[389-users] memberof plugin unreliable?

Justin Edmands shockwavecs at gmail.com
Mon Aug 12 18:55:06 UTC 2013




On Aug 12, 2013, at 2:26 PM, Morgan Jones <morgan at morganjones.org> wrote:

> 
> 
> I have a client running CentOS directory 8.2.8, CentOS 5.  We have two multi-masters with two read-only replicas.
> 
> We enabled the memberof plugin and it shows group memberships unreliably at best.  Is this a known issue, or am I perhaps missing something?
> 
> For example:
> 
> ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb ou=groups,dc=domain,dc=org  cn=orgfulladminaccess
> dn: cn=orgfulladminaccess,ou=groups,dc=domain,dc=org
> uniqueMember: uid=rfw,ou=employees,dc=domain,dc=org
> uniqueMember: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
> uniqueMember: uid=sathomas,ou=employees,dc=domain,dc=org
> uniqueMember: uid=rbateman,ou=employees,dc=domain,dc=org
> uniqueMember: uid=kacless,ou=employees,dc=domain,dc=org
> uniqueMember: uid=selectivesync,ou=employees,dc=domain,dc=org
> uniqueMember: uid=cverrill,ou=employees,dc=domain,dc=org
> uniqueMember: uid=morgan,ou=employees,dc=domain,dc=org
> uniqueMember: uid=fullAdminAccessUser,ou=people,dc=domain,dc=org
> objectClass: top
> objectClass: groupofuniquenames
> description: Group with full administrator access.
> cn: orgFullAdminAccess
> 
> anderson:~ morgan$
> 
> 
> 
> Notice that just two users are returned when I search for memberof=cn=orgfulladminaccess...
> 
> anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap01.domain.net -D cn=directory\ manager -LLLb dc=domain,dc=org  memberof=cn=orgfulladminaccess,ou=groups,dc=domain,dc=org dn
> dn: uid=kacless,ou=employees,dc=domain,dc=org
> 
> dn: uid=morgan,ou=employees,dc=domain,dc=org
> 
> anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb dc=domain,dc=org  memberof=cn=orgfulladminaccess,ou=groups,dc=domain,dc=org dn
> dn: uid=kacless,ou=employees,dc=domain,dc=org
> 
> dn: uid=morgan,ou=employees,dc=domain,dc=org
> 
> 
> I did consider this possibility but I struggle to believe that I have to set up partial replication throughout just to get memberof working:
> 
> http://www.redhat.com/archives/fedora-directory-users/2009-November/msg00058.html
> 
> 
> 
> Here's the config on all four hosts:
> 
> Masters:
> 
> anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginPath: libmemberof-plugin
> nsslapd-pluginInitfunc: memberof_postop_init
> nsslapd-pluginType: postoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> memberofgroupattr: uniqueMember
> memberofattr: memberOf
> nsslapd-pluginId: memberof
> nsslapd-pluginVersion: 8.2.8
> nsslapd-pluginVendor: CentOS
> nsslapd-pluginDescription: memberof plugin
> 
> anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm02.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginPath: libmemberof-plugin
> nsslapd-pluginInitfunc: memberof_postop_init
> nsslapd-pluginType: postoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> memberofgroupattr: uniqueMember
> memberofattr: memberOf
> nsslapd-pluginId: memberof
> nsslapd-pluginVersion: 8.2.8
> nsslapd-pluginVendor: CentOS
> nsslapd-pluginDescription: memberof plugin
> 
> anderson:~ morgan$ 
> 
> 
> read-only consumers:
> 
> anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap01.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginPath: libmemberof-plugin
> nsslapd-pluginInitfunc: memberof_postop_init
> nsslapd-pluginType: postoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> memberofgroupattr: uniquemember
> memberofattr: memberOf
> nsslapd-pluginId: memberof
> nsslapd-pluginVersion: 8.2.8
> nsslapd-pluginVendor: CentOS
> nsslapd-pluginDescription: memberof plugin
> 
> anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap02.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginPath: libmemberof-plugin
> nsslapd-pluginInitfunc: memberof_postop_init
> nsslapd-pluginType: postoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> memberofgroupattr: uniquemember
> memberofattr: memberOf
> nsslapd-pluginId: memberof
> nsslapd-pluginVersion: 8.2.8
> nsslapd-pluginVendor: CentOS
> nsslapd-pluginDescription: memberof plugin
> 
> anderson:~ morgan$ 
> 
> 
> thanks,
> 
> -morgan
> 

I am almost positive that fractional replication is required for that plugin.

Anything in logs about unwilling to perform?

The whole "unreliable at best" comment makes me think the new entries will work but not existing. Is this true?

For existing entries, did you run the fix-up task mentioned in the link below?

http://directory.fedoraproject.org/wiki/MemberOf_Plugin
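As an added example (not code from this thread or from 389 DS), here is the same forward/reverse comparison Morgan did by hand, run against constructed copies of the output quoted above; on each replica, listing the members of the group that do not come back from the `memberOf=<group DN>` search turns "unreliable at best" into a concrete, per-host list that can be compared before and after the fix-up task. The names `parse_ldif`, `normalize_dn` and `memberof_gaps` are my own.

```python
# Constructed sample: the group entry and the memberOf search result quoted in this thread.
GROUP_LDIF = """dn: cn=orgfulladminaccess,ou=groups,dc=domain,dc=org
uniqueMember: uid=rfw,ou=employees,dc=domain,dc=org
uniqueMember: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
uniqueMember: uid=kacless,ou=employees,dc=domain,dc=org
uniqueMember: uid=morgan,ou=employees,dc=domain,dc=org
objectClass: groupofuniquenames
cn: orgFullAdminAccess
"""
MEMBEROF_LDIF = """dn: uid=kacless,ou=employees,dc=domain,dc=org

dn: uid=morgan,ou=employees,dc=domain,dc=org
"""

def parse_ldif(text):
    """Parse ldapsearch -LLL output into a list of {attr_lowercase: [values]}.
    Folded lines (leading space) are unwrapped; a blank line ends an entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def normalize_dn(dn):
    """Crude DN normalisation (lower-case, strip spaces around RDNs); attribute
    names and most DN components compare case-insensitively in LDAP."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def memberof_gaps(group_ldif, memberof_ldif, member_attr="uniquemember"):
    """Return (members with no memberOf hit, memberOf hits that are not members)."""
    group = parse_ldif(group_ldif)[0]
    forward = {normalize_dn(v) for v in group.get(member_attr, [])}
    reverse = {normalize_dn(e["dn"][0]) for e in parse_ldif(memberof_ldif)}
    return sorted(forward - reverse), sorted(reverse - forward)
```

Members that live outside the base the second search covers (here the `o=NetscapeRoot` admin entry) will always appear in the first list, so filter those out before treating a gap as a plugin or replication problem.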