Discussion:
memberOf task problem
John A. Sullivan III
2009-05-21 02:45:40 UTC
Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
hit a few glitches along the way but most has gone well. However, we
wanted to implement the new memberOf functionality. We successfully
added the plugin by editing dse.ldif and enabled it from the console.
However, we've been unsuccessful in having existing group membership
assigned to the memberOf attribute.

We first tried to run fixup-memberOf.pl but the script does not exist.
There is a template.fixup-memberOf.pl but this does not seem to have
been built into a final script.

We then thought we would use the new task feature of the console. We
went to cn=memberof task,cn=tasks,cn=config and tried to create the task
object. There was no nsDirectoryServerTask objectclass. We added an
nstask but then found there was no basedn attribute we could add. We
then created an extensibleobject instead but still no basedn attribute.

Finally, we resorted to ldapmodify (we hesitated just because we are not
very familiar with the command line tools). First, we did:

dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz

The Internal Organization has several organizations under it (for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not seem to
work. Perhaps I just don't know how to test it. However, the following
did not return any memberOf data:

/usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid memberOf

Doing /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf.

I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
change objects lower in the tree. Still no success.

Finally I tried:

dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz

adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class "nsDirectoryServerTask"

And received the expected unknown object class error.

What are we doing wrong? Are these documentation bugs? Are there
application bugs or do we simply not know what we are doing with tasks
and memberOf? How do we get the memberOf information into our existing
user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Andrey Ivanov
2009-05-21 10:59:54 UTC
Hi,

there are two things to be verified and/or taken into account:
* the pair of the attributes that is maintained (the arguments
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and groups

To find fixup-memberof.pl try "locate fixup-memberof.pl".

To launch it manually you need to add something like that to the server
(with ldapmodify) :
dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)


As for your account, you may remove/add yourself from a group to see if it
changes the memberof attribute. Verify the objectClass of your entry and
make sure the attribute memberOf is an optional attribute of at least one of
these objectClasses...



John A. Sullivan III
2009-05-21 11:33:18 UTC
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-memberOf.pl - just template.fixup-memberOf.pl :-(

Unless I'm missing something, your ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the documentation
says it is optional and our dit is still rather small).

I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.

I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.

So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John
Andrey Ivanov
2009-05-21 13:59:58 UTC
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Post by John A. Sullivan III
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-memberOf.pl - just template.fixup-memberOf.pl :-(

It is very strange. Normally during the server installation the template
should be converted to the "normal" perl script.

Have you verified the configuration of the memberOf plugin, especially the
arguments/attributes "memberofgroupattr" and "memberofattr"?

Post by John A. Sullivan III
Unless I'm missing something, your ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the documentation
says it is optional and our dit is still rather small).

If you do not put the filter into the ldif then the default filter is used:
"(objectClass=inetuser)". Do all your user entries include this objectClass
(inetuser)? If not, you should add this objectClass to all the entries where
you want the memberOf attribute to appear.

Post by John A. Sullivan III
I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.

No. You should not add it manually, the memberOf attribute is maintained
automatically based on the group membership.

Do you see any message in error log? There should be something about the
impossibility to write the memberof attribute I think.
If you cannot add this attribute manually to your entry it means that your
entry does not contain "objectClass: inetuser". Add this objectClass to all
the entries that should be "managed" by the plug-in to allow the attribute
memberOf to be written to those entries.

Post by John A. Sullivan III
I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.

No, you don't need to extend the schema but you need to make sure that your
entries include the objectClass "inetuser":

objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary
class which must be present in an entry for delivery of subscriber services'
SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $
userPassword $ memberOf ) X-ORIGIN 'Netscape subscriber interoperability' )

Post by John A. Sullivan III
So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John

Try to add the "objectClass: inetuser" to the entries concerned and take a
closer look at the "errors" log file.
@+
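
Added example, not part of the thread and not code from the directory server project: the two conditions the reply above describes, checked offline against an LDIF export. For each entry it reports whether the fixup task's objectClass filter would select it and whether any of its objectClasses permits memberOf. The inetUser definition is the one quoted in the reply; the other schema lines, the sample entries and all function names are constructed for the example.

```python
import re

# inetUser is the definition quoted in the reply above. The other two are
# abbreviated, constructed stand-ins (not the shipped schema) so this runs offline.
SCHEMA = [
    "( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary class which "
    "must be present in an entry for delivery of subscriber services' SUP top "
    "AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword $ "
    "memberOf ) X-ORIGIN 'Netscape subscriber interoperability' )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP person STRUCTURAL "
    "MAY ( mail $ uid $ givenName ) )",
]

# Constructed sample export; the DNs are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,o=client1,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=Users,o=client1,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: inetUser
uid: bob
"""


def parse_objectclasses(defs):
    """Return {lowercased class name: (superior or None, allowed attributes)}."""
    classes = {}
    for d in defs:
        name = re.search(r"NAME\s+\(?\s*'([^']+)'", d).group(1).lower()
        body = re.sub(r"'[^']*'", "''", d)  # drop quoted text such as DESC
        sup = re.search(r"\bSUP\s+([\w.-]+)", body)  # single superior only
        attrs = set()
        for m in re.finditer(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|([\w.-]+))", body):
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            attrs.update(a.strip().lower() for a in raw.split("$") if a.strip())
        classes[name] = (sup.group(1).lower() if sup else None, attrs)
    return classes


def allowed_attrs(classes, oc):
    """Attributes objectClass oc permits, following its SUP chain."""
    out, seen = set(), set()
    while oc in classes and oc not in seen:
        seen.add(oc)
        sup, attrs = classes[oc]
        out |= attrs
        oc = sup
    return out


def parse_ldif(text):
    """Collect dn and objectClass values per entry (base64 values not decoded)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # unfold an LDIF continuation line
        else:
            lines.append(line)
    entries, cur = [], None
    for line in lines + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            cur = {"dn": val, "objectclass": set()}
        elif key == "objectclass" and cur is not None:
            cur["objectclass"].add(val.lower())
    return entries


def audit(entries, classes, filter_class="inetUser", attr="memberOf"):
    """Map dn -> (selected by an (objectClass=filter_class) filter, schema permits attr)."""
    report = {}
    for e in entries:
        ocs = e["objectclass"]
        selected = filter_class.lower() in ocs
        writable = "extensibleobject" in ocs or any(
            attr.lower() in allowed_attrs(classes, oc) for oc in ocs)
        report[e["dn"]] = (selected, writable)
    return report


def fix_ldif(dns, aux="inetUser"):
    """ldapmodify input that adds the auxiliary class to the given entries."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {aux}\n"
        for dn in dns)


if __name__ == "__main__":
    classes = parse_objectclasses(SCHEMA)
    report = audit(parse_ldif(SAMPLE_LDIF), classes, filter_class="inetOrgPerson")
    for dn, (selected, writable) in report.items():
        print(f"{dn}: selected={selected} memberOf-permitted={writable}")
    print(fix_ldif(dn for dn, (_, w) in report.items() if not w))
```

With the filter set to inetOrgPerson, the constructed entry for alice is selected but has no objectClass that permits memberOf, which is the case the reply tells the poster to look for in the errors log.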
Rich Megginson
2009-05-21 14:27:44 UTC
Post by Andrey Ivanov
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-memberOf.pl - just template.fixup-memberOf.pl :-(
It is very strange. Normally during the server installation the
template should be converted to the "normal" perl script.

I think that is the problem here. The script is not created if you
already have an installation and just do an upgrade. If you want to use
the script with existing instances, just copy the template file
somewhere, and replace these tokens:
{{DS-ROOT}} - replace with the empty string - for FHS systems, this is
just ""
{{SERVER-NAME}} - your server FQDN
{{SERVER-PORT}} - your server port number (e.g. 389)

The script is really pretty simple - all it does is create an LDIF task
entry and add it using ldapmodify.
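
Added example, not part of the thread and not the project's installer code: the token replacement described in the reply above, with two checks added. The values are validated before they are written into Perl source, and any {{...}} token still present after rendering is reported with its line number. The sample template and the token {{EXAMPLE-UNLISTED-TOKEN}} are constructed; the real template.fixup-memberOf.pl is not reproduced here.

```python
import re

TOKEN_RE = re.compile(r"\{\{([A-Za-z0-9_-]+)\}\}")

# Constructed stand-in for the template, NOT the shipped file. The last token
# is hypothetical and stands for any token beyond the three named in the reply.
SAMPLE_TEMPLATE = """\
#!/usr/bin/perl
# constructed sample, not the real template
$prefix = "{{DS-ROOT}}";
$host = "{{SERVER-NAME}}";
$port = "{{SERVER-PORT}}";
$extra = "{{EXAMPLE-UNLISTED-TOKEN}}";
"""


def token_values(server_name, server_port, ds_root=""):
    """Build the substitution map for the three tokens named in the reply.

    The values end up inside quoted strings in a Perl script, so anything
    that is not a plain host name, port number or path is rejected.
    """
    port = int(server_port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {server_port!r}")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", server_name):
        raise ValueError(f"unexpected characters in host name: {server_name!r}")
    if not re.fullmatch(r"[A-Za-z0-9._/-]*", ds_root):
        raise ValueError(f"unexpected characters in DS-ROOT: {ds_root!r}")
    return {"DS-ROOT": ds_root, "SERVER-NAME": server_name,
            "SERVER-PORT": str(port)}


def render(template, values):
    """Return (rendered text, [(line number, token)] for tokens left unresolved)."""
    out = TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)
    unresolved = [(n, m.group(0))
                  for n, line in enumerate(out.splitlines(), 1)
                  for m in TOKEN_RE.finditer(line)]
    return out, unresolved


if __name__ == "__main__":
    # Host name and port are placeholders for the reader's own instance.
    text, left = render(SAMPLE_TEMPLATE, token_values("ldap.example.com", 389))
    for lineno, token in left:
        print(f"line {lineno}: {token} still needs a value")
    if not left:
        print(text)
```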
John A. Sullivan III
2009-05-21 23:17:20 UTC
I'm starting to feel really stupid here - still not working.

I thought the filter must be the problem for sure. I assumed from the
documentation that no filter meant the task would add the attribute for
everything that could take a memberOf attribute. I did not realize it
defaulted to inetuser. So I recreated the task with a filter of
(objectClass=inetOrgPerson) but it still did not seem to work.

I thought perhaps I was doing ldapmodify wrong (enter the parameters,
double enter, then CTL D) so I edited the fixup-memberof.pl script
according to Rich's instructions. It ran without error (by the way, it
reflects the admin password when using -w - !!!). But still no success.

Perhaps I am checking incorrectly. I did not expect to see memberOf
listed as an attribute in the advanced console screen for the user since
it is a managed attribute. But I did try to view it with an ldapsearch:

/usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii memberOf

Is this how I would check for success?

There is nothing suspicious in the error log. I do have the audit log
enabled. I see the creation and automatic deletion of the task but I do
not see any changes to objects to add and populate the memberOf
attribute. I'll paste in some excerpts below.

What next? Thanks - John

time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z

time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z

time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

.
.
.
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks,
cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z

time: 20090521183724
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof
task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

time: 20090521185804
dn:
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
nsPreference::
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3

dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-
Post by Andrey Ivanov
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-member0f.pl - just template.fixup-memberOf.pl :-(
It is very strange. Normally during the server installation the
template should be converted to the "normal" perl script.
Have you verified the configuration of the memberOf plugin, especially
the arguments/attributes "memberofgroupattr" and "memberofattr" ?
Unless I'm missing something, your ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the documentation
says it is optional and our dit is still rather small).
If you do not put the filter into the ldif then the default filter is
used : "(objectClass=inetuser)". Do all your user entries include this
objectClass (inetuser)? If not, you should add this objectClass to all
the entries where you want the memberOf attribute to appear.
I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.
No. You should not add it manually, the memberOf attribute is
maintained automatically based on the group membership.
Do you see any message in error log? There should be something about
the impossibility to write the memberof attribute I think.
If you cannot add this attribute manually to your entry it means that
your entry does not contain "objectClass: inetuser". Add this
objectClass to all the entries that should be "managed" by the plug-in
to allow the attribute memberOf to be written to those entries.
I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.
No, you don't need to extend the schema but you need to make sure that
objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
'Auxiliary class which must be present in an entry for delivery of
subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
subscriber interoperability' )
So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John
Try to add the "objectClass: inetuser" to the entries concerned and
take a closer look to the "errors" log file.
@+
Post by Andrey Ivanov
Hi,
there are two things to be verified and/or taken into
* the pair of the attributes that is maintained (the arguments
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and
groups
To find fixup-memberof.pl try "locate fixup-memberof.pl".
To launch it manually you need to add something like that to the
dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)
As for your account, you may remove/add yourself from a group to see
if it changes the memberof attribute. Verify the objectClass of your
entry and make sure the attribute memberOf is an optional attribute of
at least one of these objectClasses...
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Andrey Ivanov
2009-05-22 06:31:19 UTC
Permalink
Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager"
-w - -h ldap uid=jasiii objectClass

It will list all the objectClasses of your entry. If "objectClass: inetUser"
is not present in the result of this search you should, as I said in the
previous message, add this objectClass to all the entries you're going to
manage with the memberOf plug-in, something like:

# modify the existing entry: add the auxiliary class that allows memberOf
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: modify
add: objectClass
objectClass: inetUser

Hope it helps.



2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
Post by John A. Sullivan III
I'm starting to feel really stupid here - still not working.
I thought the filter must be the problem for sure. I assumed from the
documentation that no filter meant the task would add the attribute for
everything that could take a memberOf attribute. I did not realize it
defaulted to inetuser. So I recreated the task with a filter of
(objectClass=inetOrgPerson) but it still did not seem to work.
I thought perhaps I was doing ldapmodify wrong (enter the parameters,
double enter, then CTL D) so I edited the fixup-memberof.pl script
according to Rich's instructions. It ran without error (by the way, it
reflects the admin password when using -w - !!!). But still no success.
Perhaps I am checking incorrectly. I did not expect to see memberOf
listed as an attribute in the advanced console screen for the user since
It should be visible as an attribute you can add (provided your entry has
"objectClass: inetUser")
Post by John A. Sullivan III
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=jasiii memberOf
Is this how I would check for success?
There is nothing suspicious in the error log. I do have the audit log
enabled. I see the creation and automatic deletion of the task but I do
not see any changes to objects to add and populate the memberOf
attribute. I'll paste in some excerpts below.
What next? Thanks - John
John A. Sullivan III
2009-05-22 12:02:19 UTC
Permalink
Ah, I did not do that as I thought the filter would make the change to
users with objectClass inetOrgPerson. I am virtually certain the users
do not explicitly have inetUser as an object class. Are they supposed
to? Is this done by default or is the need to add this object class to
all users in order to use memberOf missing from the documentation (or
overlooked by me!).

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount

Thanks - John
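The check discussed in this exchange, as an added example (not code from the thread or from the Directory Server project): it reads the inetUser definition quoted earlier to find which object classes permit memberOf, lists the entries in an ldapsearch LDIF dump that carry none of them, and writes the ldapmodify input that adds inetUser. The sample LDIF is constructed (uid=constructed1 is made up) and the function names are this example's own.

```python
import base64
import re

# inetUser definition as quoted in the thread (shipped in 20subscriber.ldif).
SCHEMA = [
    "objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC "
    "'Auxiliary class which must be present in an entry for delivery of "
    "subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ "
    "inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape "
    "subscriber interoperability' )",
]

# Constructed ldapsearch output. The first entry carries the object classes
# listed in the message above; the second is made up and shows a folded DN
# and a lower-case class name.
SAMPLE_LDIF = """\
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount

dn: uid=constructed1,ou=Users,o=client1,o=Internal,dc=ssiservices,
 dc=biz
objectClass: top
objectClass: inetOrgPerson
objectClass: inetuser
"""


def classes_allowing(attr, schema_lines):
    """Return lower-cased object class names whose MUST/MAY list has attr."""
    attr = attr.lower()
    allowed = {"extensibleobject"}  # extensibleObject permits any attribute
    for line in schema_lines:
        names = re.search(r"NAME\s+(?:'([^']+)'|\(([^)]*)\))", line)
        if not names:
            continue
        if names.group(1):
            class_names = [names.group(1)]
        else:
            class_names = re.findall(r"'([^']+)'", names.group(2))
        # Blank out quoted strings so words inside DESC cannot match below.
        bare = re.sub(r"'[^']*'", "''", line)
        attrs = set()
        for m in re.finditer(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|([\w.;-]+))", bare):
            body = m.group(1) if m.group(1) is not None else m.group(2)
            attrs.update(a.strip().lower() for a in body.split("$") if a.strip())
        if attr in attrs:
            allowed.update(n.lower() for n in class_names)
    return allowed


def parse_ldif(text):
    """Parse LDIF into [{'dn': ..., 'objectclass': [...]}, ...]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # a leading space continues the previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if key == "dn":
            current = {"dn": value, "objectclass": []}
            entries.append(current)
        elif current is not None and key == "objectclass":
            current["objectclass"].append(value)
    return entries


def entries_needing_class(entries, allowed):
    """DNs of entries with no object class that permits the attribute."""
    return [e["dn"] for e in entries
            if not {c.lower() for c in e["objectclass"]} & allowed]


def add_class_ldif(dns, cls="inetUser"):
    """ldapmodify input that adds the auxiliary class to existing entries."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {cls}\n"
        for dn in dns
    )


if __name__ == "__main__":
    allowed = classes_allowing("memberOf", SCHEMA)
    print(add_class_ldif(entries_needing_class(parse_ldif(SAMPLE_LDIF), allowed)))
```

To use it on real data, replace SAMPLE_LDIF with the output of the ldapsearch command from the thread (requesting objectClass) and SCHEMA with the objectClasses lines of the server's schema files.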
Post by Andrey Ivanov
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Post by Andrey Ivanov
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Andrey Ivanov
2009-05-22 20:59:13 UTC
Permalink
2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
Post by John A. Sullivan III
Ah, I did not do that as I thought the filter would make the change to
users with objectClass inetOrgPerson.
No. The filter just searches what you have in your directory
Post by John A. Sullivan III
I am virtually certain the users
do not explicitly have inetUser as an object class. Are they supposed
to?
Yes. The set of the attributes that your entry can hold is defined by the
classes listed in "objectClass". And the attribute memberOf is part of the
"inetUser" objectClass.
Post by John A. Sullivan III
Is this done by default or is the need to add this object class to
all users in order to use memberOf missing from the documentation (or
overlooked by me!).
No. It is not done by default, you need to add the "objectClass: inetUser"
(or any other objectClass containing the memberOf attribute) to each user
entry. You can make a small perl script that does for all your users
something like

-------------
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: modify
add: objectClass
objectClass: inetUser
-------------

You can test it with the GUI of the console for one or two user entries just
to be sure the attribute memberOf works as you wish...
Post by John A. Sullivan III
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
The origin of your problem is the absence of "objectClass: inetUser"
necessary to add memberOf attribute to the entry...
Post by John A. Sullivan III
Thanks - John
Post by Andrey Ivanov
Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii objectClass
It will list all the objectClasses of your entry. If "objectClass:
inetUser" is not present in the result of this search you should, as I
said in the previous message, add this objectClass to all the entries
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: modify
add: objectClass
objectClass: inetUser
Hope it helps.
2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
I'm starting to feel really stupid here - still not working.
I thought the filter must be the problem for sure. I assumed from the
documentation that no filter meant the task would add the attribute for
everything that could take a memberOf attribute. I did not realize it
defaulted to inetuser. So I recreated the task with a filter of
(objectClass=inetOrgPerson) but it still did not seem to work.
I thought perhaps I was doing ldapmodify wrong (enter the parameters,
double enter, then CTL D) so I edited the fixup-memberof.pl script
according to Rich's instructions. It ran without error (by the way, it
reflects the admin password when using -w - !!!). But still no success.
Perhaps I am checking incorrectly. I did not expect to see memberOf
listed as an attribute in the advanced console screen for the user since
it is a managed attribute. But I did try to view it with an
It should be visible as an attribute you can add (provided your entry
has "objectClass: inetUser")
/usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii memberOf
Is this how I would check for success?
There is nothing suspicious in the error log. I do have the audit log
enabled. I see the creation and automatic deletion of the task but I do
not see any changes to objects to add and populate the memberOf
attribute. I'll paste in some excerpts below.
What next? Thanks - John
time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z
time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z
time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
.
.
.
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z
time: 20090521183724
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
time: 20090521185804
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-
Post by Andrey Ivanov
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-memberOf.pl - just template.fixup-memberOf.pl :-(

It is very strange. Normally during the server installation the
template should be converted to the "normal" perl script.
Have you verified the configuration of the memberOf plugin, especially
the arguments/attributes "memberofgroupattr" and "memberofattr" ?

Unless I'm missing something, your ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the documentation
says it is optional and our dit is still rather small).

If you do not put the filter into the ldif then the default filter is
used : "(objectClass=inetuser)". Do all your user entries include this
objectClass (inetuser)? If not, you should add this objectClass to all
the entries where you want the memberOf attribute to appear.

I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.

No. You should not add it manually, the memberOf attribute is
maintained automatically based on the group membership.
Do you see any message in error log? There should be something about
the impossibility to write the memberof attribute I think.
If you cannot add this attribute manually to your entry it means that
your entry does not contain "objectClass: inetuser". Add this
objectClass to all the entries that should be "managed" by the plug-in
to allow the attribute memberOf to be written to that entries.

I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.

No, you don't need to extend the schema but you need to make sure that
objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary class which must be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape subscriber interoperability' )

So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John

Try to add the "objectClass: inetuser" to the entries concerned and
take a closer look to the "errors" log file.
@+

On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov
Hi,
there are two things to be verified and/or taken into
* the pair of the attributes that is maintained (the arguments
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and
groups
To find fixup-memberof.pl try "locate fixup-memberof.pl".
To launch it manually you need to add something like that to the
dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)
As for your account, you may remove/add yourself from a group to see
if it changes the memberof attribute. Verify the objectClass of your
entry and make sure the attribute memberOf is an optional attribute of
at least one of these objectClasses...
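An added example, not part of the original thread and not code from the 389/Fedora Directory Server project: one way to automate the checks discussed above, written in Python rather than the perl script suggested. It reads ldapsearch LDIF output, lists user entries that lack the inetUser class, emits the ldapmodify input to add it, and compares each user's memberOf values with what the group entries imply. The sample LDIF is constructed, and the default attribute names (`member` as the group attribute, `memberOf` as the maintained attribute) are assumptions to be replaced with the plug-in's configured "memberofgroupattr" and "memberofattr" values.

```python
import base64

# Constructed sample of ldapsearch LDIF output (not data from the thread).
SAMPLE_LDIF = """\
version: 1
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
memberOf: cn=admins,ou=Groups,dc=example,dc=com

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetuser

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=People,dc=example,dc=com
member: uid=carol,ou=People,
 dc=example,dc=com

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=bob,ou=People,dc=example,dc=com
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from LDIF search output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold an LDIF continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def norm_dn(dn):
    """Simplified DN normalisation; does not handle escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def audit(entries, user_class="inetOrgPerson", group_attr="member",
          allowing_class="inetUser", memberof_attr="memberOf"):
    """Return (users lacking allowing_class, {user dn: missing group DNs})."""
    user_class, group_attr = user_class.lower(), group_attr.lower()
    allowing_class, memberof_attr = allowing_class.lower(), memberof_attr.lower()
    users, expected = {}, {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if user_class in classes:
            users[norm_dn(dn)] = (dn, classes, attrs)
        for member in attrs.get(group_attr, []):
            expected.setdefault(norm_dn(member), set()).add(norm_dn(dn))
    need_class, missing = [], {}
    for key, (dn, classes, attrs) in sorted(users.items()):
        if allowing_class not in classes:
            need_class.append(dn)
        actual = {norm_dn(v) for v in attrs.get(memberof_attr, [])}
        gap = expected.get(key, set()) - actual
        if gap:
            missing[dn] = sorted(gap)
    return need_class, missing


def modify_ldif(dns, allowing_class="inetUser"):
    """ldapmodify input that adds the class to entries that already exist."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
        f"objectClass: {allowing_class}\n" for dn in dns)


if __name__ == "__main__":
    need, missing = audit(parse_ldif(SAMPLE_LDIF))
    print(modify_ldif(need))
    for dn, groups in missing.items():
        print(f"# {dn} lacks memberOf for: {', '.join(groups)}")
```

Running `audit` a second time with `group_attr="uniqueMember"` shows how the result changes when the groups store their members in a different attribute than the one the plug-in is configured to watch.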
John A. Sullivan III
2009-05-25 20:02:29 UTC
Permalink
Hmm . . . this made perfect sense and I thought it would be the end of
my problems for sure. However, I added inetUser, ran fixup_memberof.pl
and still see no memberOf populated attribute even if I ask for it
explicitly:

[root@ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap01 uid=jasiii
Enter bind password:
version: 1
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
objectClass: inetuser
physicalDeliveryOfficeName: Kennebunk
telephoneNumber: +1 (207) xxx-xxxx
mail: jsullivan at example.com
sn: Sullivan III
givenName: John A.
loginShell: /bin/bash
homeDirectory: /home/jasiii
gidNumber: 100001
uidNumber: 100001
cn: jasiii
uid: jasiii
userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg==
shadowLastChange: 14366
l: Kennebunk
postalCode: 04043-XXXX
postOfficeBox: PO Box XXX
st: ME
[root@ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap01 uid=jasiii memberOf
Enter bind password:
version: 1
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz

I then explicitly added the memberOf attribute to a user, created a
bogus group and added the user to the group. Still no memberOf. What
am I doing wrong? Thanks - John
Post by Andrey Ivanov
2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
Ah, I did not do that as I thought the filter would make the change to
users with objectClass inetOrgPerson.
No. The filter just searches what you have in your directory
I am virtually certain the users
do not explicitly have inetUser as an object class. Are they supposed
to?
Yes. The set of the attributes that your entry can hold is defined by
the classes listed in "objectClass". And the attribute memberOf is
part of the "inetUser" objectClass.
Is this done by default or is the need to add this object class to
all users in order to use memberOf missing from the
documentation (or
overlooked by me!).
inetUser" (or any other objectClass containing the memberOf attribute)
to each user entry. You can make a small perl script that does for all
your users something like
-------------
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: add
objectclass: inetUser
-------------
You can test it with the GUI of the console for one or two user
entries just to be sure the attribute memberOf works as you wish...
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
The origin of your problem is the absence of "objectClass: inetUser"
necessary to add memberOf attribute to the entry...
Thanks - John
Post by Andrey Ivanov
Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory
Post by Andrey Ivanov
Manager" -w - -h ldap uid=jasiii objectClass
It will list all the objectClasses of your entry. If
inetUser" is not present in the result of this search you
should, as i
Post by Andrey Ivanov
said in the previous message, add this objectClass to all
the entries
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
changetype: add
objectclass: inetUser
Hope it helps .
2009/5/22 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
I'm starting to feel really stupid here - still not
working.
Post by Andrey Ivanov
I thought the filter must be the problem for sure.
I assumed
Post by Andrey Ivanov
from the
documentation that no filter meant the task would
add the
Post by Andrey Ivanov
attribute for
everything that could take a memberOf attribute. I
did not
Post by Andrey Ivanov
realize it
defaulted to inetuser. So I recreated the task with
a filter
Post by Andrey Ivanov
of
(objectClass=inetOrgPerson) but it still did not
seem to work.
Post by Andrey Ivanov
I thought perhaps I was doing ldapmodify wrong
(enter the
Post by Andrey Ivanov
parameters,
double enter, then CTL D) so I edited the
fixup-memberof.pl
Post by Andrey Ivanov
script
according to Rich's instructions. It ran without
error (by
Post by Andrey Ivanov
the way, it
reflects the admin password when using -w - !!!).
But still
Post by Andrey Ivanov
no success.
Perhaps I am checking incorrectly. I did not expect
to see
Post by Andrey Ivanov
memberOf
listed as an attribute in the advanced console
screen for the
Post by Andrey Ivanov
user since
it is a managed attribute. But I did try to view it
with an
Post by Andrey Ivanov
It should be visible as an attribute you can add (provided
your entry
Post by Andrey Ivanov
has "objectClass: inetUser")
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz"
-D
Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap uid=jasiii memberOf
Is this how I would check for success?
There is nothing suspicious in the error log. I do
have the
Post by Andrey Ivanov
audit log
enabled. I see the creation and automatic deletion
of the
Post by Andrey Ivanov
task but I do
not see any changes to objects to add and populate
the
Post by Andrey Ivanov
memberOf
attribute. I'll paste in some excerpts below.
What next? Thanks - John
time: 20090520221132
dn: cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z
time: 20090520221333
dn: cn=fixmemberof,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
time: 20090520222242
dn: cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z
time: 20090520222442
dn: cn=fixmemberof,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
.
.
.
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23,
cn=memberOf task,
Post by Andrey Ivanov
cn=tasks,
cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z
time: 20090521183724
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof
task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
time: 20090521185804
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
Post by Andrey Ivanov
changetype: modify
replace: nsPreference
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
Post by Andrey Ivanov
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-
On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov
Post by Andrey Ivanov
2009/5/21 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
Thank you, Andrey. I did do an updatedb
and then
Post by Andrey Ivanov
locate - no
Post by Andrey Ivanov
fixup-member0f.pl - just
template.fixup-memberOf.pl :-(
Post by Andrey Ivanov
It is very strange. Normally during the server
installation
Post by Andrey Ivanov
the
Post by Andrey Ivanov
template should be converted to the "normal" perl
script.
Post by Andrey Ivanov
Post by Andrey Ivanov
Have you verified the configuration of the
memberOf plugin,
Post by Andrey Ivanov
especially
Post by Andrey Ivanov
the arguments/attributes "memberofgroupattr" and
"memberofattr" ?
Post by Andrey Ivanov
Unless I'm missing something, you're
ldapmodify
Post by Andrey Ivanov
looks just
Post by Andrey Ivanov
like mine
except for the cn (I believe the
documentation says
Post by Andrey Ivanov
it can be
Post by Andrey Ivanov
called
anything) and I did not use a filter
(again, I
Post by Andrey Ivanov
believe the
Post by Andrey Ivanov
documentation
says it is optional and our dit is still
rather
Post by Andrey Ivanov
small).
Post by Andrey Ivanov
If you do not put the filter into the ldif then
the default
Post by Andrey Ivanov
filter is
Post by Andrey Ivanov
used : "(objectClass=inetuser)". Do all your user
entries
Post by Andrey Ivanov
include this
Post by Andrey Ivanov
objectClass (inetuser)? If not, you should add
this
Post by Andrey Ivanov
objectClass to all
Post by Andrey Ivanov
the entries where you want the memberOf attribute
to appear.
Post by Andrey Ivanov
Post by Andrey Ivanov
I did create a new group and add myself to
it as you
Post by Andrey Ivanov
suggested
Post by Andrey Ivanov
(thank
you). Surprisingly, it did not appear to
work. I
Post by Andrey Ivanov
did not see
Post by Andrey Ivanov
a
memberOf attribute populated for me. I
then thought
Post by Andrey Ivanov
I would
Post by Andrey Ivanov
see if I
need to manually add that attribute to
each user (I
Post by Andrey Ivanov
hope not!)
Post by Andrey Ivanov
and I did
not see memberOf as an attribute I could
add to my
Post by Andrey Ivanov
user
Post by Andrey Ivanov
object.
No. You should not add it manually, the memberOf
attribute
Post by Andrey Ivanov
is
Post by Andrey Ivanov
maintained automatically based on the group
membership.
Post by Andrey Ivanov
Post by Andrey Ivanov
Do you see any message in error log? There should
be
Post by Andrey Ivanov
something about
Post by Andrey Ivanov
the impossibility to write the memberof attribute
i think.
Post by Andrey Ivanov
Post by Andrey Ivanov
If you cannot add this attribute manually to your
entry it
Post by Andrey Ivanov
means that
inetuser". Add
Post by Andrey Ivanov
this
Post by Andrey Ivanov
objectClass to all the entries that should be "managed" by the plug-in
to allow the attribute memberOf to be written to that entries.

I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.

No, you don't need to extend the schema but you need to make sure that

objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
'Auxiliary class which must be present in an entry for delivery of
subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
subscriber interoperability' )

So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John

Try to add the "objectClass: inetuser" to the entries concerned and
take a closer look to the "errors" log file.
@+

On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov
Hi,
there are two things to be verified and/or taken into
* the pair of the attributes that is maintained (the arguments
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and
groups

To find fixup-memberof.pl try "locate fixup-memberof.pl".

To launch it manually you need to add something like that to the

dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)

As for your account, you may remove/add yourself from a group to see
if it changes the memberof attribute. Verify the objectClass of your
entry and make sure the attribute memberOf is an optional attribute of
at least one of these objectClasses...
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Andrey Ivanov
2009-05-26 07:38:03 UTC
Permalink
If it still doesn't work, it's a matter of the plug-in configuration and
presence. Verify your dse.ldif. You should have something like

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: memberof plugin


The important parameters are:
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf

Other than that you may have the plug-in binaries missing...

2009/5/25 John A. Sullivan III <jsullivan at opensourcedevel.com>
Post by John A. Sullivan III
Hmm . . . this made perfect sense and I thought it would be the end of
my problems for sure. However, I added inetUser, ran fixup_memberof.pl
and still see no memberOf populated attribute even if I ask for it
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager"
-w - -h ldap01 uid=jasiii
version: 1
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
objectClass: inetuser
physicalDeliveryOfficeName: Kennebunk
telephoneNumber: +1 (207) xxx-xxxx
mail: jsullivan at example.com
sn: Sullivan III
givenName: John A.
loginShell: /bin/bash
homeDirectory: /home/jasiii
gidNumber: 100001
uidNumber: 100001
cn: jasiii
uid: jasiii
userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg==
shadowLastChange: 14366
l: Kennebunk
postalCode: 04043-XXXX
postOfficeBox: PO Box XXX
st: ME
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager"
-w - -h ldap01 uid=jasiii memberOf
version: 1
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
I then explicitly added the memberOf attribute to a user, created a
bogus group and added the user to the group. Still no memberOf. What
am I doing wrong? Thanks - John
Post by Andrey Ivanov
2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
Ah, I did not do that as I thought the filter would make the change to
users with objectClass inetOrgPerson.
No. The filter just searches what you have in your directory
I am virtually certain the users
do not explicitly have inetUser as an object class. Are they supposed
to?
Yes. The set of the attributes that your entry can hold is defined by
the classes listed in "objectClass". And the attribute memberOf is
part of the "inetUser" objectClass.
Is this done by default or is the need to add this object class to
all users in order to use memberOf missing from the
documentation (or
overlooked by me!).
inetUser" (or any other objectClass containing the memberOf attribute)
to each user entry. You can make a small perl script that does for all
your users something like
-------------
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: modify
add: objectClass
objectClass: inetUser
-------------
You can test it with the GUI of the console for one or two user
entries just to be sure the attribute memberOf works as you wish...
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
The origin of your problem is the absence of "objectClass: inetUser"
necessary to add memberOf attribute to the entry...
Thanks - John
Post by Andrey Ivanov
Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager"
-w - -h ldap uid=jasiii objectClass
It will list all the objectClasses of your entry. If
inetUser" is not present in the result of this search you should, as i
said in the previous message, add this objectClass to all the entries
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: modify
add: objectClass
objectClass: inetUser
Hope it helps .
2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
I'm starting to feel really stupid here - still not working.

I thought the filter must be the problem for sure. I assumed from the
documentation that no filter meant the task would add the attribute for
everything that could take a memberOf attribute. I did not realize it
defaulted to inetuser. So I recreated the task with a filter of
(objectClass=inetOrgPerson) but it still did not seem to work.

I thought perhaps I was doing ldapmodify wrong (enter the parameters,
double enter, then CTL D) so I edited the fixup-memberof.pl script
according to Rich's instructions. It ran without error (by the way, it
reflects the admin password when using -w - !!!). But still no success.

Perhaps I am checking incorrectly. I did not expect to see memberOf
listed as an attribute in the advanced console screen for the user since
it is a managed attribute. But I did try to view it with an

It should be visible as an attribute you can add (provided your entry
has "objectClass: inetUser")

/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager"
-w - -h ldap uid=jasiii memberOf

Is this how I would check for success?

There is nothing suspicious in the error log. I do have the audit log
enabled. I see the creation and automatic deletion of the task but I do
not see any changes to objects to add and populate the memberOf
attribute. I'll paste in some excerpts below.

What next? Thanks - John

time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z

time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z

time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
.
.
.
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z

time: 20090521183724
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

time: 20090521185804
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-

On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-member0f.pl - just template.fixup-memberOf.pl :-(

It is very strange. Normally during the server installation the
template should be converted to the "normal" perl script.

Have you verified the configuration of the memberOf plugin, especially
the arguments/attributes "memberofgroupattr" and "memberofattr" ?

Unless I'm missing something, your ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the
documentation says it is optional and our dit is still rather small).

If you do not put the filter into the ldif then the default filter is
used : "(objectClass=inetuser)". Do all your user entries include this
objectClass (inetuser)? If not, you should add this objectClass to all
the entries where you want the memberOf attribute to appear.

I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.

No. You should not add it manually, the memberOf attribute is
maintained automatically based on the group membership.

Do you see any message in error log? There should be something about
the impossibility to write the memberof attribute i think.

If you cannot add this attribute manually to your entry it means that
inetuser". Add this objectClass to all the entries that should be
"managed" by the plug-in to allow the attribute memberOf to be written
to that entries.

I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.

No, you don't need to extend the schema but you need to make sure that

objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
'Auxiliary class which must be present in an entry for delivery of
subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
subscriber interoperability' )

So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John

Try to add the "objectClass: inetuser" to the entries concerned and
take a closer look to the "errors" log file.
@+

On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov
Hi,
there are two things to be verified and/or taken into
* the pair of the attributes that is maintained (the arguments
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and
groups

To find fixup-memberof.pl try "locate fixup-memberof.pl".

To launch it manually you need to add something like that to the

dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)

As for your account, you may remove/add yourself from a group to see
if it changes the memberof attribute. Verify the objectClass of your
entry and make sure the attribute memberOf is an optional attribute of
at least one of these objectClasses...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20090526/3bb1ec33/attachment.html
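The checks discussed in the message above and in the replies it quotes (plug-in enabled, memberofgroupattr matching the attribute the groups actually use, inetUser present on the member entries) can be run offline against LDIF exports before launching the fixup task. This is an added example, not part of the original thread or of the Directory Server tooling; the function names, finding codes and sample LDIF are constructed, and inetUser is assumed to be the only class that allows memberOf, as in the schema line quoted in the thread.

```python
import base64

# Assumption: inetUser is the only class treated as allowing memberOf here,
# taken from the schema line quoted in the thread; extend the set as needed.
CLASSES_ALLOWING_MEMBEROF = {"inetuser"}
GROUP_ATTRS = ("member", "uniquemember")
PLUGIN_DN = "cn=memberof plugin,cn=plugins,cn=config"

# Constructed sample input (not taken from a real server).
BROKEN_CONFIG = """\
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: MemberOf Plugin
nsslapd-pluginEnabled: off
memberofgroupattr: member
memberofattr: memberOf
"""
WORKING_CONFIG = BROKEN_CONFIG.replace("Enabled: off", "Enabled: on").replace(
    "groupattr: member", "groupattr: uniqueMember")
DATA = """\
dn: cn=testgroup,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: testgroup
uniqueMember: uid=alice,ou=People,
 dc=example,dc=com

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
"""


def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized_dn: {lowercased_attr: [values]}} from LDIF text."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None  # a blank line ends the record
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def check_memberof(config_ldif, data_ldif):
    """Return sorted (finding_code, dn) pairs explaining why memberOf stays empty."""
    config, data = parse_ldif(config_ldif), parse_ldif(data_ldif)
    plugin = config.get(PLUGIN_DN)
    if plugin is None:
        return [("plugin-entry-missing", PLUGIN_DN)]
    findings = []
    if plugin.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
        findings.append(("plugin-disabled", PLUGIN_DN))
    group_attr = plugin.get("memberofgroupattr", [""])[0].lower()
    if not group_attr:
        findings.append(("group-attr-unset", PLUGIN_DN))
    members = set()
    for dn, attrs in data.items():
        used = [a for a in GROUP_ATTRS if a in attrs]
        if not used:
            continue  # not a group entry
        if group_attr not in used:
            # The plug-in watches an attribute this group does not use.
            findings.append(("group-attr-mismatch", dn))
        for attr in used:
            members.update(norm_dn(v) for v in attrs[attr])
    for dn in members:
        entry = data.get(dn)
        if entry is None:
            findings.append(("member-not-in-export", dn))
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes & CLASSES_ALLOWING_MEMBEROF:
            # Schema would reject the memberOf write on this entry.
            findings.append(("missing-objectclass", dn))
    return sorted(findings)


if __name__ == "__main__":
    for code, dn in check_memberof(BROKEN_CONFIG, DATA):
        print(code, dn)
```

An empty result means none of the three conditions from the thread applies to the exported entries; it does not prove the plug-in binaries are present on the server.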
John A. Sullivan III
2009-05-26 10:43:02 UTC
Permalink
Very interesting. The shipping dse.ldif which the instructions say to
use as a template to edit the 8.0 dse.ldif has memberofgroupattr: member

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginpath: libmemberof-plugin
nsslapd-plugininitfunc: memberof_postop_init
nsslapd-plugintype: postoperation
nsslapd-pluginenabled: off
nsslapd-plugin-depends-on-type: database
memberOfGroupAttr: member
memberOfAttr: memberOf

When I changed it to uniqueMember, it worked!

So it looks like there are several issues/errors/bugs in the
instructions and procedures for upgrading from 8.0 to 8.1

1. The memberOf plugin is enabled by default and needs to be
manually enabled (not really a bug but it is mentioned nowhere
in the docs that I saw)
2. One must manually add the inetuser to each object with which one
wishes to use the plugin. This does not appear to be a default
objectClass for user creation - at least in 8.0
3. One must change the default memberofgroupattr from member to
uniqueMember
4. The fixup-memberof.pl script is not generated from the template.

Thanks very much for your help - John
Post by Andrey Ivanov
If it still doesn't work, it's a matter of the plug-in configuration
and presence. Verify your dse.ldif. You should have something like
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: memberof plugin
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf
Other than that you may have the plug-in binaries missing...
2009/5/25 John A. Sullivan III <jsullivan at opensourcedevel.com>
Hmm . . . this made perfect sense and I thought it would be the end of
my problems for sure. However, I added inetUser, ran
fixup_memberof.pl
and still see no memberOf populated attribute even if I ask for it
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory Manager" -w - -h ldap01 uid=jasiii
version: 1
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
objectClass: inetuser
physicalDeliveryOfficeName: Kennebunk
telephoneNumber: +1 (207) xxx-xxxx
mail: jsullivan at example.com
sn: Sullivan III
givenName: John A.
loginShell: /bin/bash
homeDirectory: /home/jasiii
gidNumber: 100001
uidNumber: 100001
cn: jasiii
uid: jasiii
userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg==
shadowLastChange: 14366
l: Kennebunk
postalCode: 04043-XXXX
postOfficeBox: PO Box XXX
st: ME
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory Manager" -w - -h ldap01 uid=jasiii memberOf
version: 1
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
I then explicitly added the memberOf attribute to a user, created a
bogus group and added the user to the group. Still no
memberOf. What
am I doing wrong? Thanks - John
Post by Andrey Ivanov
2009/5/22 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
Ah, I did not do that as I thought the filter would
make the
Post by Andrey Ivanov
change to
users with objectClass inetOrgPerson.
No. The filter just searches what you have in your directory
I am virtually certain the users
do not explicitly have inetUser as an object class.
Are they
Post by Andrey Ivanov
supposed
to?
Yes. The set of the attributes that your entry can hold is
defined by
Post by Andrey Ivanov
the classes listed in "objectClass". And the attribute
memberOf is
Post by Andrey Ivanov
part of the "inetUser" objectClass.
Is this done by default or is the need to add this
object
Post by Andrey Ivanov
class to
all users in order to use memberOf missing from the
documentation (or
overlooked by me!).
No. It is not done by default, you need to add the
inetUser" (or any other objectClass containing the memberOf
attribute)
Post by Andrey Ivanov
to each user entry. You can make a small perl script that
does for all
Post by Andrey Ivanov
your users something like
-------------
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
changetype: add
objectclass: inetUser
-------------
You can test it with the GUI of the console for one or two
user
Post by Andrey Ivanov
entries just to be sure the attribute memberOf works as you
wish...
Post by Andrey Ivanov
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
inetUser"
Post by Andrey Ivanov
necessary to add memberOf attribute to the entry...
Thanks - John
On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov
Post by Andrey Ivanov
Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz"
-D
Post by Andrey Ivanov
"cn=Directory
Post by Andrey Ivanov
Manager" -w - -h ldap uid=jasiii objectClass
It will list all the objectClasses of your entry.
If
Post by Andrey Ivanov
Post by Andrey Ivanov
inetUser" is not present in the result of this
search you
Post by Andrey Ivanov
should, as i
Post by Andrey Ivanov
said in the previous message, add this objectClass
to all
Post by Andrey Ivanov
the entries
Post by Andrey Ivanov
you're going to manage with memberOf plug-in, smth
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
Post by Andrey Ivanov
changetype: add
objectclass: inetUser
Hope it helps .
2009/5/22 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
I'm starting to feel really stupid here -
still not
Post by Andrey Ivanov
working.
Post by Andrey Ivanov
I thought the filter must be the problem
for sure.
Post by Andrey Ivanov
I assumed
Post by Andrey Ivanov
from the
documentation that no filter meant the
task would
Post by Andrey Ivanov
add the
Post by Andrey Ivanov
attribute for
everything that could take a memberOf
attribute. I
Post by Andrey Ivanov
did not
Post by Andrey Ivanov
realize it
defaulted to inetuser. So I recreated the
task with
Post by Andrey Ivanov
a filter
Post by Andrey Ivanov
of
(objectClass=inetOrgPerson) but it still
did not
Post by Andrey Ivanov
seem to work.
Post by Andrey Ivanov
I thought perhaps I was doing ldapmodify
wrong
Post by Andrey Ivanov
(enter the
Post by Andrey Ivanov
parameters,
double enter, then CTL D) so I edited the
fixup-memberof.pl
Post by Andrey Ivanov
script
according to Rich's instructions. It ran
without
Post by Andrey Ivanov
error (by
Post by Andrey Ivanov
the way, it
reflects the admin password when using -w
- !!!).
Post by Andrey Ivanov
But still
Post by Andrey Ivanov
no success.
Perhaps I am checking incorrectly. I did
not expect
Post by Andrey Ivanov
to see
Post by Andrey Ivanov
memberOf
listed as an attribute in the advanced
console
Post by Andrey Ivanov
screen for the
Post by Andrey Ivanov
user since
it is a managed attribute. But I did try
to view it
Post by Andrey Ivanov
with an
Post by Andrey Ivanov
It should be visible as an attribute you can add
(provided
Post by Andrey Ivanov
your entry
Post by Andrey Ivanov
has "objectClass: inetUser")
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz"
Post by Andrey Ivanov
-D
Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap uid=jasiii memberOf
Is this how I would check for success?
There is nothing suspicious in the error
log. I do
Post by Andrey Ivanov
have the
Post by Andrey Ivanov
audit log
enabled. I see the creation and automatic
deletion
Post by Andrey Ivanov
of the
Post by Andrey Ivanov
task but I do
not see any changes to objects to add and
populate
Post by Andrey Ivanov
the
Post by Andrey Ivanov
memberOf
attribute. I'll paste in some excerpts
below.
Post by Andrey Ivanov
Post by Andrey Ivanov
What next? Thanks - John
time: 20090520221132
dn: cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z
time: 20090520221333
dn: cn=fixmemberof,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: delete
cn=server,cn=plugins,cn=config
Post by Andrey Ivanov
Post by Andrey Ivanov
time: 20090520222242
dn: cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z
time: 20090520222442
dn: cn=fixmemberof,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: delete
cn=server,cn=plugins,cn=config
Post by Andrey Ivanov
Post by Andrey Ivanov
.
.
.
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23,
cn=memberOf task,
Post by Andrey Ivanov
cn=tasks,
cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z
time: 20090521183724
cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof
Post by Andrey Ivanov
Post by Andrey Ivanov
task,cn=tasks,cn=config
changetype: delete
cn=server,cn=plugins,cn=config
Post by Andrey Ivanov
Post by Andrey Ivanov
time: 20090521185804
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
Post by Andrey Ivanov
Post by Andrey Ivanov
changetype: modify
replace: nsPreference
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
Post by Andrey Ivanov
Post by Andrey Ivanov
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-
On Thu, 2009-05-21 at 15:59 +0200, Andrey
Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
2009/5/21 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
Thank you, Andrey. I did do an
updatedb
Post by Andrey Ivanov
and then
Post by Andrey Ivanov
locate - no
Post by Andrey Ivanov
fixup-member0f.pl - just
template.fixup-memberOf.pl :-(
Post by Andrey Ivanov
It is very strange. Normally during the
server
Post by Andrey Ivanov
installation
Post by Andrey Ivanov
the
Post by Andrey Ivanov
template should be converted to the
"normal" perl
Post by Andrey Ivanov
script.
Post by Andrey Ivanov
Post by Andrey Ivanov
Have you verified the configuration of
the
Post by Andrey Ivanov
memberOf plugin,
Post by Andrey Ivanov
especially
Post by Andrey Ivanov
the arguments/attributes
"memberofgroupattr" and
Post by Andrey Ivanov
Post by Andrey Ivanov
"memberofattr" ?
Post by Andrey Ivanov
Unless I'm missing something,
you're
Post by Andrey Ivanov
ldapmodify
Post by Andrey Ivanov
looks just
Post by Andrey Ivanov
like mine
except for the cn (I believe the
documentation says
Post by Andrey Ivanov
it can be
Post by Andrey Ivanov
called
anything) and I did not use a
filter
Post by Andrey Ivanov
(again, I
Post by Andrey Ivanov
believe the
Post by Andrey Ivanov
documentation
says it is optional and our dit
is still
Post by Andrey Ivanov
rather
Post by Andrey Ivanov
small).
Post by Andrey Ivanov
If you do not put the filter into the
ldif then
Post by Andrey Ivanov
the default
Post by Andrey Ivanov
filter is
Post by Andrey Ivanov
used : "(objectClass=inetuser)". Do all
your user
Post by Andrey Ivanov
entries
Post by Andrey Ivanov
include this
Post by Andrey Ivanov
objectClass (inetuser)? If not, you
should add
Post by Andrey Ivanov
this
Post by Andrey Ivanov
objectClass to all
Post by Andrey Ivanov
the entries where you want the memberOf
attribute
Post by Andrey Ivanov
to appear.
Post by Andrey Ivanov
Post by Andrey Ivanov
I did create a new group and add
myself to
Post by Andrey Ivanov
it as you
Post by Andrey Ivanov
suggested
Post by Andrey Ivanov
(thank
you). Surprisingly, it did not
appear to
Post by Andrey Ivanov
work. I
Post by Andrey Ivanov
did not see
Post by Andrey Ivanov
a
memberOf attribute populated for
me. I
Post by Andrey Ivanov
then thought
Post by Andrey Ivanov
I would
Post by Andrey Ivanov
see if I
need to manually add that
attribute to
Post by Andrey Ivanov
each user (I
Post by Andrey Ivanov
hope not!)
Post by Andrey Ivanov
and I did
not see memberOf as an attribute
I could
Post by Andrey Ivanov
add to my
Post by Andrey Ivanov
user
Post by Andrey Ivanov
object.
No. You should not add it manually, the
memberOf
Post by Andrey Ivanov
attribute
Post by Andrey Ivanov
is
Post by Andrey Ivanov
maintained automatically based on the
group
Post by Andrey Ivanov
membership.
Post by Andrey Ivanov
Post by Andrey Ivanov
Do you see any message in error log?
There should
Post by Andrey Ivanov
be
Post by Andrey Ivanov
something about
Post by Andrey Ivanov
the impossibility to write the memberof
attribute
Post by Andrey Ivanov
i think.
Post by Andrey Ivanov
Post by Andrey Ivanov
If you cannot add this attribute
manually to your
Post by Andrey Ivanov
entry it
Post by Andrey Ivanov
means that
Post by Andrey Ivanov
your entry does not containe
inetuser". Add
Post by Andrey Ivanov
this
Post by Andrey Ivanov
objectClass to all the entries that
should be
Post by Andrey Ivanov
"managed" by
Post by Andrey Ivanov
the plug-in
Post by Andrey Ivanov
to allow the attribute memberOf to be
written to
Post by Andrey Ivanov
that
Post by Andrey Ivanov
entries.
Post by Andrey Ivanov
I have verified that the plugin
is defined
Post by Andrey Ivanov
in
Post by Andrey Ivanov
dse.ldif and it
Post by Andrey Ivanov
is
enabled. I also see memberOf
defined in
Post by Andrey Ivanov
Post by Andrey Ivanov
20subscriber.ldif and
Post by Andrey Ivanov
did not
see anything in the
documentation about
Post by Andrey Ivanov
needing to
Post by Andrey Ivanov
extend the
Post by Andrey Ivanov
schema.
No, you don't need to extend the schema
but you
Post by Andrey Ivanov
need to make
Post by Andrey Ivanov
sure that
Post by Andrey Ivanov
your entries include the objectClass
( 2.16.840.1.113730.3.2.130 NAME
Post by Andrey Ivanov
'inetUser'
Post by Andrey Ivanov
DESC
Post by Andrey Ivanov
'Auxiliary class which must be present
in an entry
Post by Andrey Ivanov
for
Post by Andrey Ivanov
delivery of
Post by Andrey Ivanov
subscriber services' SUP top AUXILIARY
MAY ( uid $
Post by Andrey Ivanov
Post by Andrey Ivanov
inetUserStatus $
Post by Andrey Ivanov
inetUserHTTPURL $ userPassword $
memberOf )
Post by Andrey Ivanov
X-ORIGIN
Post by Andrey Ivanov
'Netscape
Post by Andrey Ivanov
subscriber interoperability' )
So, at this point, I am still at
a loss
Post by Andrey Ivanov
for what I
Post by Andrey Ivanov
did wrong.
Post by Andrey Ivanov
What do I
check next? Thanks - John
Try to add the "objectClass: inetuser"
to the
Post by Andrey Ivanov
entries
Post by Andrey Ivanov
concerned and
Post by Andrey Ivanov
take a closer look to the "errors" log
file.
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
@+
On Thu, 2009-05-21 at 12:59
+0200, Andrey
Post by Andrey Ivanov
Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Hi,
there are two things to be
verified
Post by Andrey Ivanov
and/or taken
Post by Andrey Ivanov
into
Post by Andrey Ivanov
Post by Andrey Ivanov
* the pair of the attributes
that is
Post by Andrey Ivanov
maintained
Post by Andrey Ivanov
(the
Post by Andrey Ivanov
arguments
Post by Andrey Ivanov
"memberofgroupattr" and
"memberofattr"
Post by Andrey Ivanov
of the
Post by Andrey Ivanov
plug-in)
Post by Andrey Ivanov
Post by Andrey Ivanov
* presence of these two
attributes in
Post by Andrey Ivanov
the classes
Post by Andrey Ivanov
of your
Post by Andrey Ivanov
users and
Post by Andrey Ivanov
groups
To find fixup-memberof.pl try
"locate
Post by Andrey Ivanov
Post by Andrey Ivanov
fixup-memberof.pl".
Post by Andrey Ivanov
Post by Andrey Ivanov
To launch it manually you
need to add
Post by Andrey Ivanov
something
Post by Andrey Ivanov
like that
Post by Andrey Ivanov
to the
cn=memberOf_fixup_2009_5_21_12_39_21,
Post by Andrey Ivanov
cn=memberOf task,
Post by Andrey Ivanov
cn=tasks,
Post by Andrey Ivanov
cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
memberOf_fixup_2009_5_21_12_39_21
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
basedn: dc=example,dc=com
(objectClass=inetOrgPerson)
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
As for your account, you may
remove/add
Post by Andrey Ivanov
yourself
Post by Andrey Ivanov
from a
Post by Andrey Ivanov
group to see
Post by Andrey Ivanov
if it changes the memberof
attribute.
Post by Andrey Ivanov
Verify the
Post by Andrey Ivanov
objectClass
Post by Andrey Ivanov
of your
Post by Andrey Ivanov
entry and make sure the
attribute
Post by Andrey Ivanov
memberOf is an
Post by Andrey Ivanov
optional
Post by Andrey Ivanov
attribute of
Post by Andrey Ivanov
at least one of these
objectClasses...
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
2009/5/21 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
Hello, all. We are in
the
Post by Andrey Ivanov
process of
Post by Andrey Ivanov
upgrading from
Post by Andrey Ivanov
8.0 to
Post by Andrey Ivanov
8.1. We've
hit a few glitches
along the way
Post by Andrey Ivanov
but most
Post by Andrey Ivanov
has gone
Post by Andrey Ivanov
well.
Post by Andrey Ivanov
However, we
wanted to implement
the new
Post by Andrey Ivanov
memberOf
Post by Andrey Ivanov
functionality.
Post by Andrey Ivanov
We
Post by Andrey Ivanov
successfully
added the plugin by
editing
Post by Andrey Ivanov
dse.ldif and
Post by Andrey Ivanov
enabled it
Post by Andrey Ivanov
from the
Post by Andrey Ivanov
console.
However, we've been
unsuccessful
Post by Andrey Ivanov
in having
Post by Andrey Ivanov
existing
Post by Andrey Ivanov
group
Post by Andrey Ivanov
membership
assigned to the
memberOf
Post by Andrey Ivanov
attribute.
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
We first tried to run
fixup-memberOf.pl
Post by Andrey Ivanov
but the
Post by Andrey Ivanov
script does
Post by Andrey Ivanov
not exist.
There is a
template.fixup-memberOf.pl but
Post by Andrey Ivanov
this does
Post by Andrey Ivanov
not seem
Post by Andrey Ivanov
to have
been built into a
final script.
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
We then thought we
would use the
Post by Andrey Ivanov
new task
Post by Andrey Ivanov
feature of
Post by Andrey Ivanov
the
Post by Andrey Ivanov
console. We
went to cn=memberof
task,cn=tasks,cn=config and
Post by Andrey Ivanov
tried to
Post by Andrey Ivanov
create the task
object. There was no
nsDirectoryServerTask
Post by Andrey Ivanov
objectclass. We
Post by Andrey Ivanov
added an
nstask but then found
there was
Post by Andrey Ivanov
no basedn
Post by Andrey Ivanov
attribute
Post by Andrey Ivanov
we could
Post by Andrey Ivanov
add. We
then created an
extensibleobject
Post by Andrey Ivanov
instead
Post by Andrey Ivanov
but still
Post by Andrey Ivanov
not basedn
Post by Andrey Ivanov
attribute.
Finally, we resorted
to
Post by Andrey Ivanov
ldapmodify (we
Post by Andrey Ivanov
hesitated
Post by Andrey Ivanov
just because
Post by Andrey Ivanov
we are not
very familiar with the
command
Post by Andrey Ivanov
line
Post by Andrey Ivanov
tools). First,
cn=fixMemberOf,cn=memberof
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: add
objectclass: top
extensibleObject
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
cn: fixMemberOf
o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
The Internal
Organization has
Post by Andrey Ivanov
several
Post by Andrey Ivanov
organizations
Post by Andrey Ivanov
under it
Post by Andrey Ivanov
(for
various clients) and
then user
Post by Andrey Ivanov
Post by Andrey Ivanov
organizational units
Post by Andrey Ivanov
under
Post by Andrey Ivanov
those
organizations.
Although it
Post by Andrey Ivanov
generated no
Post by Andrey Ivanov
errors, it
Post by Andrey Ivanov
did not
Post by Andrey Ivanov
seem to
work. Perhaps I just
don't know
Post by Andrey Ivanov
how to
Post by Andrey Ivanov
test it.
Post by Andrey Ivanov
However, the
Post by Andrey Ivanov
following
did not return an
/usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap
uid=myid
Post by Andrey Ivanov
memberOf
Doing /usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap
uid=myid
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
showed me plenty of
attributes
Post by Andrey Ivanov
but nothing
Post by Andrey Ivanov
for
Post by Andrey Ivanov
memberOf
Post by Andrey Ivanov
I also tried creating
the task
Post by Andrey Ivanov
with a
Post by Andrey Ivanov
basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
in case it
Post by Andrey Ivanov
did not
change objects lower
in the
Post by Andrey Ivanov
tree. Still
Post by Andrey Ivanov
no success.
cn=fixMemberOf,cn=memberof
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
task,cn=tasks,cn=config
Post by Andrey Ivanov
changetype: add
objectclass: top
nsDirectoryServerTask
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
cn: fixMemberOf
o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
adding new entry
cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
ldap_add: Object class
violation
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
ldap_add: additional
unknown object
Post by Andrey Ivanov
class
"nsDirectoryServerTask"
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
And received the
expected
Post by Andrey Ivanov
unknown object
Post by Andrey Ivanov
class
Post by Andrey Ivanov
error.
Post by Andrey Ivanov
What are we doing
wrong? Are
Post by Andrey Ivanov
these
Post by Andrey Ivanov
documentation
Post by Andrey Ivanov
bugs? Are
Post by Andrey Ivanov
there
application bugs or do
we simply
Post by Andrey Ivanov
not know
Post by Andrey Ivanov
what we
Post by Andrey Ivanov
are doing
Post by Andrey Ivanov
with tasks
and memberOf? How do
we get the
Post by Andrey Ivanov
memberOf
Post by Andrey Ivanov
information
Post by Andrey Ivanov
into our
Post by Andrey Ivanov
existing
user objects? Thanks -
John
<snip>
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
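
The three checks this thread converged on (plug-in enabled, memberOfGroupAttr matching the attribute the groups actually use, and member entries carrying an objectClass that allows memberOf) can be run offline against an LDIF export before launching the fixup task. The Python script below is an added example, not part of the original messages or of the directory server itself; the sample LDIF, the finding codes and the assumption that inetUser is the only class allowing memberOf are constructed for illustration.

```python
import base64

# Constructed sample export (not from a real server): plug-in entry with the
# grouping attribute "member", one groupOfUniqueNames group, and two users.
SAMPLE_LDIF = """\
version: 1

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: MemberOf Plugin
nsslapd-pluginEnabled: on
memberOfGroupAttr: member
memberOfAttr: memberOf

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: staff
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob, ou=People, dc=example,
 dc=com

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
"""

# Assumption: inetUser is the only class in use that allows memberOf, as in the
# schema quoted in the thread. Add local classes here if your schema differs.
CLASSES_ALLOWING = {"memberof": {"inetuser"}}
GROUP_ATTRS = ("member", "uniquemember")  # attributes treated as "this is a group"


def norm_dn(dn):
    """Lower-case a DN and trim spaces around commas (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


PLUGIN_DN = norm_dn("cn=MemberOf Plugin,cn=plugins,cn=config")


def parse_ldif(text):
    """Parse LDIF content records into {normalized_dn: {attr_lower: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]  # folded line: continuation of the previous one
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None  # a blank line ends the record
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def diagnose(entries):
    """Return (code, dn) findings explaining why memberOf would stay empty."""
    plugin = entries.get(PLUGIN_DN)
    if plugin is None:
        return [("plugin-missing", PLUGIN_DN)]
    findings = []
    if plugin.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
        findings.append(("plugin-disabled", PLUGIN_DN))
    group_attr = plugin.get("memberofgroupattr", [""])[0].lower()
    member_attr = plugin.get("memberofattr", [""])[0].lower()
    allowed = CLASSES_ALLOWING.get(member_attr, set())
    for dn, entry in entries.items():
        used = [a for a in GROUP_ATTRS if a in entry]
        if not used:
            continue
        if group_attr not in entry:
            # The plug-in only watches group_attr, so this group is invisible to it.
            findings.append(("group-attr-mismatch", dn))
        for member in (m for a in used for m in entry[a]):
            target = entries.get(norm_dn(member))
            if target is None:
                continue  # member entry is not part of this export
            classes = {c.lower() for c in target.get("objectclass", [])}
            finding = ("missing-objectclass", norm_dn(member))
            if not classes & allowed and finding not in findings:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for code, dn in diagnose(parse_ldif(SAMPLE_LDIF)):
        print(f"{code}: {dn}")
```

On the constructed sample it reports the group whose uniqueMember values the plug-in never looks at, and the one user entry that could not hold memberOf even after the grouping attribute is corrected.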
Nathan Kinder
2009-05-26 17:15:56 UTC
Post by John A. Sullivan III
Very interesting. The shipping dse.ldif which the instructions say to
use as a template to edit the 8.0 dse.ldif has memberofgroupattr: member

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginpath: libmemberof-plugin
nsslapd-plugininitfunc: memberof_postop_init
nsslapd-plugintype: postoperation
nsslapd-pluginenabled: off
nsslapd-plugin-depends-on-type: database
memberOfGroupAttr: member
memberOfAttr: memberOf

When I changed it to uniqueMember, it worked!

So it looks like there are several issues/errors/bugs in the
instructions and procedures for upgrading from 8.0 to 8.1
1. The memberOf plugin is enabled by default and needs to be
manually enabled (not really a bug but it is mentioned nowhere
in the docs that I saw)
2. One must manually add the inetuser to each object with which one
wishes to use the plugin. This does not appear to be a default
objectClass for user creation - at least in 8.0

It all depends on how you provision your users, and what attributes you
are using (they don't have to be "member" and "memberOf"). It is up to
the administrator to use the proper objectclass that allows the
attribute defined as the "memberOfAttr" config value in the member
entries.

Post by John A. Sullivan III
3. One must change the default memberofgroupattr from member to
uniqueMember

This is going to depend on the attribute you use to define grouping.
Some use the "groupOfNames" objectclass for a group entry, which uses
the "member" attribute to define members. It appears that you are using
"groupOfUniqueNames", which uses "uniqueMember". The memberOf plug-in
allows you to use whatever attributes you want for both the grouping
attribute as well as the membership attribute. In fact, the plug-in
could be used for things completely unrelated to membership.

Post by John A. Sullivan III
4. The fixup-memberof.pl script is not generated from the template.

Yes, this appears to be a bug related to in-place upgrades. Please file
a bug on this.

Post by John A. Sullivan III
Thanks very much for your help - John
Post by Andrey Ivanov
If it still doesn't work, it's a matter of the plug-in configuration
and presence. Verify your dse.ldif. You shoud have something like
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: memberof plugin
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf
Other than that you may have the plug-in binaries missing...
2009/5/25 John A. Sullivan III <jsullivan at opensourcedevel.com>
Hmm . . . this made perfect sense and I thought it would be the end of
my problems for sure. However, I added inetUser, ran
fixup_memberof.pl
and still see no memberOf populated attribute even if I ask for it
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory Manager" -w - -h ldap01 uid=jasiii
version: 1
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
objectClass: inetuser
physicalDeliveryOfficeName: Kennebunk
telephoneNumber: +1 (207) xxx-xxxx
mail: jsullivan at example.com
sn: Sullivan III
givenName: John A.
loginShell: /bin/bash
homeDirectory: /home/jasiii
gidNumber: 100001
uidNumber: 100001
cn: jasiii
uid: jasiii
userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg==
shadowLastChange: 14366
l: Kennebunk
postalCode: 04043-XXXX
postOfficeBox: PO Box XXX
st: ME
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory Manager" -w - -h ldap01 uid=jasiii memberOf
version: 1
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
I then explicitly added the memberOf attribute to a user, created a
bogus group and added the user to the group. Still no memberOf. What
am I doing wrong? Thanks - John
Post by Andrey Ivanov
2009/5/22 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
Ah, I did not do that as I thought the filter would
make the
Post by Andrey Ivanov
change to
users with objectClass inetOrgPerson.
No. The filter just searches what you have in your directory
I am virtually certain the users
do not explicitly have inetUser as an object class.
Are they
Post by Andrey Ivanov
supposed
to?
Yes. The set of the attributes that your entry can hold is
defined by
Post by Andrey Ivanov
the classes listed in "objectClass". And the attribute
memberOf is
Post by Andrey Ivanov
part of the "inetUser" objectClass.
Is this done by default or is the need to add this
object
Post by Andrey Ivanov
class to
all users in order to use memberOf missing from the
documentation (or
overlooked by me!).
No. It is not done by default, you need to add the
inetUser" (or any other objectClass containing the memberOf
attribute)
Post by Andrey Ivanov
to each user entry. You can make a small perl script that
does for all
Post by Andrey Ivanov
your users something like
-------------
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
changetype: add
objectclass: inetUser
-------------
You can test it with the GUI of the console for one or two
user
Post by Andrey Ivanov
entries just to be sure the attribute memberOf works as you
wish...
Post by Andrey Ivanov
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
inetUser"
Post by Andrey Ivanov
necessary to add memberOf attribute to the entry...
Thanks - John
On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov
Post by Andrey Ivanov
Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz"
-D
Post by Andrey Ivanov
"cn=Directory
Post by Andrey Ivanov
Manager" -w - -h ldap uid=jasiii objectClass
It will list all the objectClasses of your entry.
If
Post by Andrey Ivanov
Post by Andrey Ivanov
inetUser" is not present in the result of this
search you
Post by Andrey Ivanov
should, as i
Post by Andrey Ivanov
said in the previous message, add this objectClass
to all
Post by Andrey Ivanov
the entries
Post by Andrey Ivanov
you're going to manage with memberOf plug-in, smth
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
Post by Andrey Ivanov
Post by Andrey Ivanov
changetype: add
objectclass: inetUser
Hope it helps .
2009/5/22 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
I'm starting to feel really stupid here -
still not
Post by Andrey Ivanov
working.
Post by Andrey Ivanov
I thought the filter must be the problem
for sure.
Post by Andrey Ivanov
I assumed
Post by Andrey Ivanov
from the
documentation that no filter meant the
task would
Post by Andrey Ivanov
add the
Post by Andrey Ivanov
attribute for
everything that could take a memberOf
attribute. I
Post by Andrey Ivanov
did not
Post by Andrey Ivanov
realize it
defaulted to inetuser. So I recreated the
task with
Post by Andrey Ivanov
a filter
Post by Andrey Ivanov
of
(objectClass=inetOrgPerson) but it still
did not
Post by Andrey Ivanov
seem to work.
Post by Andrey Ivanov
I thought perhaps I was doing ldapmodify
wrong
Post by Andrey Ivanov
(enter the
Post by Andrey Ivanov
parameters,
double enter, then CTL D) so I edited the
fixup-memberof.pl
Post by Andrey Ivanov
script
according to Rich's instructions. It ran
without
Post by Andrey Ivanov
error (by
Post by Andrey Ivanov
the way, it
reflects the admin password when using -w
- !!!).
Post by Andrey Ivanov
But still
Post by Andrey Ivanov
no success.
Perhaps I am checking incorrectly. I did
not expect
Post by Andrey Ivanov
to see
Post by Andrey Ivanov
memberOf
listed as an attribute in the advanced
console
Post by Andrey Ivanov
screen for the
Post by Andrey Ivanov
user since
it is a managed attribute. But I did try
to view it
Post by Andrey Ivanov
with an
Post by Andrey Ivanov
It should be visible as an attribute you can add
(provided
Post by Andrey Ivanov
your entry
Post by Andrey Ivanov
has "objectClass: inetUser")
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz"
Post by Andrey Ivanov
-D
Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap uid=jasiii memberOf
Is this how I would check for success?
There is nothing suspicious in the error
log. I do
Post by Andrey Ivanov
have the
Post by Andrey Ivanov
audit log
enabled. I see the creation and automatic
deletion
Post by Andrey Ivanov
of the
Post by Andrey Ivanov
task but I do
not see any changes to objects to add and
populate
Post by Andrey Ivanov
the
Post by Andrey Ivanov
memberOf
attribute. I'll paste in some excerpts
below.
Post by Andrey Ivanov
Post by Andrey Ivanov
What next? Thanks - John
time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z

time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
cn=server,cn=plugins,cn=config

time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z

time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
cn=server,cn=plugins,cn=config

.
.
.

time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z

time: 20090521183724
cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof task,cn=tasks,cn=config
changetype: delete
cn=server,cn=plugins,cn=config

time: 20090521185804
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-
On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>

Thank you, Andrey. I did do an updatedb and then locate - no
fixup-memberOf.pl - just template.fixup-memberOf.pl :-(

It is very strange. Normally during the server installation the
template should be converted to the "normal" perl script.

Have you verified the configuration of the memberOf plugin,
especially the arguments/attributes "memberofgroupattr" and
"memberofattr" ?

Unless I'm missing something, your ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the
documentation says it is optional and our dit is still rather small).

If you do not put the filter into the ldif then the default filter is
used : "(objectClass=inetuser)". Do all your user entries include this
objectClass (inetuser)? If not, you should add this objectClass to all
the entries where you want the memberOf attribute to appear.

I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I
did not see memberOf as an attribute I could add to my user object.

No. You should not add it manually, the memberOf attribute is
maintained automatically based on the group membership.

Do you see any message in error log? There should be something about
the impossibility to write the memberof attribute I think.

If you cannot add this attribute manually to your entry it means that
your entry does not contain inetuser". Add this objectClass to all the
entries that should be "managed" by the plug-in to allow the attribute
memberOf to be written to those entries.

I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.

No, you don't need to extend the schema but you need to make sure that
your entries include the objectClass

( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary class
which must be present in an entry for delivery of subscriber services'
SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $
userPassword $ memberOf ) X-ORIGIN 'Netscape subscriber
interoperability' )

So, at this point, I am still at a loss for what I did wrong. What do
I check next? Thanks - John

Try to add the "objectClass: inetuser" to the entries concerned and
take a closer look to the "errors" log file.

@+
On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov
Hi,
there are two things to be verified and/or taken into

* the pair of the attributes that is maintained (the arguments
  "memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and
  groups

To find fixup-memberof.pl try "locate fixup-memberof.pl".

To launch it manually you need to add something like that to the

cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
(objectClass=inetOrgPerson)

As for your account, you may remove/add yourself from a group to see
if it changes the memberof attribute. Verify the objectClass of your
entry and make sure the attribute memberOf is an optional attribute of
at least one of these objectClasses...
<snip>
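The two checks Andrey lists in the quoted message above (the "memberofgroupattr"/"memberofattr" pair, and whether the objectClasses of the users and groups actually carry those attributes), together with the default "(objectClass=inetuser)" fixup filter, written out as an offline check. This is an added example, not part of any post in this thread and not Directory Server code: it runs over constructed LDIF, the function names and finding labels are made up for illustration, and the ALLOWED table covers only the objectClasses the thread names.

```python
import base64

# objectClass -> attributes it permits, limited to classes named in this thread.
# inetUser's MAY list is copied from the schema quoted in the thread; None = any.
ALLOWED = {
    "inetuser": {"uid", "inetuserstatus", "inetuserhttpurl", "userpassword", "memberof"},
    "groupofnames": {"member"},
    "groupofuniquenames": {"uniquemember"},
    "extensibleobject": None,
}
GROUPING_ATTRS = ("member", "uniquemember")


def norm_dn(dn):
    """Lower-case a DN and trim spaces around RDNs (ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Parse LDIF text into [{'dn': str, 'attrs': {lowercased_attr: [values]}}]."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += raw[1:]       # continuation of the previous line
        elif not raw.startswith("#"):
            unfolded.append(raw.rstrip())
    entries = []
    for block in "\n".join(unfolded).split("\n\n"):
        entry = None
        for line in filter(None, block.split("\n")):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                entry = {"dn": value, "attrs": {}}
                entries.append(entry)
            elif entry is not None:       # skips "version: 1" before the first dn
                entry["attrs"].setdefault(name, []).append(value)
    return entries


def allows(entry, attr):
    """True if one of the entry's objectClasses (per ALLOWED) permits attr."""
    perms = [ALLOWED.get(c.lower(), set()) for c in entry["attrs"].get("objectclass", [])]
    return any(p is None or attr in p for p in perms)


def diagnose(plugin, entries):
    """Return sorted (finding, dn) tuples explaining why memberOf stays empty."""
    cfg = plugin["attrs"]
    # Fallbacks are the values shown in the shipped dse.ldif quoted in the thread.
    group_attr = cfg.get("memberofgroupattr", ["member"])[0].lower()
    member_attr = cfg.get("memberofattr", ["memberOf"])[0].lower()
    findings = set()
    if cfg.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
        findings.add(("plugin-disabled", plugin["dn"]))
    by_dn = {norm_dn(e["dn"]): e for e in entries}
    for group in entries:
        used = [a for a in GROUPING_ATTRS if group["attrs"].get(a)]
        if used and group_attr not in used:
            findings.add(("group-attr-mismatch:" + used[0], group["dn"]))
        for member in (m for a in used for m in group["attrs"][a]):
            target = by_dn.get(norm_dn(member))
            if target is None:
                continue                  # member is not in this export
            if not allows(target, member_attr):
                findings.add(("member-cannot-hold-" + member_attr, target["dn"]))
            classes = {c.lower() for c in target["attrs"].get("objectclass", [])}
            if "inetuser" not in classes:  # default fixup filter per the thread
                findings.add(("missed-by-default-fixup-filter", target["dn"]))
    return sorted(findings)


# Constructed sample input (not taken from anyone's directory).
SAMPLE_PLUGIN = """\
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginenabled: off
memberOfGroupAttr: member
memberOfAttr: memberOf
"""
SAMPLE_DATA = """\
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob, ou=People, dc=example, dc=com

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
"""

if __name__ == "__main__":
    for finding in diagnose(parse_ldif(SAMPLE_PLUGIN)[0], parse_ldif(SAMPLE_DATA)):
        print(*finding)
```

Feeding it the plugin entry from dse.ldif and an export of the group and user subtrees points at whichever of the three causes applies before a fixup task is run again.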
David (Dave) Donnan
2009-12-18 11:36:04 UTC
Permalink
Hello everybody and thanks for all the help.

For the record, we have Centos Directory Server 8.1.0.

I've enabled memberof using the three steps listed below.

If it's of any help (for step #2):

./ldapmodify -P "$DIR/scripts/cert8.db" -c -h "${DEST_HOST}" -p "${DEST_PORT}" -D "${DEST_BIND}" -w "$DESTDN_PASSWORD" <<EOF
dn: uid=${TGI},ou=People,${DEST_SUFFIX}
changetype: modify
add: objectClass
objectClass: inetuser

EOF

I made the following change to template-fixup-memberof.pl:

# Following line changed by david.donnan at thalesgroup.com
# open(FOO, "| ldapmodify $vstr -h {{SERVER-NAME}} -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );
open(FOO, "| ldapmodify $vstr -h localhost -p {{SERVER-PORT}} -D \"$rootdn\" -w \"$passwd\" -a" );

I've performed a test whereby I've just deleted someone and then added
them again with additional groups. LDAP however did not update.
It updated, however, when I ran template-fixup-memberof.pl.

Question 1: Have I understood that I should put
template-fixup-memberof.pl into a crontab? Are there performance concerns?

Thanks again, Dave
---------
Post by Nathan Kinder
Post by John A. Sullivan III
Very interesting. The shipping dse.ldif which the instructions say to
use as a template to edit the 8.0 dse.ldif has memberofgroupattr: member
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginpath: libmemberof-plugin
nsslapd-plugininitfunc: memberof_postop_init
nsslapd-plugintype: postoperation
nsslapd-pluginenabled: off
nsslapd-plugin-depends-on-type: database
memberOfGroupAttr: member
memberOfAttr: memberOf
When I changed it to uniqueMember, it worked!
So it looks like there are several issues/errors/bugs in the
instructions and procedures for upgrading from 8.0 to 8.1
1. The memberOf plugin is enabled by default and needs to be
manually enabled (not really a bug but it is mentioned nowhere
in the docs that I saw)
2. One must manually add the inetuser to each object with which one
wishes to use the plugin. This does not appear to be a default
objectClass for user creation - at least in 8.0
It all depends on how you provision your users, and what attributes
you are using (they don't have to be "member" and
"memberOf"). It is up to the administrator to use the proper
objectclass that allows the attribute defined as the "memberOfAttr"
config value in the member entries.
Post by John A. Sullivan III
3. One must change the default memberofgroupattr from member to
uniqueMember
This is going to depend on the attribute you use to define grouping.
Some use the "groupOfNames" objectclass for a group
entry, which uses the "member" attribute to define members. It
appears that you are using "groupOfUniqueNames", which
uses "uniqueMember". The memberOf plug-in allows you to use whatever
attributes you want for both the grouping attribute
as well as the membership attribute. In fact, the plug-in could be
used for things completely unrelated to membership.
Post by John A. Sullivan III
4. The fixup-memberof.pl script is not generated from the template.
Yes, this appears to be a bug related to in-place upgrades. Please
file a bug on this.
Post by John A. Sullivan III
Thanks very much for your help - John
Post by Andrey Ivanov
If it still doesn't work, it's a matter of the plug-in configuration
and presence. Verify your dse.ldif. You should have something like
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: memberof plugin
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf
Other than that you may have the plug-in binaries missing...
2009/5/25 John A. Sullivan III <jsullivan at opensourcedevel.com>
Hmm . . . this made perfect sense and I thought it would be the end of
my problems for sure. However, I added inetUser, ran fixup_memberof.pl
and still see no memberOf populated attribute even if I ask for it
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory Manager" -w - -h ldap01 uid=jasiii
version: 1
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
objectClass: inetuser
physicalDeliveryOfficeName: Kennebunk
telephoneNumber: +1 (207) xxx-xxxx
mail: jsullivan at example.com
sn: Sullivan III
givenName: John A.
loginShell: /bin/bash
homeDirectory: /home/jasiii
gidNumber: 100001
uidNumber: 100001
cn: jasiii
uid: jasiii
userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg==
shadowLastChange: 14366
l: Kennebunk
postalCode: 04043-XXXX
postOfficeBox: PO Box XXX
st: ME
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory Manager" -w - -h ldap01 uid=jasiii memberOf
version: 1
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
I then explicitly added the memberOf attribute to a user, created a
bogus group and added the user to the group. Still no memberOf. What
am I doing wrong? Thanks - John
Post by Andrey Ivanov
2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>

Ah, I did not do that as I thought the filter would make the change to
users with objectClass inetOrgPerson.

No. The filter just searches what you have in your directory

I am virtually certain the users do not explicitly have inetUser as an
object class. Are they supposed to?

Yes. The set of the attributes that your entry can hold is defined by
the classes listed in "objectClass". And the attribute memberOf is
part of the "inetUser" objectClass.

Is this done by default or is the need to add this object class to all
users in order to use memberOf missing from the documentation (or
overlooked by me!).

No. It is not done by default, you need to add the inetUser" (or any
other objectClass containing the memberOf attribute) to each user
entry. You can make a small perl script that does for all your users
something like
-------------
uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: add
objectclass: inetUser
-------------
You can test it with the GUI of the console for one or two user
entries just to be sure the attribute memberOf works as you wish...

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount

inetUser"
necessary to add memberOf attribute to the entry...

Thanks - John

On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov

Can you show me the result of

/usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii objectClass

It will list all the objectClasses of your entry. If inetUser" is not
present in the result of this search you should, as I said in the
previous message, add this objectClass to all the entries you're going
to manage with memberOf plug-in, smth

uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: add
objectclass: inetUser

Hope it helps.

2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
I'm starting to feel really stupid here - still not working.

I thought the filter must be the problem for sure. I assumed from the
documentation that no filter meant the task would add the attribute
for everything that could take a memberOf attribute. I did not realize
it defaulted to inetuser. So I recreated the task with a filter of
(objectClass=inetOrgPerson) but it still did not seem to work.

I thought perhaps I was doing ldapmodify wrong (enter the parameters,
double enter, then CTL D) so I edited the fixup-memberof.pl script
according to Rich's instructions. It ran without error (by the way, it
reflects the admin password when using -w - !!!). But still no
success.

Perhaps I am checking incorrectly. I did not expect to see memberOf
listed as an attribute in the advanced console screen for the user
since it is a managed attribute. But I did try to view it with an

It should be visible as an attribute you can add (provided your entry
has "objectClass: inetUser")

/usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii memberOf

Is this how I would check for success?

There is nothing suspicious in the error log. I do have the audit log
enabled. I see the creation and automatic deletion of the task but I
do not see any changes to objects to add and populate the memberOf
attribute. I'll paste in some excerpts below.

What next? Thanks - John
time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z

time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
cn=server,cn=plugins,cn=config

time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z

time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
cn=server,cn=plugins,cn=config

.
.
.

time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z

time: 20090521183724
cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof task,cn=tasks,cn=config
changetype: delete
cn=server,cn=plugins,cn=config

time: 20090521185804
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-
On Thu, 2009-05-21 at 15:59 +0200, Andrey
Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
Post by Andrey Ivanov
2009/5/21 John A. Sullivan III
<jsullivan at opensourcedevel.com>
Post by Andrey Ivanov
Thank you, Andrey. I did do an
updatedb
Post by Andrey Ivanov
and then
Post by Andrey Ivanov
locate - no
Post by Andrey Ivanov
fixup-member0f.pl - just
template.fixup-memberOf.pl :-(
Post by Andrey Ivanov
It is very strange. Normally during the
server
Post by Andrey Ivanov
installation
Post by Andrey Ivanov
the
Post by Andrey Ivanov
template should be converted to the
"normal" perl
Post by Andrey Ivanov
script.
Post by Andrey Ivanov
Post by Andrey Ivanov
Have you verified the configuration of
the
Post by Andrey Ivanov
memberOf plugin,
Post by Andrey Ivanov
especially
Post by Andrey Ivanov
the arguments/attributes
"memberofgroupattr" and
Post by Andrey Ivanov
Post by Andrey Ivanov
"memberofattr" ?
Post by Andrey Ivanov
Unless I'm missing something,
you're
Post by Andrey Ivanov
ldapmodify
Post by Andrey Ivanov
looks just
Post by Andrey Ivanov
like mine
except for the cn (I believe the
documentation says
Post by Andrey Ivanov
it can be
Post by Andrey Ivanov
called
anything) and I did not use a
filter
Post by Andrey Ivanov
(again, I
Post by Andrey Ivanov
believe the
Post by Andrey Ivanov
documentation
says it is optional and our dit
is still
Post by Andrey Ivanov
rather
Post by Andrey Ivanov
small).
Post by Andrey Ivanov
If you do not put the filter into the
ldif then
Post by Andrey Ivanov
the default
Post by Andrey Ivanov
filter is
Post by Andrey Ivanov
used : "(objectClass=inetuser)". Do all
your user
Post by Andrey Ivanov
entries
Post by Andrey Ivanov
include this
Post by Andrey Ivanov
objectClass (inetuser)? If not, you
should add
Post by Andrey Ivanov
this
Post by Andrey Ivanov
objectClass to all
Post by Andrey Ivanov
the entries where you want the memberOf
attribute
Post by Andrey Ivanov
to appear.
Post by Andrey Ivanov
Post by Andrey Ivanov
I did create a new group and add
myself to
Post by Andrey Ivanov
it as you
Post by Andrey Ivanov
suggested
Post by Andrey Ivanov
(thank
you). Surprisingly, it did not
appear to
Post by Andrey Ivanov
work. I
Post by Andrey Ivanov
did not see
Post by Andrey Ivanov
a
memberOf attribute populated for
me. I
Post by Andrey Ivanov
then thought
Post by Andrey Ivanov
I would
Post by Andrey Ivanov
see if I
need to manually add that
attribute to
Post by Andrey Ivanov
each user (I
Post by Andrey Ivanov
hope not!)
Post by Andrey Ivanov
and I did
not see memberOf as an attribute
I could
Post by Andrey Ivanov
add to my
Post by Andrey Ivanov
user
Post by Andrey Ivanov
object.
No. You should not add it manually, the
memberOf
Post by Andrey Ivanov
attribute
Post by Andrey Ivanov
is
Post by Andrey Ivanov
maintained automatically based on the
group
Post by Andrey Ivanov
membership.
Post by Andrey Ivanov
Post by Andrey Ivanov
Do you see any message in error log?
There should
Post by Andrey Ivanov
be
Post by Andrey Ivanov
something about
Post by Andrey Ivanov
the impossibility to write the memberof
attribute
Post by Andrey Ivanov
i think.
Post by Andrey Ivanov
Post by Andrey Ivanov
If you cannot add this attribute
manually to your
Post by Andrey Ivanov
entry it
Post by Andrey Ivanov
means that
Post by Andrey Ivanov
your entry does not containe
inetuser". Add
Post by Andrey Ivanov
this
Post by Andrey Ivanov
objectClass to all the entries that
should be
Post by Andrey Ivanov
"managed" by
Post by Andrey Ivanov
the plug-in
Post by Andrey Ivanov
to allow the attribute memberOf to be
written to
Post by Andrey Ivanov
that
Post by Andrey Ivanov
entries.
Post by Andrey Ivanov
I have verified that the plugin
is defined
Post by Andrey Ivanov
in
Post by Andrey Ivanov
dse.ldif and it
Post by Andrey Ivanov
is
enabled. I also see memberOf
defined in
Post by Andrey Ivanov
Post by Andrey Ivanov
20subscriber.ldif and
Post by Andrey Ivanov
did not
see anything in the
documentation about
Post by Andrey Ivanov
needing to
Post by Andrey Ivanov
extend the
Post by Andrey Ivanov
schema.
No, you don't need to extend the schema but you need to make sure that
your entries include the objectClass

( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary class which
must be present in an entry for delivery of subscriber services' SUP top
AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword $
memberOf ) X-ORIGIN 'Netscape subscriber interoperability' )

So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John

Try to add the "objectClass: inetuser" to the entries concerned and take
a closer look at the "errors" log file.

@+

On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov

Hi,

there are two things to be verified and/or taken into

* the pair of the attributes that is maintained (the arguments
  "memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and
  groups

To find fixup-memberof.pl try "locate fixup-memberof.pl".

To launch it manually you need to add something like that to the

dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)

As for your account, you may remove/add yourself from a group to see if
it changes the memberof attribute. Verify the objectClass of your entry
and make sure the attribute memberOf is an optional attribute of at
least one of these objectClasses...

2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>

Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
hit a few glitches along the way but most has gone well. However, we
wanted to implement the new memberOf functionality. We successfully
added the plugin by editing dse.ldif and enabled it from the console.
However, we've been unsuccessful in having existing group membership
assigned to the memberOf attribute.

We first tried to run fixup-memberOf.pl but the script does not exist.
There is a template.fixup-memberOf.pl but this does not seem to have
been built into a final script.

We then thought we would use the new task feature of the console. We
went to cn=memberof task,cn=tasks,cn=config and tried to create the task
object. There was no nsDirectoryServerTask objectclass. We added an
nstask but then found there was no basedn attribute we could add. We
then created an extensibleobject instead but still not basedn attribute.

Finally, we resorted to ldapmodify (we hesitated just because we are not
very familiar with the command line tools). First, we did:

dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz

The Internal Organization has several organizations under it (for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not seem to
work. Perhaps I just don't know how to test it. However, the following
did not return any memberOf data:

/usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid memberOf

Doing /usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf

I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
change objects lower in the tree. Still no success.

dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz

adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional unknown object class "nsDirectoryServerTask"

And received the expected unknown object class error.

What are we doing wrong? Are these documentation bugs? Are there
application bugs or do we simply not know what we are doing with tasks
and memberOf? How do we get the memberOf information into our existing
user objects? Thanks - John

<snip>
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
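
As an added illustration of the advice in this thread (not code from any poster or from the Directory Server project): a Python script that reads an LDIF export, lists the entries lacking the inetUser class that the quoted schema says permits memberOf, and builds ldapmodify input that adds the class and queues the fixup task in the form John posted. The sample entries, the dc=example,dc=com suffix and the function names are assumptions made for the example.

```python
import base64

# Constructed sample export (not from the thread); alice lacks inetUser.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,o=client1,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson

dn: uid=bob,ou=Users,o=client1,
 dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
"""

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from LDIF text."""
    entries = []
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # RFC 2849 folding
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def lacking_class(entries, needed="inetUser"):
    """DNs whose objectClass values do not include `needed` (case-insensitive)."""
    return [dn for dn, a in entries
            if needed.lower() not in (v.lower() for v in a.get("objectclass", []))]

def build_fix_ldif(dns, basedn, task_cn="fixMemberOf"):
    """ldapmodify input: add inetUser where missing, then queue the fixup task."""
    out = []
    for dn in dns:
        out += [f"dn: {dn}", "changetype: modify", "add: objectClass",
                "objectClass: inetUser", ""]
    out += [f"dn: cn={task_cn},cn=memberof task,cn=tasks,cn=config",
            "changetype: add", "objectclass: top", "objectclass: extensibleObject",
            f"cn: {task_cn}", f"basedn: {basedn}", ""]
    return "\n".join(out)

if __name__ == "__main__":
    todo = lacking_class(parse_ldif(SAMPLE_LDIF))
    print(build_fix_ldif(todo, "dc=example,dc=com"))
```

Review the generated LDIF before feeding it to ldapmodify, since it changes the objectClass set of every listed entry.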