memberOf task problem

Discussion:

(too old to reply)

John A. Sullivan III

2009-05-21 02:45:40 UTC

Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
hit a few glitches along the way but most has gone well. However, we
wanted to implement the new memberOf functionality. We successfully
added the plugin by editing dse.ldif and enabled it from the console.
However, we've been unsuccessful in having existing group membership
assigned to the memberOf attribute.

We first tried to run fixup-memberOf.pl but the script does not exist.
There is a template.fixup-memberOf.pl but this does not seem to have
been built into a final script.

We then thought we would use the new task feature of the console. We
went to cn=memberof task,cn=tasks,cn=config and tried to create the task
object. There was no nsDirectoryServerTask objectclass. We added an
nstask but then found there was no basedn attribute we could add. We
then created an extensibleobject instead but still not basedn attribute.

Finally, we resorted to ldapmodify (we hesitated just because we are not
very familiar with the command line tools). First, we did:

dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz

The Internal Organization has several organizations under it (for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not seem to
work. Perhaps I just don't know how to test it. However, the following
did not return an memberOf data:

/usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid memberOf

Doing /usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf

I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
change objects lower in the tree. Still no success.

Finally I tried:

dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz

adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class "nsDirectoryServerTask"

And received the expected unknown object class error.

What are we doing wrong? Are these documentation bugs? Are there
application bugs or do we simply not know what we are doing with tasks
and memberOf? How do we get the memberOf information into our existing
user objects? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Andrey Ivanov

2009-05-21 10:59:54 UTC

Permalink

Hi,

there are two things to be verified and/or taken into account:
* the pair of the attributes that is maintained (the arguments
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and groups

To find fixup-memberof.pl try "locate fixup-memberof.pl".

To launch it manually you need to add something like that to the server
(with ldapmodify) :
dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks,
cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)

As for your account, you may remove/add yourself from a group to see if it
changes the memberof attribute. Verify the objectClass of your entry and
make sure the attribute memberOf is an optional attribute of at least one of
these objectClasses...

2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>

Post by John A. Sullivan III
Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
hit a few glitches along the way but most has gone well. However, we
wanted to implement the new memberOf functionality. We successfully
added the plugin by editing dse.ldif and enabled it from the console.
However, we've been unsuccessful in having existing group membership
assigned to the memberOf attribute.
We first tried to run fixup-memberOf.pl but the script does not exist.
There is a template.fixup-memberOf.pl but this does not seem to have
been built into a final script.
We then thought we would use the new task feature of the console. We
went to cn=memberof task,cn=tasks,cn=config and tried to create the task
object. There was no nsDirectoryServerTask objectclass. We added an
nstask but then found there was no basedn attribute we could add. We
then created an extensibleobject instead but still not basedn attribute.
Finally, we resorted to ldapmodify (we hesitated just because we are not
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
The Internal Organization has several organizations under it (for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not seem to
work. Perhaps I just don't know how to test it. However, the following
/usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid memberOf
Doing /usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf
I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
change objects lower in the tree. Still no success.
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class "nsDirectoryServerTask"
And received the expected unknown object class error.
What are we doing wrong? Are these documentation bugs? Are there
application bugs or do we simply not know what we are doing with tasks
and memberOf? How do we get the memberOf information into our existing
user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20090521/3b0c9eef/attachment.html

John A. Sullivan III

2009-05-21 11:33:18 UTC

Permalink

Thank you, Andrey. I did do an updatedb and then locate - no
fixup-member0f.pl - just template.fixup-memberOf.pl :-(

Unless I'm missing something, you're ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the documentation
says it is optional and our dit is still rather small).

I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.

I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.

So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John

Post by Andrey Ivanov
Hi,
* the pair of the attributes that is maintained (the arguments
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and groups
To find fixup-memberof.pl try "locate fixup-memberof.pl".
To launch it manually you need to add something like that to the
dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks,
cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)
As for your account, you may remove/add yourself from a group to see
if it changes the memberof attribute. Verify the objectClass of your
entry and make sure the attribute memberOf is an optional attribute of
at least one of these objectClasses...
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
hit a few glitches along the way but most has gone well.
However, we
wanted to implement the new memberOf functionality. We successfully
added the plugin by editing dse.ldif and enabled it from the console.
However, we've been unsuccessful in having existing group membership
assigned to the memberOf attribute.
We first tried to run fixup-memberOf.pl but the script does not exist.
There is a template.fixup-memberOf.pl but this does not seem to have
been built into a final script.
We then thought we would use the new task feature of the console. We
went to cn=memberof task,cn=tasks,cn=config and tried to create the task
object. There was no nsDirectoryServerTask objectclass. We added an
nstask but then found there was no basedn attribute we could add. We
then created an extensibleobject instead but still not basedn attribute.
Finally, we resorted to ldapmodify (we hesitated just because we are not
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
The Internal Organization has several organizations under it (for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not seem to
work. Perhaps I just don't know how to test it. However, the following
/usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid memberOf
Doing /usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf
I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
change objects lower in the tree. Still no success.
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
adding new entry cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class
"nsDirectoryServerTask"
And received the expected unknown object class error.
What are we doing wrong? Are these documentation bugs? Are there
application bugs or do we simply not know what we are doing with tasks
and memberOf? How do we get the memberOf information into our existing
user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Andrey Ivanov

2009-05-21 13:59:58 UTC

Permalink

2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>

Post by John A. Sullivan III
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-member0f.pl - just template.fixup-memberOf.pl :-(

It is very strange. Normally during the server installation the template
should be converted to the "normal" perl script.

Have you verified the configuration of the memberOf plugin, especially the
arguments/attributes "memberofgroupattr" and "memberofattr" ?

Post by John A. Sullivan III
Unless I'm missing something, you're ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the documentation
says it is optional and our dit is still rather small).

If you do not put the filter into the ldif then the default filter is used :
"(objectClass=inetuser)". Do all your user entries include this objectClass
(inetuser)? If not, you should add this objectClass to all the entries where
you want the memberOf attribute to appear.

Post by John A. Sullivan III
I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.

No. You should not add it manually, the memberOf attribute is maintained
automatically based on the group membership.

Do you see any message in error log? There should be something about the
impossibility to write the memberof attribute i think.
If you cannot add this attribute manually to your entry it means that your
entry does not containe "objectClass: inetuser". Add this objectClass to all
the entries that should be "managed" by the plug-in to allow the attribute
memberOf to be written to that entries.

Post by John A. Sullivan III
I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.

No, you don't need to extend the schema but you need to make sure that your
entries include the objectClass "inetuser":

objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary
class which must be present in an entry for delivery of subscriber services'
SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $
userPassword $ memberOf ) X-ORIGIN 'Netscape subscriber interoperability' )

Post by John A. Sullivan III
So, at this point, I am still at a loss for what I did wrong. What do I
check next? Thanks - John

Try to add the "objectClass: inetuser" to the entries concerned and take a
closer look to the "errors" log file.

@+

Post by John A. Sullivan III

Post by Andrey Ivanov
Hi,
* the pair of the attributes that is maintained (the arguments
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and groups
To find fixup-memberof.pl try "locate fixup-memberof.pl".
To launch it manually you need to add something like that to the
dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks,
cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)
As for your account, you may remove/add yourself from a group to see
if it changes the memberof attribute. Verify the objectClass of your
entry and make sure the attribute memberOf is an optional attribute of
at least one of these objectClasses...
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
hit a few glitches along the way but most has gone well.
However, we
wanted to implement the new memberOf functionality. We successfully
added the plugin by editing dse.ldif and enabled it from the console.
However, we've been unsuccessful in having existing group membership
assigned to the memberOf attribute.
We first tried to run fixup-memberOf.pl but the script does not exist.
There is a template.fixup-memberOf.pl but this does not seem to have
been built into a final script.
We then thought we would use the new task feature of the console. We
went to cn=memberof task,cn=tasks,cn=config and tried to
create the task
object. There was no nsDirectoryServerTask objectclass. We added an
nstask but then found there was no basedn attribute we could add. We
then created an extensibleobject instead but still not basedn
attribute.
Finally, we resorted to ldapmodify (we hesitated just because
we are not
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
The Internal Organization has several organizations under it (for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not seem to
work. Perhaps I just don't know how to test it. However, the
following
/usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid memberOf
Doing /usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf
I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
change objects lower in the tree. Still no success.
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
adding new entry cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class
"nsDirectoryServerTask"
And received the expected unknown object class error.
What are we doing wrong? Are these documentation bugs? Are there
application bugs or do we simply not know what we are doing with tasks
and memberOf? How do we get the memberOf information into our existing
user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20090521/644b89eb/attachment.html

Rich Megginson

2009-05-21 14:27:44 UTC

Permalink

Post by Andrey Ivanov
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com
<mailto:jsullivan at opensourcedevel.com>>
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-member0f.pl - just template.fixup-memberOf.pl
<http://template.fixup-memberOf.pl> :-(
It is very strange. Normally during the server installation the
template should be converted to the "normal" perl script.

I think that is the problem here. The script is not created if you
already have an installation and just do an upgrade. If you want to use
the script with existing instances, just copy the template file
somewhere, and replace these tokens:
{{DS-ROOT}} - replace with the empty string - for FHS systems, this is
just ""
{{SERVER-NAME}} - your server FQDN
{{SERVER-PORT}} - your server port number (e.g. 389)

The script is really pretty simple - all it does is create an LDIF task
entry and add it using ldapmodify.

Post by Andrey Ivanov
Have you verified the configuration of the memberOf plugin, especially
the arguments/attributes "memberofgroupattr" and "memberofattr" ?
Unless I'm missing something, you're ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the
documentation
says it is optional and our dit is still rather small).
If you do not put the filter into the ldif then the default filter is
used : "(objectClass=inetuser)". Do all your user entries include this
objectClass (inetuser)? If not, you should add this objectClass to all
the entries where you want the memberOf attribute to appear.
I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.
No. You should not add it manually, the memberOf attribute is
maintained automatically based on the group membership.
Do you see any message in error log? There should be something about
the impossibility to write the memberof attribute i think.
If you cannot add this attribute manually to your entry it means that
your entry does not containe "objectClass: inetuser". Add this
objectClass to all the entries that should be "managed" by the plug-in
to allow the attribute memberOf to be written to that entries.
I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.
No, you don't need to extend the schema but you need to make sure that
objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
'Auxiliary class which must be present in an entry for delivery of
subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
subscriber interoperability' )
So, at this point, I am still at a loss for what I did wrong.
What do I
check next? Thanks - John
Try to add the "objectClass: inetuser" to the entries concerned and
take a closer look to the "errors" log file.
@+

cn=tasks,

Post by Andrey Ivanov
cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)
As for your account, you may remove/add yourself from a group to see
if it changes the memberof attribute. Verify the objectClass of your
entry and make sure the attribute memberOf is an optional

attribute of

Post by Andrey Ivanov
at least one of these objectClasses...
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com

<mailto:jsullivan at opensourcedevel.com>>

Post by Andrey Ivanov
Hello, all. We are in the process of upgrading from 8.0 to
8.1. We've
hit a few glitches along the way but most has gone well.
However, we
wanted to implement the new memberOf functionality. We
successfully
added the plugin by editing dse.ldif and enabled it from the
console.
However, we've been unsuccessful in having existing group
membership
assigned to the memberOf attribute.
We first tried to run fixup-memberOf.pl but the script does
not exist.
There is a template.fixup-memberOf.pl

<http://template.fixup-memberOf.pl> but this does not seem

Post by Andrey Ivanov
to have
been built into a final script.
We then thought we would use the new task feature of the
console. We
went to cn=memberof task,cn=tasks,cn=config and tried to
create the task
object. There was no nsDirectoryServerTask objectclass. We
added an
nstask but then found there was no basedn attribute we could
add. We
then created an extensibleobject instead but still not

basedn

Post by Andrey Ivanov
attribute.
Finally, we resorted to ldapmodify (we hesitated just

because

Post by Andrey Ivanov
we are not
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
The Internal Organization has several organizations under it
(for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not
seem to
work. Perhaps I just don't know how to test it.

However, the

Post by Andrey Ivanov
following
/usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory
Manager" -w - -h ldap uid=myid memberOf
Doing /usr/lib64/mozldap/ldapsearch -b
"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory
Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf
I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in

case it

Post by Andrey Ivanov
did not
change objects lower in the tree. Still no success.
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
adding new entry cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class
"nsDirectoryServerTask"
And received the expected unknown object class error.
What are we doing wrong? Are these documentation bugs? Are
there
application bugs or do we simply not know what we are doing
with tasks
and memberOf? How do we get the memberOf information

into our

Post by Andrey Ivanov
existing
user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

<mailto:jsullivan at opensourcedevel.com>

Post by Andrey Ivanov
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com

<mailto:Fedora-directory-users at redhat.com>
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Post by Andrey Ivanov
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com

<mailto:Fedora-directory-users at redhat.com>

Post by Andrey Ivanov
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com <mailto:jsullivan at opensourcedevel.com>
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
<mailto:Fedora-directory-users at redhat.com>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090521/2c62bd44/attachment.bin

John A. Sullivan III

2009-05-21 23:17:20 UTC

Permalink

I'm starting to feel really stupid here - still not working.

I thought the filter must be the problem for sure. I assumed from the
documentation that no filter meant the task would add the attribute for
everything that could take a memberOf attribute. I did not realize it
defaulted to inetuser. So I recreated the task with a filter of
(objectClass=inetOrgPerson) but it still did not seem to work.

I thought perhaps I was doing ldapmodify wrong (enter the parameters,
double enter, then CTL D) so I edited the fixup-memberof.pl script
according to Rich's instructions. It ran without error (by the way, it
reflects the admin password when using -w - !!!). But still no success.

Perhaps I am checking incorrectly. I did not expect to see memberOf
listed as an attribute in the advanced console screen for the user since
it is a managed attribute. But I did try to view it with an ldapsearch:

/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=jasiii memberOf

Is this how I would check for success?

There is nothing suspicious in the error log. I do have the audit log
enabled. I see the creation and automatic deletion of the task but I do
not see any changes to objects to add and populate the memberOf
attribute. I'll paste in some excerpts below.

What next? Thanks - John

time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z

time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z

time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

.
.
.
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks,
cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z

time: 20090521183724
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof
task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

time: 20090521185804
dn:
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
nsPreference::
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3

dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-

Post by Andrey Ivanov
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-member0f.pl - just template.fixup-memberOf.pl :-(
It is very strange. Normally during the server installation the
template should be converted to the "normal" perl script.
Have you verified the configuration of the memberOf plugin, especially
the arguments/attributes "memberofgroupattr" and "memberofattr" ?
Unless I'm missing something, you're ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the documentation
says it is optional and our dit is still rather small).
If you do not put the filter into the ldif then the default filter is
used : "(objectClass=inetuser)". Do all your user entries include this
objectClass (inetuser)? If not, you should add this objectClass to all
the entries where you want the memberOf attribute to appear.
I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!) and I did
not see memberOf as an attribute I could add to my user object.
No. You should not add it manually, the memberOf attribute is
maintained automatically based on the group membership.
Do you see any message in error log? There should be something about
the impossibility to write the memberof attribute i think.
If you cannot add this attribute manually to your entry it means that
your entry does not containe "objectClass: inetuser". Add this
objectClass to all the entries that should be "managed" by the plug-in
to allow the attribute memberOf to be written to that entries.
I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.
No, you don't need to extend the schema but you need to make sure that
objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
'Auxiliary class which must be present in an entry for delivery of
subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
subscriber interoperability' )
So, at this point, I am still at a loss for what I did wrong.
What do I
check next? Thanks - John
Try to add the "objectClass: inetuser" to the entries concerned and
take a closer look to the "errors" log file.
@+

Post by Andrey Ivanov
Hi,
there are two things to be verified and/or taken into
* the pair of the attributes that is maintained (the

arguments

Post by Andrey Ivanov
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your

users and

Post by Andrey Ivanov
groups
To find fixup-memberof.pl try "locate fixup-memberof.pl".
To launch it manually you need to add something like that

to the

Post by Andrey Ivanov
dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task,

cn=tasks,

group to see

Post by Andrey Ivanov
if it changes the memberof attribute. Verify the objectClass

of your

Post by Andrey Ivanov
entry and make sure the attribute memberOf is an optional

attribute of

Post by Andrey Ivanov
at least one of these objectClasses...
2009/5/21 John A. Sullivan III

Post by Andrey Ivanov
Hello, all. We are in the process of upgrading from

8.0 to

Post by Andrey Ivanov
8.1. We've
hit a few glitches along the way but most has gone

well.

Post by Andrey Ivanov
However, we
wanted to implement the new memberOf functionality.

Post by Andrey Ivanov
successfully
added the plugin by editing dse.ldif and enabled it

from the

Post by Andrey Ivanov
console.
However, we've been unsuccessful in having existing

group

Post by Andrey Ivanov
membership
assigned to the memberOf attribute.
We first tried to run fixup-memberOf.pl but the

script does

Post by Andrey Ivanov
not exist.
There is a template.fixup-memberOf.pl but this does

not seem

Post by Andrey Ivanov
to have
been built into a final script.
We then thought we would use the new task feature of

the

Post by Andrey Ivanov
console. We
went to cn=memberof task,cn=tasks,cn=config and

tried to

Post by Andrey Ivanov
create the task
object. There was no nsDirectoryServerTask

objectclass. We

Post by Andrey Ivanov
added an
nstask but then found there was no basedn attribute

we could

Post by Andrey Ivanov
add. We
then created an extensibleobject instead but still

not basedn

Post by Andrey Ivanov
attribute.
Finally, we resorted to ldapmodify (we hesitated

just because

Post by Andrey Ivanov
we are not
very familiar with the command line tools). First,
dn: cn=fixMemberOf,cn=memberof

task,cn=tasks,cn=config

Post by Andrey Ivanov
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
The Internal Organization has several organizations

under it

Post by Andrey Ivanov
(for
various clients) and then user organizational units

under

Post by Andrey Ivanov
those
organizations. Although it generated no errors, it

did not

Post by Andrey Ivanov
seem to
work. Perhaps I just don't know how to test it.

However, the

Post by Andrey Ivanov
following
/usr/lib64/mozldap/ldapsearch -b

"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D

Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap uid=myid memberOf
Doing /usr/lib64/mozldap/ldapsearch -b

"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D

Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for

memberOf

Post by Andrey Ivanov
I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz

in case it

Post by Andrey Ivanov
did not
change objects lower in the tree. Still no success.
dn: cn=fixMemberOf,cn=memberof

task,cn=tasks,cn=config

Post by Andrey Ivanov
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
adding new entry cn=fixMemberOf,cn=memberof
task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class
"nsDirectoryServerTask"
And received the expected unknown object class

error.

Post by Andrey Ivanov
What are we doing wrong? Are these documentation

bugs? Are

Post by Andrey Ivanov
there
application bugs or do we simply not know what we

are doing

Post by Andrey Ivanov
with tasks
and memberOf? How do we get the memberOf information

into our

Post by Andrey Ivanov
existing
user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com

https://www.redhat.com/mailman/listinfo/fedora-directory-users

Post by Andrey Ivanov
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com

https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Andrey Ivanov

2009-05-22 06:31:19 UTC

Permalink

Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager"
-w - -h ldap uid=jasiii objectClass

It will list all the objectClasses of your entry. If "objectClass: inetUser"
is not present in the result of this search you should, as i said in the
previous message, add this objectClass to all the entries you're going to
manage with memberOf plug-in, smth like:

dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz changetype:
add
objectclass: inetUser

Hope it helps .

2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>

Post by John A. Sullivan III
I'm starting to feel really stupid here - still not working.
I thought the filter must be the problem for sure. I assumed from the
documentation that no filter meant the task would add the attribute for
everything that could take a memberOf attribute. I did not realize it
defaulted to inetuser. So I recreated the task with a filter of
(objectClass=inetOrgPerson) but it still did not seem to work.
I thought perhaps I was doing ldapmodify wrong (enter the parameters,
double enter, then CTL D) so I edited the fixup-memberof.pl script
according to Rich's instructions. It ran without error (by the way, it
reflects the admin password when using -w - !!!). But still no success.
Perhaps I am checking incorrectly. I did not expect to see memberOf
listed as an attribute in the advanced console screen for the user since

It should be visible as an attribute you can add (provided your entry has
"objectClass: inetUser")

Post by John A. Sullivan III
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=jasiii memberOf
Is this how I would check for success?
There is nothing suspicious in the error log. I do have the audit log
enabled. I see the creation and automatic deletion of the task but I do
not see any changes to objects to add and populate the memberOf
attribute. I'll paste in some excerpts below.
What next? Thanks - John
time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z
time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z
time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
.
.
.
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks,
cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z
time: 20090521183724
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof
task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
time: 20090521185804
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=
ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-

Post by Andrey Ivanov
2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
Thank you, Andrey. I did do an updatedb and then locate - no
fixup-member0f.pl - just template.fixup-memberOf.pl :-(
It is very strange. Normally during the server installation the
template should be converted to the "normal" perl script.
Have you verified the configuration of the memberOf plugin, especially
the arguments/attributes "memberofgroupattr" and "memberofattr" ?
Unless I'm missing something, you're ldapmodify looks just like mine
except for the cn (I believe the documentation says it can be called
anything) and I did not use a filter (again, I believe the
documentation
says it is optional and our dit is still rather small).
If you do not put the filter into the ldif then the default filter is
used : "(objectClass=inetuser)". Do all your user entries include this
objectClass (inetuser)? If not, you should add this objectClass to all
the entries where you want the memberOf attribute to appear.
I did create a new group and add myself to it as you suggested (thank
you). Surprisingly, it did not appear to work. I did not see a
memberOf attribute populated for me. I then thought I would see if I
need to manually add that attribute to each user (I hope not!)
and I did
not see memberOf as an attribute I could add to my user object.
No. You should not add it manually, the memberOf attribute is
maintained automatically based on the group membership.
Do you see any message in error log? There should be something about
the impossibility to write the memberof attribute i think.
If you cannot add this attribute manually to your entry it means that
your entry does not containe "objectClass: inetuser". Add this
objectClass to all the entries that should be "managed" by the plug-in
to allow the attribute memberOf to be written to that entries.
I have verified that the plugin is defined in dse.ldif and it is
enabled. I also see memberOf defined in 20subscriber.ldif and did not
see anything in the documentation about needing to extend the schema.
No, you don't need to extend the schema but you need to make sure that
objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
'Auxiliary class which must be present in an entry for delivery of
subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
subscriber interoperability' )
So, at this point, I am still at a loss for what I did wrong.
What do I
check next? Thanks - John
Try to add the "objectClass: inetuser" to the entries concerned and
take a closer look to the "errors" log file.
@+

Post by Andrey Ivanov
Hi,
there are two things to be verified and/or taken into
* the pair of the attributes that is maintained (the

arguments

Post by Andrey Ivanov
"memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your

users and

Post by Andrey Ivanov
groups
To find fixup-memberof.pl try "locate fixup-memberof.pl".
To launch it manually you need to add something like that

to the

Post by Andrey Ivanov
dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task,

cn=tasks,

group to see

Post by Andrey Ivanov
if it changes the memberof attribute. Verify the objectClass

of your

Post by Andrey Ivanov
entry and make sure the attribute memberOf is an optional

attribute of

Post by Andrey Ivanov
at least one of these objectClasses...
2009/5/21 John A. Sullivan III

Post by Andrey Ivanov
Hello, all. We are in the process of upgrading from

8.0 to

Post by Andrey Ivanov
8.1. We've
hit a few glitches along the way but most has gone

well.

Post by Andrey Ivanov
However, we
wanted to implement the new memberOf functionality.

Post by Andrey Ivanov
successfully
added the plugin by editing dse.ldif and enabled it

from the

Post by Andrey Ivanov
console.
However, we've been unsuccessful in having existing

group

Post by Andrey Ivanov
membership
assigned to the memberOf attribute.
We first tried to run fixup-memberOf.pl but the

script does

Post by Andrey Ivanov
not exist.
There is a template.fixup-memberOf.pl but this does

not seem

Post by Andrey Ivanov
to have
been built into a final script.
We then thought we would use the new task feature of

the

Post by Andrey Ivanov
console. We
went to cn=memberof task,cn=tasks,cn=config and

tried to

Post by Andrey Ivanov
create the task
object. There was no nsDirectoryServerTask

objectclass. We

Post by Andrey Ivanov
added an
nstask but then found there was no basedn attribute

we could

Post by Andrey Ivanov
add. We
then created an extensibleobject instead but still

not basedn

Post by Andrey Ivanov
attribute.
Finally, we resorted to ldapmodify (we hesitated

just because

Post by Andrey Ivanov
we are not
very familiar with the command line tools). First,
dn: cn=fixMemberOf,cn=memberof

task,cn=tasks,cn=config

Post by Andrey Ivanov
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
The Internal Organization has several organizations

under it

Post by Andrey Ivanov
(for
various clients) and then user organizational units

under

Post by Andrey Ivanov
those
organizations. Although it generated no errors, it

did not

Post by Andrey Ivanov
seem to
work. Perhaps I just don't know how to test it.

However, the

Post by Andrey Ivanov
following
/usr/lib64/mozldap/ldapsearch -b

"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D

Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap uid=myid memberOf
Doing /usr/lib64/mozldap/ldapsearch -b

"ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D

Post by Andrey Ivanov
"cn=Directory
Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for

memberOf

Post by Andrey Ivanov
I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz

in case it

Post by Andrey Ivanov
did not
change objects lower in the tree. Still no success.
dn: cn=fixMemberOf,cn=memberof

task,cn=tasks,cn=config

error.

Post by Andrey Ivanov
What are we doing wrong? Are these documentation

bugs? Are

Post by Andrey Ivanov
there
application bugs or do we simply not know what we

are doing

Post by Andrey Ivanov
with tasks
and memberOf? How do we get the memberOf information

into our

https://www.redhat.com/mailman/listinfo/fedora-directory-users

Post by Andrey Ivanov
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20090522/944596bb/attachment.html

John A. Sullivan III

2009-05-22 12:02:19 UTC

Permalink

Ah, I did not do that as I thought the filter would make the change to
users with objectClass inetOrgPerson. I am virtually certain the users
do not explicitly have inetUser as an object class. Are they supposed
to? Is this done by default or is the need to add this object class to
all users in order to use memberOf missing from the documentation (or
overlooked by me!).

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount

Thanks - John

Post by Andrey Ivanov
Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
Manager" -w - -h ldap uid=jasiii objectClass
inetUser" is not present in the result of this search you should, as i
said in the previous message, add this objectClass to all the entries
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: add
objectclass: inetUser
Hope it helps .
2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
I'm starting to feel really stupid here - still not working.
I thought the filter must be the problem for sure. I assumed from the
documentation that no filter meant the task would add the attribute for
everything that could take a memberOf attribute. I did not realize it
defaulted to inetuser. So I recreated the task with a filter of
(objectClass=inetOrgPerson) but it still did not seem to work.
I thought perhaps I was doing ldapmodify wrong (enter the parameters,
double enter, then CTL D) so I edited the fixup-memberof.pl script
according to Rich's instructions. It ran without error (by the way, it
reflects the admin password when using -w - !!!). But still no success.
Perhaps I am checking incorrectly. I did not expect to see memberOf
listed as an attribute in the advanced console screen for the user since
It should be visible as an attribute you can add (provided your entry
has "objectClass: inetUser")
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
"cn=Directory
Manager" -w - -h ldap uid=jasiii memberOf
Is this how I would check for success?
There is nothing suspicious in the error log. I do have the audit log
enabled. I see the creation and automatic deletion of the task but I do
not see any changes to objects to add and populate the
memberOf
attribute. I'll paste in some excerpts below.
What next? Thanks - John
time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z
time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z
time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
.
.
.
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks,
cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z
time: 20090521183724
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof
task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config
time: 20090521185804
cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-

Post by Andrey Ivanov
2009/5/21 John A. Sullivan III

Post by Andrey Ivanov
Thank you, Andrey. I did do an updatedb and then

locate - no

Post by Andrey Ivanov
fixup-member0f.pl - just

template.fixup-memberOf.pl :-(

Post by Andrey Ivanov
It is very strange. Normally during the server installation

the

Post by Andrey Ivanov
template should be converted to the "normal" perl script.
Have you verified the configuration of the memberOf plugin,

especially

Post by Andrey Ivanov
the arguments/attributes "memberofgroupattr" and

"memberofattr" ?

Post by Andrey Ivanov
Unless I'm missing something, you're ldapmodify

looks just

Post by Andrey Ivanov
like mine
except for the cn (I believe the documentation says

it can be

Post by Andrey Ivanov
called
anything) and I did not use a filter (again, I

believe the

Post by Andrey Ivanov
documentation
says it is optional and our dit is still rather

small).

Post by Andrey Ivanov
If you do not put the filter into the ldif then the default

filter is

Post by Andrey Ivanov
used : "(objectClass=inetuser)". Do all your user entries

include this

Post by Andrey Ivanov
objectClass (inetuser)? If not, you should add this

objectClass to all

Post by Andrey Ivanov
the entries where you want the memberOf attribute to appear.
I did create a new group and add myself to it as you

suggested

Post by Andrey Ivanov
(thank
you). Surprisingly, it did not appear to work. I

did not see

Post by Andrey Ivanov
a
memberOf attribute populated for me. I then thought

I would

Post by Andrey Ivanov
see if I
need to manually add that attribute to each user (I

hope not!)

Post by Andrey Ivanov
and I did
not see memberOf as an attribute I could add to my

user

Post by Andrey Ivanov
object.
No. You should not add it manually, the memberOf attribute

Post by Andrey Ivanov
maintained automatically based on the group membership.
Do you see any message in error log? There should be

something about

Post by Andrey Ivanov
the impossibility to write the memberof attribute i think.
If you cannot add this attribute manually to your entry it

means that

Post by Andrey Ivanov
your entry does not containe "objectClass: inetuser". Add

this

Post by Andrey Ivanov
objectClass to all the entries that should be "managed" by

the plug-in

Post by Andrey Ivanov
to allow the attribute memberOf to be written to that

entries.

Post by Andrey Ivanov
I have verified that the plugin is defined in

dse.ldif and it

Post by Andrey Ivanov
is
enabled. I also see memberOf defined in

20subscriber.ldif and

Post by Andrey Ivanov
did not
see anything in the documentation about needing to

extend the

Post by Andrey Ivanov
schema.
No, you don't need to extend the schema but you need to make

sure that

Post by Andrey Ivanov
objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser'

DESC

Post by Andrey Ivanov
'Auxiliary class which must be present in an entry for

delivery of

Post by Andrey Ivanov
subscriber services' SUP top AUXILIARY MAY ( uid $

inetUserStatus $

Post by Andrey Ivanov
inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN

'Netscape

Post by Andrey Ivanov
subscriber interoperability' )
So, at this point, I am still at a loss for what I

did wrong.

Post by Andrey Ivanov
What do I
check next? Thanks - John
Try to add the "objectClass: inetuser" to the entries

concerned and

Post by Andrey Ivanov
take a closer look to the "errors" log file.
@+
On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov

Post by Andrey Ivanov
Hi,
there are two things to be verified and/or taken

into