memberOf attribute: Group memberships of user and computer objects

ucs-3
openldap
ucs-4
ldap
memberof

#1

Problem:

Group memberships are noted in the directory service as a preset on the group objects.For it also to be possible to find them via the memberOf attribute on the members? objects themselves, the overlay "memberOf? must be enabled.

Solution: UCS Version >= 4.3-0

Starting with UCS 4.3-0 the memberOf module is activated by default for new installations. To activate memberOf on a updated system, run the following commands, after all (!) UCS systems of the domain are updated to UCS 4.3 :

ucr set ldap/overlay/memberof=yes
service slapd restart
/usr/share/univention-ldap-overlay-memberof/univention-update-memberof

This has to be done for all UCS (LDAP) servers in the domain (after the update to 4.3). Start with all the UCS slave systems, then all backup systems and finally the UCS master.

If there are still system in the domain with a UCS version < 4.3-0, follow the steps in the next chapter.

Solution: UCS Version < 4.3-0

The memberOf overlay module is installed with the LDAP server package (slapd) as standard. However, the overlay is only loaded if the configuration and schema are enabled by installation of the univention-ldap-overlay-memberof package (for this, the system must be updated to at least Version 3.0-2).The consequence of this is:

  1. univention-ldap-overlay-memberof must be installed on all the other UCS system with an OpenLDAP server (Slaves & Backups) in the domains before it is installed on the UCS Master.
  2. New UCS Backups and Slaves) cannot be installed with a subsequent automatic join, as a failed.ldif is created immediately due to the missing schema for the memberOf attributes in the LDAP directory.

New UCS Backups and Slaves must therefore always be installed without a subsequent join:

  1. “univention-ldap-overlay-memberof” must then be subsequently installed manually
    univention-install univention-ldap-overlay-memberof

  2. only then can the system be joined.
    univention-join

Alternatively, an automated or profile-based installation can be choosen and “univention-ldap-overlay-memberof” can be added as a required package there.

When univention-ldap-overlay-memberof is installed, the memberOf overlay module is enabled automatically.

The overlay module can be set using the variables “ldap/overlay/memberof=true/false” and “ldap/overlay/memberof/*”. The memberOf attribute is then set automatically when new users/groups are created. To set the attribute for existing users, the script “/usr/share/univention-ldap-overlay-memberof/univention-update-memberof” must be run once on the UCS Master. As a dynamic attribute, memberOf is only displayed when explicitly requested, e.g.:

univention-ldapsearch '(uid=*)' memberOf

In addition, it can only be used in search filters in combination with static attributes such as “(objectclass=top)”.For this reason, we recommend performing the installation in a test environment first (at least Master & Slave).

Please note: If you installed “univention-ldap-overlay-memberof” on UCS 3.x, anonymous read access to the OpenLDAP directory was granted to the IP address of your system. Since UCS 4.0 this is not necessary anymore and can be removed via:

ucr unset ldap/acl/read/ips

Futher Documentation:


UCS SAML: Additional data from LDAP
LDAP Validierung via Gruppen (hier: Rocket.Chat)
LDAP Auth für externe Systeme