Group memberships are noted in the directory service as a preset on the group objects.For it also to be possible to find them via the memberOf attribute on the members? objects themselves, the overlay "memberOf? must be enabled.
The memberOf overlay module is installed with the LDAP server package (slapd) as standard. However, the overlay is only loaded if the configuration and schema are enabled by installation of the univention-ldap-overlay-memberof package (for this, the system must be updated to at least Version 3.0-2).The consequence of this is:
- univention-ldap-overlay-memberof must be installed on all the other UCS system with an OpenLDAP server (Slaves & Backups) in the domains before it is installed on the UCS Master.
- New UCS Backups and Slaves) cannot be installed with a subsequent automatic join, as a failed.ldif is created immediately due to the missing schema for the memberOf attributes in the LDAP directory.
New UCS Backups and Slaves must therefore always be installed without a subsequent join:
“univention-ldap-overlay-memberof” must then be subsequently installed manually
only then can the system be joined.
Alternatively, an automated or profile-based installation can be choosen and “univention-ldap-overlay-memberof” can be added as a required package there.
When univention-ldap-overlay-memberof is installed, the memberOf overlay module is enabled automatically.
The overlay module can be set using the variables “ldap/overlay/memberof=true/false” and “ldap/overlay/memberof/*”. The memberOf attribute is then set automatically when new users/groups are created. To set the attribute for existing users, the script “/usr/share/univention-ldap-overlay-memberof/univention-update-memberof” must be run once on the UCS Master. As a dynamic attribute, memberOf is only displayed when explicitly requested, e.g.:
univention-ldapsearch '(uid=*)' memberOf
In addition, it can only be used in search filters in combination with static attributes such as “(objectclass=top)”.For this reason, we recommend performing the installation in a test environment first (at least Master & Slave).
Please note: If you installed “univention-ldap-overlay-memberof” on UCS 3.x, anonymous read access to the OpenLDAP directory was granted to the IP address of your system. Since UCS 4.0 this is not necessary anymore and can be removed via:
ucr unset ldap/acl/read/ips