
memberOf Overlay not working #8

Closed
jacksgt opened this issue Feb 28, 2016 · 6 comments

Comments

@jacksgt

jacksgt commented Feb 28, 2016

Hi,
I'm trying to get the memberOf overlay to work, but unfortunately haven't had much luck with it. It also didn't help that OpenLDAP documentation is pretty poor (specifically for cn=config).

I built the container and ran it with the following command:

docker run (-v mounts here)
        -e SLAPD_FORCE_RECONFIGURE='false' \
        -e SLAPD_PASSWORD='testing' \
        -e SLAPD_DOMAIN='example.com' \
        -e SLAPD_ORGANIZATION='Example' \
        -e SLAPD_ADDTIONAL_MODULES='memberof' \
        -d "dinkel/docker-openldap";

Initial slapcat output:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example
dc: example
structuralObjectClass: organization
entryUUID: bd7664d2-727e-1035-9a17-95e57c39ed3c
entryCSN: 20160228155031.076336Z#000000#000#000000

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9d2lBbGpWOWlLblF3MzRaR2hLYjRnM25HMTdlMjVvOEM=
structuralObjectClass: organizationalRole
entryUUID: bd7b7684-727e-1035-9a18-95e57c39ed3c
entryCSN: 20160228155031.109551Z#000000#000#000000

Next I create the following Organizational Units with LDAP Account Manager:

ou=People,dc=example,dc=com
ou=Groups,dc=example,dc=de

("All changes were successfull" according to LAM).

Now the slapcat output also has the following entries (preceded by the one posted above):

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: 00ffad78-7287-1035-8f61-d54190ab461f
entryCSN: 20160228164940.357217Z#000000#000#000000

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: 012074ae-7287-1035-8f62-d54190ab461f
entryCSN: 20160228164940.572034Z#000000#000#000000

Next I create a Group called "Users":

dn: cn=Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 10000
cn: Users
structuralObjectClass: posixGroup
entryUUID: 69617f5e-7287-1035-8f63-d54190ab461f
entryCSN: 20160228165235.481337Z#000000#000#000000

Finally, I create a User (cn=Mr Test, uid=test) which has "Users" as its primary group:

dn: cn=Mr Test,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/test
loginShell: /bin/bash
uid: test
cn: Mr Test
uidNumber: 10000
gidNumber: 10000
sn: Mr Test
structuralObjectClass: inetOrgPerson
entryUUID: a97ee16c-7287-1035-8f64-d54190ab461f
entryCSN: 20160228165423.048086Z#000000#000#000000

AFAIK, there should be an attribute memberOf. Also, the following LDAP queries do not work:

ldapsearch -x -b "dc=example,dc=com" "(&(uid=*)(memberOf=cn=Users,ou=Groups,dc=example,dc=com))"
ldapsearch -x -b "dc=example,dc=com" "(&(uid=test)(memberOf=cn=Users,ou=Groups,dc=example,dc=com))"
ldapsearch -x -b "dc=example,dc=com" "(&(cn=Mr Test)(memberOf=cn=Users,ou=Groups,dc=example,dc=com))"

All of the above give the same result:

# search result
search: 2
result: 0 Success

Am I missing something here?

I also tried applications like Ampache, but got the response User cn=Mr Test,ou=People,dc=example,dc=com is not a member of group cn=Users,ou=Groups,dc=example,dc=com (which is definitely false).

Any help is appreciated.


EDIT: Removed timestamps and creator information from slapcat output for better readability.

@dinkel
Owner

dinkel commented Feb 28, 2016

It seems that you also need to add the objectClass: groupOfNames to your group members. Then you have the attribute member in your group, where you can link DNs as members, like so: member: cn=Mr Test,ou=People,dc=example,dc=com.

Hope this helps...

@jacksgt
Author

jacksgt commented Feb 28, 2016

Since you also happen to maintain a PHP LDAP Admin image, could you maybe tell me how to do what you just described in the Web interface?
I really can't figure out how to do it...

@dinkel
Owner

dinkel commented Feb 28, 2016

Please note that I am no expert in OpenLDAP; I am still learning and beginning to see the root of your problem. You have to choose between either posixGroup or groupOfNames objectClasses for your groups (I wasn't aware of the fact that you cannot have these two objectClasses side by side in a single object while writing my first answer above). While posixGroup also lets you have lists of memberUids for your groups, you cannot directly query for a list of users that belong to a group. This is (probably) why the memberof (and refint) overlay was created.

Seeing this example setup might help you understand memberof (I am using something very similar):

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: People

dn: cn=john,ou=People,dc=example,dc=com
cn: john
# gidNumber is not really used, but required when using posixAccount
gidnumber: 10000
homedirectory: /home/john
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Doe
uid: john
uidnumber: 1000

dn: cn=max,ou=People,dc=example,dc=com
cn:  max
# gidNumber is not really used, but required when using posixAccount
gidnumber: 10000
homedirectory: /home/max
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Powers
uid: max
uidnumber: 1001

dn: ou=Groups,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: Groups

dn: cn=users,ou=Groups,dc=example,dc=com
cn: users
objectclass: groupOfNames
objectclass: top
member: cn=john,ou=People,dc=example,dc=com
member: cn=max,ou=People,dc=example,dc=com

dn: cn=wheel,ou=Groups,dc=example,dc=com
cn: wheel
objectclass: groupOfNames
objectclass: top
member: cn=john,ou=People,dc=example,dc=com

dn: cn=audio,ou=Groups,dc=example,dc=com
cn: audio
objectclass: groupOfNames
objectclass: top
member: cn=max,ou=People,dc=example,dc=com

# groupOfNames needs at least one member attribute, so empty groups cannot be created
#dn: cn=empty,ou=Groups,dc=example,dc=com
#cn: empty
#objectclass: groupOfNames
#objectclass: top

Now the query strings below should work:

(&(uid=*)(memberOf=cn=users,ou=Groups,dc=example,dc=com))
(&(uid=john)(memberOf=cn=users,ou=Groups,dc=example,dc=com))

If you need GIDs in your groups as well, I don't know how you would do that, as groupOfNames doesn't allow you to have this attribute. DuckDuckGoing showed a few results with hacks that extend the posixGroup with a specially crafted member like attribute and reconfiguring memberof. I didn't try this however!

Btw: In phpLDAPadmin you can create new groups by clicking "Create a child entry" from your "Groups" organizationalUnit, then click on "Default" and choose "groupOfNames" from the list. You are then presented with a DN browser for your members.
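The following is an added example, not code from this issue or from the dinkel/docker-openldap project: a small offline model of what the memberOf overlay does, run over the LDIF posted above. It parses the entries, derives memberOf from the `member` attributes of every `groupOfNames` entry, and then evaluates the two filters from the comment above. A constructed `cn=staff` posixGroup that links its members only via `gidNumber` is included to show why the original setup (posixGroup, primary group by GID) produced no memberOf values. The LDIF reader and filter evaluator are deliberately minimal (no base64 values, no line folding, only `&`, equality and presence filters, DN comparison reduced to case folding), which are simplifications of what slapd actually does.

```python
"""Added example, not code from this issue or the dinkel/docker-openldap
project: an offline model of what the memberOf overlay does, run over the
LDIF from this thread, with a tiny evaluator for the filters used here."""
from collections import defaultdict

# Constructed sample: dinkel's users and "users" groupOfNames, plus a
# posixGroup (cn=staff) that links members only via gidNumber.
SAMPLE_LDIF = """\
dn: cn=john,ou=People,dc=example,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
uid: john
gidnumber: 10000

dn: cn=max,ou=People,dc=example,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
uid: max
gidnumber: 10000

dn: cn=users,ou=Groups,dc=example,dc=com
objectclass: groupOfNames
member: cn=john,ou=People,dc=example,dc=com
member: cn=max,ou=People,dc=example,dc=com

dn: cn=staff,ou=Groups,dc=example,dc=com
objectclass: posixGroup
gidnumber: 10000
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64, no folding): {dn: {attr_lower: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def apply_memberof(entries, group_class="groupofnames", member_attr="member"):
    """Mimic the overlay: for every entry of the group objectClass, add the
    group DN to each listed member's memberOf. gidNumber links of a
    posixGroup are not followed, so they never produce a memberOf value."""
    for group_dn, attrs in entries.items():
        if group_class not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        for member_dn in attrs.get(member_attr, []):
            member = entries.get(member_dn)
            if member is not None and group_dn not in member["memberof"]:
                member["memberof"].append(group_dn)
    return entries


def parse_filter(text):
    """Parse the filter subset used in the thread: (&(...)(...)), (attr=value)
    and presence (attr=*). DN values are compared as case-folded strings,
    a simplification of real DN matching."""
    pos = 0

    def node():
        nonlocal pos
        assert text[pos] == "(", "expected '(' at offset %d" % pos
        pos += 1
        if text[pos] == "&":
            pos, children = pos + 1, []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # skip the closing ')'
            return ("&", children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    return node()


def matches(node, attrs):
    if node[0] == "&":
        return all(matches(child, attrs) for child in node[1])
    _, attr, value = node
    values = attrs.get(attr, [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)


def search(entries, filter_text):
    """Sorted DNs matching filter_text, like the ldapsearch calls in the thread."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))


if __name__ == "__main__":
    db = apply_memberof(parse_ldif(SAMPLE_LDIF))
    for f in ("(&(uid=*)(memberOf=cn=users,ou=Groups,dc=example,dc=com))",
              "(&(uid=*)(memberOf=cn=staff,ou=Groups,dc=example,dc=com))"):
        print(f, "->", search(db, f))
```

Running it lists john and max for the `cn=users` groupOfNames filter and nothing for the `cn=staff` posixGroup filter, even though both users carry `gidNumber: 10000`. That is the behaviour the thread is chasing: the overlay only maintains memberOf for the configured group class and member attribute, and a posixGroup referenced by GID alone is invisible to it.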

@jacksgt
Author

jacksgt commented Feb 29, 2016

First of all, I'd like to thank you very much for your in-depth description.

I tinkered around a bit with the various settings and forms inside PLA, but wasn't able to achieve any success. So I decided to just copy&paste your LDIF into my server.
However, I'm still not able to get this functionality working. LDAP is kind of driving me crazy.

I created a fresh Docker container and imported your LDIF posted above via PHP LDAP Admin (successfully, no errors or warnings):
Pastebin

These queries are still not working:

root@openldap:/# ldapsearch -x -b "dc=example,dc=com" "(&(uid=*)(memberOf=cn=users,ou=Groups,dc=example,dc=com))"
# base <dc=example,dc=com> with scope subtree
# filter: (&(uid=*)(memberOf=cn=users,ou=Groups,dc=example,dc=com))
# requesting: ALL
# search result
search: 2
result: 0 Success
# numResponses: 1
root@openldap:/# ldapsearch -x -b "dc=example,dc=com" "(&(uid=john)(memberOf=cn=users,ou=Groups,dc=example,dc=com))"
# base <dc=example,dc=com> with scope subtree
# filter: (&(uid=john)(memberOf=cn=users,ou=Groups,dc=example,dc=com))
# requesting: ALL
# search result
search: 2
result: 0 Success
# numResponses: 1

Any other ideas?

@dinkel
Owner

dinkel commented Feb 29, 2016

This looks as if the memberof module wasn't loaded ... at least I got the same results as you when running the container without it. Are you sure you did add -e SLAPD_ADDITIONAL_MODULES=memberof?

Note that if you have a volume connected that saves your configuration, you need to add -e SLAPD_FORCE_RECONFIGURE=true for reconfiguration.

You can quite easily check this in phpLDAPadmin, when clicking on "schema" and then try to find "olcMemberOf" in the drop down list.

@jacksgt
Author

jacksgt commented Feb 29, 2016

Oh my goodness. I am so sorry for wasting your time.
From the original post:

docker run (-v mounts here)
        -e SLAPD_FORCE_RECONFIGURE='false' \
        -e SLAPD_PASSWORD='testing' \
        -e SLAPD_DOMAIN='example.com' \
        -e SLAPD_ORGANIZATION='Example' \
        -e SLAPD_ADDTIONAL_MODULES='memberof' \
        -d "dinkel/docker-openldap";
SLAPD_ADDTIONAL_MODULES
SLAPD_ADDITIONAL_MODULES

I would have never found this issue without you!
(I checked in PLA, and the olcMemberOf Attribute was not present.)

I am really glad you helped me out, @dinkel !
