osixia/docker-openldap

memberOf not part of the operational attributes in 1.5.0

EugenMayer opened this issue · 1 comments

Expected

I am aware of the mass of older and newer memberOf questions (and issues) and I have looked at most of them (hopefully). As far as I understand and could check in the docker image, memberOf support was added by default and should work out of the box if the steps I describe in Setup are taken care of.

Setup

  • one uses a groupOfUniqueNames based group, which I do, see
  • one uses uniqueMember for the members in the group, which I do, see
  • not sure, but it might be needed to use LDAP_RFC2307BIS_SCHEMA=true, which I tried, see - did not help either

As you can see, I am using the vanilla image and an LDIF import via the mount here. It is a fairly easy setup to get a provisioned "test ldap" up and running with users, groups, and that's about it.

Reproduction

You can reproduce this entirely, including a test LDAP:

git clone https://github.com/EugenMayer/docker-image-ldapexample
cd docker-image-ldapexample
docker-compose up -d
ldapsearch -x -H ldap://localhost:20389 -b "dc=kontextwork-test,dc=de" -D"cn=admin,dc=kontextwork-test,dc=de" -w"admin" + | grep memberOf

You should see no output

Background

I would say the setup is fairly vanilla and well documented, so we could finally iron out why so many people have struggles. You can see the docs for this image under README.md - admin credentials / port can be seen in the ldapsearch above (and in the readme). You can also check the LDIF used

SPOILER: I have this docker image running in production and an older build, both working with memberOf, but the config is based on upgrades from most probably 1.0. This might be the reason they are working.

After skimming through the issues I found this one little hint about the order: #304 (comment)

Basically I moved the groups to the very end of the LDIF, creating the users before: EugenMayer/docker-image-ldapexample@ef3d71c

This was all that was missing. Of course, that is neither obvious nor easy to spot / understand, so this will surely cost other people's time too. That LDIF was dumped via ApacheStudio and the order is the order in the tree, and since the accounts come after the groups, importing that LDIF will fail for memberOf.

So one has to configure nothing for memberOf to work unless:

  • you want the group to have a different objectClass than groupOfUniqueNames
  • you want the group to have a different member attribute than uniqueMember

So you do not need to activate LDAP_RFC2307BIS_SCHEMA or add anything else.

Be sure, if you use ldapsearch, to either search with + to include operational attributes, or to request memberOf specifically.

Not sure whether we should close this ticket or iron it out to be the standing example / source for the docs on what is needed in the current form / 1.5.0.
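The ordering dependency discussed in this thread, as an added example that is not code from osixia/docker-openldap or from the example repository: a small Python script that parses an LDIF, reports any groupOfUniqueNames / groupOfNames entry that appears before an entry it references, and reorders the records so that all groups come last (the same fix applied by hand above). The sample LDIF, its DNs and the function names are constructed for this example.

```python
# Added example, not osixia/docker-openldap code: the memberOf overlay fills in
# memberOf when a group entry is written, so a group imported before the entries
# it references leaves them without memberOf. Flag such groups, then reorder.
GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}
MEMBER_ATTRS = {"uniquemember", "member"}

# Constructed sample in tree-export order: the group precedes its member.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=test
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=alice,ou=people,dc=example,dc=test

dn: uid=alice,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
uid: alice
cn: Alice
"""

def parse_ldif(text):
    """Parse to [(dn, [(attr, value), ...])]; base64 ('::') values stay undecoded."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 folded continuation line
        elif raw == "" and lines:
            records.append(lines); lines = []
        elif raw and not raw.startswith(("#", "version:")):
            lines.append(raw)
    out = []
    for rec in records:
        attrs = [(a.strip(), v.strip()) for a, v in (l.split(":", 1) for l in rec)]
        out.append((next(v for a, v in attrs if a.lower() == "dn"), attrs))
    return out

def is_group(attrs):
    return any(a.lower() == "objectclass" and v.lower() in GROUP_CLASSES
               for a, v in attrs)

def groups_before_members(records):
    """DNs of groups that appear before at least one entry they reference."""
    pos = {dn.lower(): i for i, (dn, _) in enumerate(records)}
    return [dn for i, (dn, attrs) in enumerate(records) if is_group(attrs)
            and any(pos.get(v.lower(), -1) > i
                    for a, v in attrs if a.lower() in MEMBER_ATTRS)]

def reorder(records):
    # Non-group entries first (relative order kept), then every group entry.
    return ([r for r in records if not is_group(r[1])]
            + [r for r in records if is_group(r[1])])
```

`reorder` returns records in the same form `parse_ldif` produces; writing them back out as `attr: value` lines separated by blank lines gives an LDIF that the container's bootstrap import can load with memberOf populated.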