
ID #1278

memberOf attribute: Group memberships of user and computer objects

UCS Version 4.0

By default, group memberships are stored in the directory service on the group objects. For them also to be discoverable via the memberOf attribute on the members' objects themselves, the "memberOf" overlay must be enabled.


The memberOf overlay module is installed with the LDAP server package (slapd) by default. However, the overlay is only loaded if the configuration and schema are enabled by installing the univention-ldap-overlay-memberof package (for this, the system must be updated to at least Version 3.0-2). The consequence of this is:

  1. univention-ldap-overlay-memberof must be installed on all the other UCS systems with an OpenLDAP server (Slaves & Backups) in the domain before it is installed on the UCS Master.
  2. New UCS Backups and Slaves cannot be installed with a subsequent automatic join, as a failed.ldif is created immediately due to the missing schema for the memberOf attributes in the LDAP directory.

New UCS Backups and Slaves must therefore always be installed without a subsequent join:

  1. "univention-ldap-overlay-memberof" must then be installed manually:
    • -> univention-install univention-ldap-overlay-memberof
  2. Only then can the system be joined:
    • -> univention-join

Alternatively, an automated or profile-based installation can be chosen and "univention-ldap-overlay-memberof" can be added as a required package there.

When univention-ldap-overlay-memberof is installed, the memberOf overlay module is enabled automatically.

The overlay module can be configured using the variables "ldap/overlay/memberof=true/false" and "ldap/overlay/memberof/*". The memberOf attribute is then set automatically when new users/groups are created. To set the attribute for existing users, the script "/usr/share/univention-ldap-overlay-memberof/univention-update-memberof" must be run once on the UCS Master. As a dynamic attribute, memberOf is only displayed when explicitly requested, e.g.:

-> univention-ldapsearch  '(uid=*)' memberOf

In addition, it can only be used in search filters in combination with static attributes such as "(objectclass=top)". For this reason, we recommend performing the installation in a test environment first (at least Master & Slave).
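The filter restriction described above, as an added example that is not part of the original FAQ: shell functions that combine memberOf with the static "(objectclass=top)" term and escape the group DN so that special characters cannot alter the filter. The function names and the group DN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build an LDAP filter that uses memberOf together with a
# static attribute, as the FAQ requires. Function names are hypothetical
# and the group DN in the usage comment is a constructed sample.

# Escape the RFC 4515 filter metacharacters in an assertion value so that a
# group name containing "\", "*", "(" or ")" cannot change the filter's
# structure. The backslash is replaced first so later escapes stay intact.
ldap_escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Combine the dynamic memberOf match with the static (objectclass=top) term.
memberof_filter() {
    printf '(&(objectclass=top)(memberOf=%s))' \
        "$(ldap_escape_filter_value "$1")"
}

# List the objects that are members of the given group. memberOf is
# requested explicitly because it is not displayed otherwise.
members_of_group() {
    univention-ldapsearch "$(memberof_filter "$1")" uid memberOf
}

# Constructed usage, on a UCS system with the overlay enabled:
#   members_of_group 'cn=Domain Admins,cn=groups,dc=example,dc=com'
```
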

Please note: If you installed "univention-ldap-overlay-memberof" on UCS 3.x, anonymous read access to the OpenLDAP directory was granted to the IP address of your system. Since UCS 4.0 this is no longer necessary and the setting can be removed via:

ucr unset ldap/acl/read/ips


Last update: 2017-03-30 10:50
Author: Tim Petersen
Revision: 1.3
