docker-openldap: memberOf with groupOfUniqueNames not working

@encryptblockr

I’ve done the following:

a) Load the memberof configuration as provided by Osixia:

ldapmodify -x -H ldap:// -D cn=config -w secret -f ./memberof.ldif
modifying entry "cn=module{0},cn=config"

adding new entry "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"

b) Load your database:

ldapadd -x -H ldap:// -D dc=example,dc=com -w secret -f ./exampledb.ldif

adding new entry "ou=groups,dc=ldap,dc=example,dc=com"

adding new entry "cn=finance,ou=groups,dc=ldap,dc=example,dc=com"

adding new entry "cn=engineering,ou=groups,dc=ldap,dc=example,dc=com"

adding new entry "ou=users,dc=ldap,dc=example,dc=com"

adding new entry "cn=Johnathan Jordan,ou=users,dc=ldap,dc=example,dc=com"

adding new entry "cn=Brandon Britton,ou=users,dc=ldap,dc=example,dc=com"

Now, this fails to generate memberOf because you created the users after you created the groups. This is one of the distinct failings of memberOf in its current form – Users must exist in the database prior to them being added to a group for the overlay to work.

Now if I modify the groups:

ldapmodify -x -H ldap:// -D dc=example,dc=com -w secret
dn: cn=finance,ou=groups,dc=ldap,dc=example,dc=com
changetype: modify
replace: uniqueMember
uniqueMember: cn=Johnathan Jordan,ou=users,dc=ldap,dc=example,dc=com
uniqueMember: cn=Brandon Britton,ou=users,dc=ldap,dc=example,dc=com

modifying entry "cn=finance,ou=groups,dc=ldap,dc=example,dc=com"

dn: cn=engineering,ou=groups,dc=ldap,dc=example,dc=com
changetype: modify
replace: uniqueMember
uniqueMember: cn=Johnathan Jordan,ou=users,dc=ldap,dc=example,dc=com

modifying entry "cn=engineering,ou=groups,dc=ldap,dc=example,dc=com"

The memberOf attribute is correctly created:

ldapsearch -x -LLL -H ldap:// -D dc=example,dc=com -w secret -b dc=ldap,dc=example,dc=com "cn=Brandon Britton" memberOf
dn: cn=Brandon Britton,ou=users,dc=ldap,dc=example,dc=com
memberOf: cn=finance,ou=groups,dc=ldap,dc=example,dc=com

ldapsearch -x -LLL -H ldap:// -D dc=example,dc=com -w secret -b dc=ldap,dc=example,dc=com "cn=Johnathan Jordan" memberOf
dn: cn=Johnathan Jordan,ou=users,dc=ldap,dc=example,dc=com
memberOf: cn=finance,ou=groups,dc=ldap,dc=example,dc=com
memberOf: cn=engineering,ou=groups,dc=ldap,dc=example,dc=com

@encryptblockr We get a lot of unhappy users of Osixia who come to the OpenLDAP project email lists complaining, so I do my best to keep them off the list by answering questions here as much as I can since the OpenLDAP project has no links to Osixia.

@obourdon I can confirm that “memberOf” only works for groupOfUniqueNames and not for groupOfNames. Which log output do you need to investigate this problem?

per the configuration, it is supposed to work with groupOfUniqueNames

https://github.com/osixia/docker-openldap/blob/stable/image/service/slapd/assets/config/bootstrap/ldif/03-memberOf.ldif

you dont use Osixia docker but you in the issue responding to questions? i dont think it takes more than 5 minutes to have one up…just incase you plan to use it ever

memberOf is a custom system developed by Microsoft that has no defined specification and as is currently implemented, is entirely unsafe to use with replication. I personally avoid using memberOf entirely.

@vityafx no problem and many thanks for your answer. Hopefully this now seem to work for you. Will still dig into this later on to see if I can find something worth mentioning