I'm attempting to enable the memberof plugin in version 1.2.11 on CentOS 6.x. Unfortunately, it don't seem to be able to get the plugin enabled and functioning. With plugin logging enabled, I see other plugins logging their startup and functionality, while I see nothing from the memberof plugin despite having enabled it in the configuration. I've tried a variety of different logging levels and configurations, but it just doesn't seem like the code is firing at all. Can anyone suggest what I might be doing wrong or how to further diagnose the issues? Thanks, Craig -- /Craig/ -- 389 users mailing list 389-users(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

Mark, Thanks for getting back to me. Hopefully the following will help. [root@62ca40b09276 /]# rpm -qa 389-ds-base 389-ds-base-1.2.11.15-60.el6.x86_64 In case it matters, I'm running CentOS 6.6 inside of Docker: [root@62ca40b09276 /]# uname -a Linux 62ca40b09276 4.0.9-boot2docker #1 SMP Thu Aug 13 03:05:44 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux I'm using the following LDIF entries to enable the plugin: dn: cn=MemberOf Plugin,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on - replace: memberofgroupattr memberofgroupattr: uniqueMember - replace: memberofattr memberofattr: memberOf

Even after running the fixup task, I wasn't seeing any updates to the member attributes. I enabled plugin logging and didn't see any entries from the memberof plugin whatsoever, which I found very strange. When I was having issues trying to get the roles plugin working correct, I was at least getting error messages in the logs that helped me troubleshoot. Thanks again, Craig On Tue, Sep 8, 2015 at 1:58 PM, Mark Reynolds <mareynol(a)redhat.com <mailto:mareynol@redhat.com>> wrote: Craig, Full version of 389? rpm -qa | grep 389-ds-base You might need to restart the server after enabling the plugin, but how exactly are you "enabling" the plugin though? ldapmodify? Editing dse.ldif? Can you provide your plugin config entry, and what you are doing where the plugin seems to not be working? Mark On 09/08/2015 01:51 PM, Craig Setera wrote: > I'm attempting to enable the memberof plugin in version 1.2.11 on > CentOS 6.x. Unfortunately, it don't seem to be able to get the > plugin enabled and functioning. With plugin logging enabled, I > see other plugins logging their startup and functionality, while > I see nothing from the memberof plugin despite having enabled it > in the configuration. I've tried a variety of different logging > levels and configurations, but it just doesn't seem like the code > is firing at all. Can anyone suggest what I might be doing wrong > or how to further diagnose the issues? > > Thanks, > Craig > > -- > > /Craig/ > > > -- > 389 users mailing list > 389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> > https://admin.fedoraproject.org/mailman/listinfo/389-users -- 389 users mailing list 389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> https://admin.fedoraproject.org/mailman/listinfo/389-users -- 389 users mailing list 389-users(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

I did restart the server. The following is an example of a user entry: dn: uid=craig(a)demo.com <mailto:craig@demo.com>,ou=demo,ou=People,dc=demo,dc=com objectClass: accountPolicy objectClass: inetOrgPerson objectClass: inetUser objectClass: nuxeoUser objectClass: organizationalPerson objectClass: person objectClass: pwmUser objectClass: top cn: Craig Setera sn: Setera givenName: Craig mail: craig(a)demo.com <mailto:craig@demo.com> uid: craig(a)demo.com <mailto:craig@demo.com> Here is an example of a group: dn: cn=administrators,ou=demo,ou=Groups,dc=demo,dc=com objectClass: groupOfUniqueNames objectClass: top cn: administrators uniqueMember: uid=craig(a)demo.com <mailto:craig@demo.com>,ou=demo,ou=People,dc=demo,dc=com The problem that I'm seeing is that having looked at the plugin's source code, I would have expected to at least see this message in the log even if things were misconfigured: slapi_log_error( SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM, "--> memberof_postop_init\n" );

It is almost like the plugin is not being loaded. However, the configuration seems like it should be fine... Thanks again, Craig On Tue, Sep 8, 2015 at 2:12 PM, Mark Reynolds <mareynol(a)redhat.com <mailto:mareynol@redhat.com>> wrote: On 09/08/2015 03:06 PM, Craig Setera wrote: > Mark, > > Thanks for getting back to me. Hopefully the following will help. > > [root@62ca40b09276 /]# rpm -qa 389-ds-base > 389-ds-base-1.2.11.15-60.el6.x86_64 > > In case it matters, I'm running CentOS 6.6 inside of Docker: > > [root@62ca40b09276 /]# uname -a > Linux 62ca40b09276 4.0.9-boot2docker #1 SMP Thu Aug 13 03:05:44 > UTC 2015 x86_64 x86_64 x86_64 GNU/Linux > > I'm using the following LDIF entries to enable the plugin: > > dn: cn=MemberOf Plugin,cn=plugins,cn=config > changetype: modify > replace: nsslapd-pluginEnabled > nsslapd-pluginEnabled: on > - > replace: memberofgroupattr > memberofgroupattr: uniqueMember > - > replace: memberofattr > memberofattr: memberOf > Hi Craig, Did you restart the server after making the above config changes? You need to. Do you have an objectclass present in the member entry that allows the "memberOf" attribute? Like "inetUser". Are you adding a "uniqueMember" attribute to a group(and not the "member" attribute)? Mark -- 389 users mailing list 389-users(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

It works! I figured out why I wasn't getting logging in the first place and convinced myself the plugin was actually running. What I can't figure out is why it didn't seem to be working before, but now it does seem to be working. Very strange, but clearly operator error of some sort. Can you tell me if the fixup process needs to be run manually on a regular basis or does the plugin "hook" changes once it is up and running? I may have been triggering the fixup process incorrectly if it must be run regularly.

Thanks again for the help and sorry for any confusion. Craig On Tue, Sep 8, 2015 at 2:52 PM, Mark Reynolds <mareynol(a)redhat.com <mailto:mareynol@redhat.com>> wrote: On 09/08/2015 03:31 PM, Craig Setera wrote: > I did restart the server. The following is an example of a user > entry: > > dn: uid=craig(a)demo.com > <mailto:craig@demo.com>,ou=demo,ou=People,dc=demo,dc=com > objectClass: accountPolicy > objectClass: inetOrgPerson > objectClass: inetUser > objectClass: nuxeoUser > objectClass: organizationalPerson > objectClass: person > objectClass: pwmUser > objectClass: top > cn: Craig Setera > sn: Setera > givenName: Craig > mail: craig(a)demo.com <mailto:craig@demo.com> > uid: craig(a)demo.com <mailto:craig@demo.com> > > Here is an example of a group: > > dn: cn=administrators,ou=demo,ou=Groups,dc=demo,dc=com > objectClass: groupOfUniqueNames > objectClass: top > cn: administrators > uniqueMember: uid=craig(a)demo.com > <mailto:craig@demo.com>,ou=demo,ou=People,dc=demo,dc=com > > The problem that I'm seeing is that having looked at the plugin's > source code, I would have expected to at least see this message > in the log even if things were misconfigured: > > slapi_log_error( SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM, > "--> memberof_postop_init\n" ); -- 389 users mailing list 389-users(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users