> Hello,
>
> I'm very new to [Open]LDAP (openldap-2.2.26-ubuntu2) and I'm trying to
> make it work with a simple Java application.
> I use the following schemas:
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/java.schema
>
> and I'm populating it with this:
>
> # Define top-level entry
> dn: dc=localdomain
> objectClass: dcObject
> dc: localdomain
>
> # Define an entry to contain people
> dn: ou=people,dc=localdomain
> objectClass: organizationalUnit
> ou: people
>
> # Define a user entry for Pavel
> dn: uid=pavel,ou=people,dc=localdomain
> objectClass: inetOrgPerson
> uid: pavel
> sn: J
> cn: Pavel J
> mail: [EMAIL PROTECTED]
> userPassword: secret
>
> # Define an entry to contain LDAP groups
> dn: ou=groups,dc=localdomain
> objectClass: organizationalUnit
> ou: groups
>
> # Define an entry for the "users" group
> dn: cn=users,ou=groups,dc=localdomain
> objectClass: groupOfNames
> cn: users
> member: uid=pavel,ou=people,dc=localdomain
>
> # Define an entry for the "role1" group
> dn: cn=role1,ou=groups,dc=localdomain
> objectClass: groupOfNames
> cn: role1
> member: uid=pavel,ou=people,dc=localdomain
>
> But when I try to get attributes of uid=pavel,ou=people,dc=localdomain
> through simple Java program or LDAP Browser
> (http://www-unix.mcs.anl.gov/~gawor/ldap/)
> or using:
>
> ldapsearch -x -D 'cn=Manager, dc=localdomain' -W -b 'ou=people, dc=localdomain' uid=pavel
>
> I never get the 'memberOf' attribute[s] back.
>
> Am I missing something in the configuration? Or is something wrong with
> the way I'm querying?
"memberOf" is not part of any standard track schema definition, so it is unlikely that OpenLDAP's slapd can handle it. Moreover, as you're not populating the directory with values for the memberOf attribute, it is very unlikely that you can find occurrences of it in the data. The directory acts according to the garbage-in garbage-out principle, only it doesn't accept all types of garbage, it requires garbage to comply with schema.

If you expect OpenLDAP slapd to implement some automatic update of back-links to group membership you're on the wrong trail. Applications (in this case, those clients that feed the directory) are supposed to maintain them. There has been in the past some activity to implement that in an overlay, so that it is the DSA itself, or rather an embedded client, that maintains that type of consistency; that project hung on the lack of some design issues and on the lack of atomicity in multiple write operations that characterized slapd at that time. I guess LDAP transactions under development for HEAD should solve those issues. You may try to implement your own, or I could try and revitalize that project in my spare time (which might be never based on my current availability of spare time...).

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    [EMAIL PROTECTED]
------------------------------------------
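The reply above says the server only stores the forward link (groupOfNames -> member) and that the client has to derive the reverse one. The following is an added example, not code from either poster or from the OpenLDAP project, showing the two client-side ways of doing that: scanning an LDIF dump for groups that list a given DN, and building the RFC 4515 search filter a client would send to a live server to ask the same question. The sample LDIF is constructed from the entries in the question (one member value deliberately carries spaces around the commas to exercise DN normalisation); the loose `normalize_dn` helper is an assumption that is good enough for these DNs, not a full RFC 4517 DN matcher.

```python
"""Derive "memberOf" on the client side from groupOfNames entries.

Added example for the thread above: slapd stores only group -> member
links, so a client computes the reverse mapping itself, either over an
LDIF dump (member_of) or by asking the server with a search filter
(build_member_filter).
"""
from collections import defaultdict

# Constructed sample, reduced from the LDIF in the question. The last
# member value has spaces around the commas on purpose.
SAMPLE_LDIF = """\
dn: uid=pavel,ou=people,dc=localdomain
objectClass: inetOrgPerson
uid: pavel
cn: Pavel J

dn: cn=users,ou=groups,dc=localdomain
objectClass: groupOfNames
cn: users
member: uid=pavel,ou=people,dc=localdomain

dn: cn=role1,ou=groups,dc=localdomain
objectClass: groupOfNames
cn: role1
member: uid=pavel, ou=people, dc=localdomain
"""


def parse_ldif(text):
    """Minimal LDIF parser returning a list of (dn, {attr: [values]}).

    Handles comments, blank-line separated entries and continuation
    lines (a leading single space continues the previous line). Base64
    (::) values are not supported; enough for plain-text dumps.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current, attrs = [], None, None
    for line in lines + [""]:  # trailing sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append((current, attrs))
            current, attrs = None, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def normalize_dn(dn):
    """Loose DN normalisation (assumption): lowercase, no whitespace
    around RDN separators. Real DN matching per RFC 4517 is richer."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def member_of(entries):
    """Map each normalised member DN to the sorted list of group DNs
    whose groupOfNames entry lists it. This is the back-link the
    directory itself does not maintain."""
    reverse = defaultdict(set)
    for dn, attrs in entries:
        classes = [oc.lower() for oc in attrs.get("objectclass", [])]
        if "groupofnames" in classes:
            for member in attrs.get("member", []):
                reverse[normalize_dn(member)].add(dn)
    return {dn: sorted(groups) for dn, groups in reverse.items()}


def escape_filter_value(value):
    """RFC 4515 escaping: a DN (or any caller-supplied value) placed in a
    filter must not be able to change the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_member_filter(member_dn):
    """Filter a client sends under ou=groups to get the same answer from
    a live server instead of from a dump."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(
        member_dn
    )


if __name__ == "__main__":
    pavel = "uid=pavel,ou=people,dc=localdomain"
    groups = member_of(parse_ldif(SAMPLE_LDIF))
    print("memberOf for %s: %s" % (pavel, groups.get(normalize_dn(pavel), [])))
    print("server-side filter:", build_member_filter(pavel))
```

Against a running slapd the filter would be passed to `ldapsearch -x -b 'ou=groups,dc=localdomain'` with the group's `dn` as the only attribute requested; the escaping matters because the member DN usually comes from user-controlled data (a login name) and unescaped `*` or parentheses would turn the lookup into a different query.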
