Hello,
I’ve installed the memberOf overlay module today (first on slaves, last on master). The I’ve run the script on the DC Master. But it seems to be working only on the DC Master:
univention-ldapsearch uid=username memberOf
On the DC Slaves and the DC Backup the result is empty (not the output of course).
Is this the expected behavior?
EDIT: I’ve checked for replication errors already.
Hey,
please check the UCR variable ldap/overlay/memberof on the affected servers. If is set to false, set it to true and run /usr/share/univention-ldap-overlay-memberof/univention-update-memberof afterwards.
Kind regards,
mosu
It’s everywhere set to true.
Hey,
please run the script regardless of the value of said variable. Then run the search again.
Please note that the attribute is only output if it’s actually requested:
[0 root@uma ~] univention-ldapsearch uid=mosu | grep -i memberof
[1 root@uma ~] univention-ldapsearch uid=mosu memberof | grep -i memberof
# requesting: memberof
memberOf: cn=vj,cn=groups,dc=ucstest,dc=bunkus,dc=org
Kind regards,
mosu
I’ve run rerun the script
/usr/share/univention-ldap-overlay-memberof/univention-update-memberof
I’ve also tried this:
ucr set ldap/overlay/memberof='true'
systemctl restart slapd.service
But the output is still the same:
# univention-ldapsearch uid=username memberof | grep -i memberof
# requesting: memberof
Hey,
I’ve just verified that the following steps work on my installation where the overlay was disabled:
ucr set ldap/overlay/memberof=true
slapd.conf file. The following should return a line containing overlay memberof: grep 'overlay.*memberof' /etc/ldap/slapd.conf
systemctl restart slapd.service
memberOf attribute: univention-ldapsearch uid=mbunkus memberof
Kind regards,
mosu
Strange, but it doesn’t help.
Have you made sure your slapd.conf contains the following section:
moduleload memberof.so
overlay memberof
memberof-group-oc posixGroup
memberof-member-ad uniqueMember
memberof-memberof-ad memberOf
memberof-dangling ignore
memberof-dn cn=admin,dc=ucstest,dc=bunkus,dc=org
memberof-refint false
(with your DN for memberof-dn, of course)
Yes:
# /etc/univention/templates/files/etc/ldap/slapd.conf.d/41univention-ldap-overlay-memberof
moduleload memberof.so
overlay memberof
memberof-group-oc posixGroup
memberof-member-ad uniqueMember
memberof-memberof-ad memberOf
memberof-dangling ignore
memberof-dn cn=admin,dc=top2,dc=top1
memberof-refint false
Hey,
looks good. Welp, I’m out of of ideas for the time being 
m.
Hey,
addendum. I wrote above that I got it working. However, that was on a DC Master.
I’ve now run into the same problem you’ve described on a DC Slave (on 4.3-0, but that shouldn’t matter in this case). After installing & enabling the overlay, after running the update script, an LDAP search didn’t show the memberof attributes.
What helped was simply re-joining the DC Slave into the domain. Directly after univention-join had completed, an LDAP search did output the memberOf attribute. So just re-join both your DC Backup and DC Slave and see if that helps. The process isn’t dangerous as no data will be lost.
Kind regards,
mosu
Ok thank you for the hint.
I’ve also added a user to a group and the memberOf attribute is there for all members of this group.
Hey,
hmm… maybe you could try running that script /usr/share/univention-ldap-overlay-memberof/univention-update-memberof once more on the DC Master (instead of on the DC Backup/DC Slave) before trying the re-join and see if that makes a difference. What that script seems to be supposed to be doing is to trigger an update to the membership of all groups so that the LDAP server updates its memberOf overlay automatically. It’s possible that such a change doesn’t actually work on DC Slave/DC Backups as the Master’s OpenLDAP is the only writable one in a domain (the OpenLDAP structure is a classical single master/multiple slaves structure with the Master’s OpenLDAP being the master — unlike the Samba LDAPs where all AD DC LDAPs are writable and where bi-directional synchronization takes place).
Rerunning doesn’t help. But before I’ll try a rejoin, I’l do a migration to the MDB backend. Maybe this will help.
The migration doesn’t help.