memberOf attribute: Group memberships of user and computer objects

Knowledge Base Supported
, , , ,
#1

Problem:

Group memberships are noted in the directory service as a preset on the group objects. For it also to be possible to find them via the memberOf attribute on the member objects themselves, the overlay memberOf must be enabled.

Solution: UCS Version >= 4.3-0

Starting with UCS 4.3-0 the memberOf module is activated by default for new installations. To activate memberOf on a updated system, run the following commands, after all (!) UCS systems of the domain are updated to UCS 4.3 :

ucr set ldap/overlay/memberof=true
service slapd restart
/usr/share/univention-ldap-overlay-memberof/univention-update-memberof

This has to be done for all UCS (LDAP) servers in the domain (after the update to 4.3). Start with all the UCS slave systems, then all backup systems and finally the UCS master.

If there are still system in the domain with a UCS version < 4.3-0, follow the steps in the next chapter.

Solution: UCS Version < 4.3-0

The memberOf overlay module is installed with the LDAP server package (slapd) as standard. However, the overlay is only loaded if the configuration and schema are enabled by installation of the univention-ldap-overlay-memberof package (for this, the system must be updated to at least Version 3.0-2).The consequence of this is:

  1. univention-ldap-overlay-memberof must be installed on all the other UCS system with an OpenLDAP server (Slaves & Backups) in the domains before it is installed on the UCS Master.
  2. New UCS Backups and Slaves) cannot be installed with a subsequent automatic join, as a failed.ldif is created immediately due to the missing schema for the memberOf attributes in the LDAP directory.

New UCS Backups and Slaves must therefore always be installed without a subsequent join:

  1. univention-ldap-overlay-memberof must then be subsequently installed manually
    univention-install univention-ldap-overlay-memberof

  2. only then can the system be joined.
    univention-join

Alternatively, an automated or profile-based installation can be choosen and univention-ldap-overlay-memberof can be added as a required package there.

When univention-ldap-overlay-memberof is installed, the memberOf overlay module is enabled automatically.

The overlay module can be set using the variables ldap/overlay/memberof=true/false and ldap/overlay/memberof/\. The memberOf attribute is then set automatically when new users/groups are created. To set the attribute for existing users, the script /usr/share/univention-ldap-overlay-memberof/univention-update-memberof must be run once on the UCS Master.

Important:

As a dynamic attribute, memberOf is only displayed when explicitly requested, e.g.:

univention-ldapsearch  '(uid=*)' memberOf

In addition, it can only be used in search filters in combination with static attributes such as (objectclass=top). For this reason, we recommend performing the installation in a test environment first (at least Master & Slave).

Please note: If you installed univention-ldap-overlay-memberof on UCS 3.x, anonymous read access to the OpenLDAP directory was granted to the IP address of your system. Since UCS 4.0 this is not necessary anymore and can be removed via:

ucr unset ldap/acl/read/ips

Futher Documentation:

UCS SAML: Additional data from LDAP
LDAP Validierung via Gruppen (hier: Rocket.Chat)
LDAP Auth für externe Systeme
FreeRadius / OpenLDAP Authorisation - Group membership checking
PFSense via LDAP or Radius to UCS
Problem: Restricting Portal Entries to Groups will Make them Disappear
Group memberships not shown in UMC after Upgrade
User authentication from external system to USC-LDAP. memberOf
Vmware vCenter Server 6.7 -- ldap will not bind
Dansguardian Problem with upgrade to 4.4.1
Mastodon