Enabling the memberof overlay for openldap

The memberof overlay is handy for querying whether a given user in an LDAP directory is a member of a given group. However, the module has to be loaded and the overlay configured to work with groupOfNames, which I'm using instead of posixGroup. With the dynamic configuration in cn=config this is not self-explanatory.

This is a post from my old blog http://tech.cbjck.de. It has been moved here and slightly edited for better readability. It's also been adjusted to the new layout.
The content however is old and might be outdated.

I’ve found a solution here: http://serverfault.com/questions/73213/how-do-i-configure-reverse-group-membership-maintenance-on-an-openldap-server

First create two LDIF files. memberof_add.ldif loads the module:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

and memberof_config.ldif configures the overlay on the database:

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Then import these settings into your LDAP server:

ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_add.ldif
ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_config.ldif

Now you can use the memberOf attribute that the overlay maintains to list the members of a group with a filter like this:

(&(objectClass=inetOrgPerson)(memberOf=cn=somegroup,ou=groups,dc=example,dc=net))
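Two things tend to bite once an application starts using this filter: the group DN usually comes from configuration or user input, so it has to be escaped before it is pasted into the filter, and groups that already existed when the overlay was loaded do not get memberOf back-filled, so a quick consistency audit is worth running after the ldapadd steps above. The following Python is an added example, not code from the original post. It uses only the standard library, works on constructed sample entries shaped like ldapsearch output, and the names (escape_filter_value, member_filter, normalize_dn, is_member, missing_memberof) and the sample DNs are my own; normalize_dn assumes plain DNs without escaped commas.

```python
"""Build the memberOf search filter safely and audit memberOf consistency.
Added example (not from the original post); standard library only."""
from typing import Dict, List, Tuple

# RFC 4515 escaping for values placed inside a search filter. Without this a
# value containing '*', '(' or ')' changes the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(group_dn: str, person_oc: str = "inetOrgPerson") -> str:
    """Same filter as in the post, with the group DN escaped first."""
    return f"(&(objectClass={person_oc})(memberOf={escape_filter_value(group_dn)}))"


def normalize_dn(dn: str) -> str:
    """Trim spaces around RDNs and case-fold so DNs compare the way the
    server does for cn/ou/dc values (assumption: no escaped commas in DNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member(entry: Dict[str, List[str]], group_dn: str) -> bool:
    """True if the entry's memberOf values contain group_dn (normalized)."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(v) == target for v in entry.get("memberOf", []))


def missing_memberof(
    groups: Dict[str, List[str]], users: Dict[str, Dict[str, List[str]]]
) -> List[Tuple[str, str]]:
    """Return (user_dn, group_dn) pairs where the group lists the user in
    'member' but the user entry has no matching memberOf. Groups created
    before the overlay was enabled show up here until they are re-added."""
    by_dn = {normalize_dn(dn): entry for dn, entry in users.items()}
    gaps: List[Tuple[str, str]] = []
    for group_dn, members in groups.items():
        for member_dn in members:
            entry = by_dn.get(normalize_dn(member_dn))
            if entry is not None and not is_member(entry, group_dn):
                gaps.append((member_dn, group_dn))
    return gaps


# Constructed sample data: the 'member' values of two groups and the memberOf
# values of two users, as an ldapsearch over the directory might return them.
# cn=oldgroup stands for a group that existed before the overlay was loaded.
GROUPS = {
    "cn=somegroup,ou=groups,dc=example,dc=net": [
        "uid=alice,ou=people,dc=example,dc=net",
        "uid=bob,ou=people,dc=example,dc=net",
    ],
    "cn=oldgroup,ou=groups,dc=example,dc=net": ["uid=bob,ou=people,dc=example,dc=net"],
}
USERS = {
    "uid=alice,ou=people,dc=example,dc=net": {
        "memberOf": ["cn=somegroup,ou=groups,dc=example,dc=net"]
    },
    # Different spacing and case than the group entry; still the same DN.
    "uid=bob,ou=people,dc=example,dc=net": {
        "memberOf": ["CN=someGroup, ou=groups, dc=example, dc=net"]
    },
}

if __name__ == "__main__":
    print(member_filter("cn=somegroup,ou=groups,dc=example,dc=net"))
    print("escaped:", escape_filter_value("cn=a*b)"))
    for user_dn, group_dn in missing_memberof(GROUPS, USERS):
        print(f"memberOf missing: {user_dn} is in {group_dn}")
```

Three notes on using this against a live server. The memberOf attribute is operational in OpenLDAP, so ldapsearch only returns it when you request it explicitly (add memberOf to the attribute list); the filter works either way. Existing groups that missing_memberof reports can be fixed by re-adding or modifying them so the overlay processes their member values. The olcDatabase={1}hdb part of memberof_config.ldif must match the database that holds your suffix (on current installs often {1}mdb); check with an ldapsearch of cn=config for olcSuffix before importing. Finally, -w "password" puts the password into the process list and shell history; -W prompts for it instead, and on a local ldapi:/// socket -Y EXTERNAL avoids a password altogether.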
