memberOf Overlay config not loaded

[davidsan]

Hello all,

I've tried to spin up a container using this image by passing the -e SLAPD_ADDITIONAL_MODULES=memberof option.

When I run slapcat -b cn=config inside the container, I see no mention of any settings related to memberOf overlay. It seems like the memberof.ldif does not get loaded during entrypoint.

I've tried to add the memberOf overlay manually by running this command:
slapadd -n0 -F /etc/ldap/slapd.d -l /etc/ldap/modules/memberof.ldif and I do see memberOf overlay related configuration with slapcat command. I'm not sure why it is not loaded from the entrypoint.

I'm also facing another issue, after adding the memberOf manually, I'm still not seeing the memberOf attribute on my users (even after removing them from a group and re-adding them). I'm using phpLDAPadmin to check the attribute.

The full command I'm using for launching container is:
docker run -d -p 389:389 --name ldap -e SLAPD_PASSWORD=Password -e SLAPD_DOMAIN=my.domain.com -e SLAPD_ADDITIONAL_MODULES='memberof' -e SLAPD_FORCE_RECONFIGURE=true dinkel/openldap

[dinkel]

Hi davidsan,

Thanks for your bug report!

One of my last commits added a regression with the splitting of lists in entrypoint.sh. It should be fixed now.

I would be happy if you could retest with the latest version...

[davidsan]

The overlay seems to be loaded, as I can see it by slapcat-ing cn=config.
However, the memberOf attribute is not visible on a user belonging to a group. I've used slapcat and phpldapadmin to check.

output of slapcat
output of slapcat -b cn=config

[dinkel]

Your outputs do look good to me! There is no actual attribute memberOf, but member (when used with objectClass: groupOfNames or uniqueMember with objectClass: groupOfUniqueNames).

May I suggest to read through #8, which might help you understand the usage of the memberof overlay better.

[davidsan]

There is an attribute memberOf and that is the whole purpose of this overlay.

[http://www.openldap.org/doc/admin24/overlays.html#Reverse Group Membership Maintenance](http://www.openldap.org/doc/admin24/overlays.html#Reverse Group Membership Maintenance)

I've tested on another OpenLDAP instance, and the memberOf attribute does show up there with slapcat. I've seen issue #8 but I've correctly set the SLAPD_ADDITIONAL_MODULES parameter.

[dinkel]

Thanks for the link. I didn't know about that the memberOf being an attribute (which makes total sense). I thought about it more as a "function" that could be used in queries like

(&(&(|(objectclass=account))(|(memberof=cn=testgroup,ou=Group,dc=example,dc=com)))(uid=test1)) 

So thanks for enlightening me here!

I did a few tests and could "finally" reproduce the problem you are describing! However it only occurs, if I populated the entries in a prepopulation file. If I added it using ldapadd it worked as expected:

dinkel@dale:~/Development/docker-openldap$ docker run --name openldap -d -e SLAPD_PASSWORD=password -e SLAPD_DOMAIN=example.com -e SLAPD_ADDITIONAL_MODULES=memberof dinkel/openldap
53baa542478f0d79faaf706bafb1135c8d2a4db0b184fe2b3f2141dbdf4bc41e
dinkel@dale:~/Development/docker-openldap$ docker exec -it openldap bash
root@53baa542478f:/# apt-get update                                                                                                 
Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Get:2 http://security.debian.org jessie/updates/main amd64 Packages [365 kB]           
Ign http://httpredir.debian.org jessie InRelease                               
Get:3 http://httpredir.debian.org jessie-updates InRelease [142 kB]            
Get:4 http://httpredir.debian.org jessie Release.gpg [2373 B]                           
Get:5 http://httpredir.debian.org jessie Release [148 kB]                                     
Get:6 http://httpredir.debian.org jessie-updates/main amd64 Packages [17.6 kB]
Get:7 http://httpredir.debian.org jessie/main amd64 Packages [9032 kB]
Fetched 9771 kB in 12s (772 kB/s)                                                                                                   
Reading package lists... Done
root@53baa542478f:/# apt-get install ldap-utils
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libsasl2-modules libssl1.0.0
Suggested packages:
  libsasl2-modules-gssapi-mit libsasl2-modules-gssapi-heimdal libsasl2-modules-otp libsasl2-modules-ldap libsasl2-modules-sql
The following NEW packages will be installed:
  ldap-utils libsasl2-modules libssl1.0.0
0 upgraded, 3 newly installed, 0 to remove and 26 not upgraded.
Need to get 1334 kB of archives.
After this operation, 4092 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://httpredir.debian.org/debian/ jessie/main libssl1.0.0 amd64 1.0.1t-1+deb8u2 [1045 kB]
Get:2 http://httpredir.debian.org/debian/ jessie/main ldap-utils amd64 2.4.40+dfsg-1+deb8u2 [188 kB]
Get:3 http://httpredir.debian.org/debian/ jessie/main libsasl2-modules amd64 2.1.26.dfsg1-13+deb8u1 [101 kB]
Fetched 1334 kB in 2s (625 kB/s)         
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libssl1.0.0:amd64.
(Reading database ... 9193 files and directories currently installed.)
Preparing to unpack .../libssl1.0.0_1.0.1t-1+deb8u2_amd64.deb ...
Unpacking libssl1.0.0:amd64 (1.0.1t-1+deb8u2) ...
Selecting previously unselected package ldap-utils.
Preparing to unpack .../ldap-utils_2.4.40+dfsg-1+deb8u2_amd64.deb ...
Unpacking ldap-utils (2.4.40+dfsg-1+deb8u2) ...
Selecting previously unselected package libsasl2-modules:amd64.
Preparing to unpack .../libsasl2-modules_2.1.26.dfsg1-13+deb8u1_amd64.deb ...
Unpacking libsasl2-modules:amd64 (2.1.26.dfsg1-13+deb8u1) ...
Setting up libssl1.0.0:amd64 (1.0.1t-1+deb8u2) ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
Setting up ldap-utils (2.4.40+dfsg-1+deb8u2) ...
Setting up libsasl2-modules:amd64 (2.1.26.dfsg1-13+deb8u1) ...
Processing triggers for libc-bin (2.19-18+deb8u2) ...
root@53baa542478f:/# echo "dn: ou=Group,dc=example,dc=com
> objectclass: organizationalUnit
> ou: Group
> 
> dn: ou=People,dc=example,dc=com
> objectclass: organizationalUnit
> ou: People
> 
> dn: uid=test1,ou=People,dc=example,dc=com
> objectclass: account
> uid: test1
> 
> dn: cn=testgroup,ou=Group,dc=example,dc=com
> objectclass: groupOfNames
> cn: testgroup
> member: uid=test1,ou=People,dc=example,dc=com" > /tmp/entries.ldif
root@53baa542478f:/# ldapadd -D cn=admin,dc=example,dc=com -W -f /tmp/entries.ldif 
Enter LDAP Password: 
adding new entry "ou=Group,dc=example,dc=com"

adding new entry "ou=People,dc=example,dc=com"

adding new entry "uid=test1,ou=People,dc=example,dc=com"

adding new entry "cn=testgroup,ou=Group,dc=example,dc=com"

root@53baa542478f:/# ldapsearch -LLL -x "(uid=test1)" -b "dc=example,dc=com" memberOf                   
dn: uid=test1,ou=People,dc=example,dc=com
memberOf: cn=testgroup,ou=Group,dc=example,dc=com

root@53baa542478f:/# 

Can you confirm that?

I am trying to find a solution to the prepopulation problem...

[davidsan]

I've replayed your commands and indeed can confirm that it is working.
The issue seems to happen when using objectclass: groupOfUniqueNames.

## after playing your commands
root@18192ad8dd98:/# cat /tmp/entries2.ldif 
dn: cn=testgroup2,ou=Group,dc=example,dc=com
objectclass: groupOfUniqueNames
cn: testgroup2
uniqueMember: uid=test1,ou=People,dc=example,dc=com

root@18192ad8dd98:/# ldapadd -D cn=admin,dc=example,dc=com -W -f /tmp/entries2.ldif                                                                                                                   
Enter LDAP Password: 
adding new entry "cn=testgroup2,ou=Group,dc=example,dc=com"

root@18192ad8dd98:/# ldapsearch -LLL -x "(uid=test1)" -b "dc=example,dc=com" memberOf
dn: uid=test1,ou=People,dc=example,dc=com
memberOf: cn=testgroup,ou=Group,dc=example,dc=com

Now, I'm not sure if memberOf overlay should be supported for both or just one of those objectclass.
In osixia/docker-openldap, memberOf is working for groupOfUniqueNames, I haven't check if they support both or just groupOfUniqueNames.

About prepopulation problem, if it happens pre-configuration it can expected as applying memberOf overlay does not add the memberOf attribute to existing relations.