
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

ubuntu@PS6226:~/openldap/memberof$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_load_configure.ldif
adding new entry “cn=module{1},cn=config”

adding new entry “olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config”

Step 2: Add referential integrity to the ldap config

Modify the cn=module entry to load refint

ubuntu@PS6226:~/openldap/memberof$ cat 1refint.ldif
dn: cn=module{1},cn=config
add: olcmoduleload
olcmoduleload: refint

ubuntu@PS6226:~/openldap/memberof$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f 1refint.ldif
modifying entry “cn=module{1},cn=config”

Configure refint module

ubuntu@PS6226:~/openldap/memberof$ cat 2refint.ldif
dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

ubuntu@PS6226:~/openldap/memberof$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f 2refint.ldif
adding new entry “olcOverlay={1}refint,olcDatabase={1}hdb,cn=config”

The system is configured to use memberof attribute for groups!

Step 3: Create groups and add members to the group

This is how our domain setup looked-

ubuntu@PS6226:~/openldap/memberof$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
dn: ou=people,dc=example,dc=com
dn: ou=groups,dc=example,dc=com
dn: uid=john,ou=people,dc=example,dc=com
dn: uid=mahesh,ou=people,dc=example,dc=com

Add group

ubuntu@PS6226:~/openldap/memberof$ cat addgroup-groupofnames.ldif
dn: cn=peas_dev,ou=groups,dc=example,dc=com
objectClass: groupofnames
cn: peas_dev
description: All users
# add the group members all of which are
# assumed to exist under people
member: uid=john,ou=people,dc=example,dc=com
member: uid=mahesh,ou=people,dc=example,dc=com


ubuntu@PS6226:~/openldap/memberof$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f groupofnames.ldif
Enter LDAP Password:
adding new entry “cn=peas_dev,ou=groups,dc=example,dc=com”

Check group membership

ubuntu@PS6226:~/openldap/memberof$ ldapsearch -x -LLL -H ldap:/// -b uid=mahesh,ou=people,dc=example,dc=com dn
dn: uid=mahesh,ou=people,dc=example,dc=com

ubuntu@PS6226:~/openldap/memberof$ ldapsearch -x -LLL -H ldap:/// -b uid=mahesh,ou=people,dc=example,dc=com dn memberof
dn: uid=mahesh,ou=people,dc=example,dc=com
memberOf: cn=peas_dev,ou=groups,dc=example,dc=com


  3. The first answer at the following link was useful-

“LDAP/X.500 defines only group objects which have member attributes, the inverse relation where a user object has a memberof attribute in OpenLDAP can be achieved with the memberof overlay. NDS/eDir and AD make this happen by magic. LDAP proper does not define dynamic bi-directional member/group objects/attributes. Related to that overlay is the refint overlay which helps complete the illusion (and also addresses the mildly irritating problem of a group always requiring at least one member).

There are generally two interesting group types to pick, groupOfNames or groupOfUniqueNames, the first one GroupOfNames is suitable for most purposes. Other types of group have distinct purposes. Less common group-type objects are RFC 2256 roles (organizationalRole), these are implicitly for for based role-based access control, but are otherwise similar to groups (thanks to EJP for the tip).
When it comes to user accounts, group object-types should not be thought of as exclusive, each type typically adds attributes to a user object in a compatible way (though an objectClass can be exclusive if it’s structural, that’s not something you’ll often have to worry about generally).”

  1. Few more concepts-
  3. For the ldapadd/search/modify syntax and help-
  4. Reference for creating group.ldif-

5 thoughts on “openldap setup with memberof overlay

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s