Hi everyone, Thought I would share in case anyone needs or runs into this. Many thanks go out to the freenode #openldap users who helped out.
Since 'memberOf' is an internally built overlay, unless it is specifically specified as a parameter in the query, openldap will not return it. This includes wildcard queries (which some systems, like cisco gear, do). There is a contribution overlay called "allop" that can solve this issue. It lets you define a query scope to trigger, and in those cases it will force all attributes to be returned. See:

http://www.openldap.org/faq/data/cache/1258.html
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=tree;f=contrib/slapd-modules/allop;h=1c2b98d21da887f1ac4ff62580f5e39375a351d3;hb=HEAD

Hopefully this will help someone in future. Thanks again all and Happy Holidays! :)

-Cheers,
Peter.

----- Original Message -----
From: "Peter Brunnengräber" <[email protected]>
To: [email protected]
Sent: Wednesday, December 21, 2011 2:00:14 PM
Subject: Re: [Lam-public] Member attribute on user?

Hi all, Darin, and Roland

Thanks for the input thus far. I am using the memberOf overlay in openldap. I thought it wasn't working, but it was... it just doesn't display with all the attributes of the user.
Here is my example:

ldapsearch -x -b "dc=example,dc=com" -s sub -D "cn=admin,dc=example,dc=com" -w 1234 '(uid=user1)'

# user1, users, example.com
dn: uid=user1,ou=users,dc=example,dc=com
homeDirectory: /home/user1
loginShell: /bin/false
uid: user1
uidNumber: 1001
sn: 1
givenName: user
telephoneNumber: 555-1212
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ipHost
objectClass: radiusprofile
cn: user1
radiusClientIPAddress: 10.60.0.23
userPassword:: asdfaOIAEWASFRnh6ZldVOW9uRkFpMmI=
shadowLastChange: 15329
radiusFramedIPAddress: 10.60.0.2
radiusFramedIPNetmask: 255.255.255.0
gidNumber: 99

ldapsearch -x -b "dc=example,dc=com" -s sub -D "cn=admin,dc=example,dc=com" -w 1234 '(uid=user1)' memberOf

# user1, users, example.com
dn: uid=user1,ou=users,dc=example,dc=com
memberOf: cn=Hosted-Client-Policy,ou=groups,dc=example,dc=com

I realized a bit ago this is an openldap question, and I am happy to take it up there. Just thought since I started the thread I might get some input from everyone.

Thanks again! :)

-Cheers,
Peter.

----- Original Message -----
From: "Darin Perusich" <[email protected]>
To: "Peter Brunnengräber" <[email protected]>, [email protected]
Sent: Wednesday, December 21, 2011 12:51:30 PM
Subject: Re: [Lam-public] Member attribute on user?

That is because your group entries, typically, are separate from your user entries. I'm not sure what you mean by a normal ldap search, but if you want to search for objects that contain member you could do 'ldapsearch -x -LLL memberof=*'. If you want to assign memberOf attributes to your user entries you need to add the appropriate objectClass to said user to add the attributes, which may or may not be a class violation. I'm fairly certain LAM doesn't support this, at least when I was doing this in the past it didn't.

On 12/21/2011 12:32 PM, Peter Brunnengräber wrote:
> Hi Darin,
> Indeed... or memberOf. Looks like I didn't get my protein this morning. After posting I have found some google entries... it doesn't appear under a normal ldap search for some reason unless specified, but it does if I specify it in the search.
>
> Anyone know why that might be?
>
> Thanks!
> -Cheers,
> Peter.
>
> ----- Original Message -----
> From: "Darin Perusich" <[email protected]>
> To: [email protected]
> Sent: Wednesday, December 21, 2011 11:45:48 AM
> Subject: Re: [Lam-public] Member attribute on user?
>
> Do you mean you want 'member' attribute assigned to your user entry?
>
> Such as:
> dn: uid=user1...
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> cn: user1
> uid: user1
> member: group1
>
> On 12/21/2011 11:12 AM, Peter Brunnengräber wrote:
>> Hello all,
>> I have a question about groups...
>>
>> When I add someone to a group, how do I have the "member" attribute become set for the user?
>>
>> Thanks!
>> -Cheers,
>> Peter.

_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
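The following is an added check for the situation Peter describes at the top of the thread; it is not code from the list, from LAM or from OpenLDAP. The memberof overlay's memberOf attribute is an operational attribute, so a search that requests nothing (or only '*') gets the user attributes but never memberOf; it appears only when named explicitly or when '+' (all operational attributes) is added to the attribute list. The script parses two ldapsearch captures of the same entry, one default/wildcard search and one that also asks for memberOf, and lists every attribute that a wildcard-only client would never receive. The two LDIF samples are constructed here to mirror (a shortened version of) Peter's output; the userPassword value is a made-up base64 string, and the folded memberOf line is there to exercise LDIF line continuation.

```python
"""Which attributes does a wildcard-only LDAP client never see?

Added example, not code from the mailing list or from OpenLDAP.
Parses two ldapsearch captures of the same entry and reports the attributes
present only in the one that named memberOf (or requested '+').
"""
import base64
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed capture: ldapsearch -x ... '(uid=user1)'   (default, i.e. wildcard)
WILDCARD_LDIF = """\
# extended LDIF
# filter: (uid=user1)
# requesting: ALL

# user1, users, example.com
dn: uid=user1,ou=users,dc=example,dc=com
homeDirectory: /home/user1
loginShell: /bin/false
uid: user1
uidNumber: 1001
cn: user1
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: radiusprofile
radiusFramedIPAddress: 10.60.0.2
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
gidNumber: 99

# search result
search: 2
result: 0 Success

# numEntries: 1
"""

# Constructed capture: ldapsearch -x -LLL ... '(uid=user1)' '*' memberOf
EXPLICIT_LDIF = """\
dn: uid=user1,ou=users,dc=example,dc=com
homeDirectory: /home/user1
loginShell: /bin/false
uid: user1
uidNumber: 1001
cn: user1
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: radiusprofile
radiusFramedIPAddress: 10.60.0.2
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
gidNumber: 99
memberOf: cn=Hosted-Client-Policy,ou=groups,dc=example,
 dc=com
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch LDIF output into a list of {attribute: [values]}.

    Handles '#' comments, folded continuation lines (leading space) and
    base64 values ('attr:: <b64>'). Blocks without a dn (e.g. the trailing
    'search:/result:' lines of non -LLL output) are dropped.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:            # sentinel flushes the last block
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # 'attr:: <base64>'
            try:
                value = base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8", "replace")
            except ValueError:
                value = rest[1:].strip()    # undecodable: keep the raw text
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return [e for e in entries if "dn" in e]


def missing_from_wildcard(wildcard_ldif: str, explicit_ldif: str) -> Dict[str, Set[str]]:
    """Per DN: attributes the explicit query returned but the wildcard query
    did not, i.e. what a client that only sends wildcard searches never sees.
    LDAP attribute names are case-insensitive, so compare them lowercased."""
    wild = {e["dn"][0]: {a.lower() for a in e} for e in parse_ldif(wildcard_ldif)}
    missing: Dict[str, Set[str]] = {}
    for entry in parse_ldif(explicit_ldif):
        dn = entry["dn"][0]
        seen = wild.get(dn, set())
        gap = {a for a in entry if a != "dn" and a.lower() not in seen}
        if gap:
            missing[dn] = gap
    return missing


if __name__ == "__main__":
    for dn, attrs in missing_from_wildcard(WILDCARD_LDIF, EXPLICIT_LDIF).items():
        print(f"{dn}: hidden from wildcard-only clients: {sorted(attrs)}")
```

To use it against a real server, replace the two constants with captures from `ldapsearch -x -LLL ... '(uid=user1)'` and `ldapsearch -x -LLL ... '(uid=user1)' '*' memberOf` (or `'*' '+'`). Whatever the script lists is what a device that only sends wildcard searches, such as the cisco gear mentioned above, will never receive, and is the gap the allop overlay is meant to close.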
