Re: [389-users] memberof plugin not working as expected

Tue, 15 Jul 2014 17:16:33 -0700 

Alberto,

Alberto Viana wrote:

Noriko,
Changing that config, if I remove and add again the user in a group worked....but the fixup-memberof.pl <http://fixup-memberof.pl> didn't. 
I'm not sure why.  The fix=memberof.pl is supposed to do the following task.
 * 1. Remove all present memberOf values
 * 2. Add direct group membership memberOf values
 * 3. Add indirect group membership memberOf values
The default filter the utility uses is "(|(objectclass=inetuser)(objectclass=inetadmin))".
If you run ldapsearch -x -D "cn=Directory Manager" -w - -b "OU=my,dc=mydc,dc=local" "(|(objectclass=inetuser)(objectclass=inetadmin))", what does the command line return? 



Is there any easy way to update this info on all users?


Another question:

Should I always change this parameter?

As long as your group entry is groupofuniquenames, yes, you need to.
I'm asking that because I'm planning to update my 389 to a newer version (due to a db2bak.pl <http://db2bak.pl> problem that was fixed in this newer version) 


Alberto Viana
On Thu, Jul 10, 2014 at 5:16 PM, Noriko Hosoi <[email protected] <mailto:[email protected]>> wrote: 

    Alberto,

    Alberto Viana wrote:

    Noriko,

    dn: uid=alberto.viana,ou=IT,dc=mydc,dc=local
    objectClass: top
    objectClass: person
    objectClass: organizationalperson
    objectClass: inetOrgPerson
    objectClass: ntUser
    objectClass: eduPerson
    objectClass: brPerson
    objectClass: schacPersonalCharacteristics
    objectClass: pwmUser
    objectClass: inetuser
    ntUserLastLogoff: 0
    ntUserDeleteAccount: true
    uid: alberto.viana
    sn: Viana
    givenName: Alberto
    cn: Alberto Viana


    dn: cn=GRP_SRV_WIKI_CONFLUENCE,OU=GROUPS,dc=mydc,dc=local
    *uniqueMember: uid=alberto.viana,ou=IT,dc=mydc,dc=local*
    objectClass: top
    objectClass: groupofuniquenames
    objectClass: ntGroup
    ntGroupDeleteGroup: true
    cn: GRP_SRV_WIKI_CONFLUENCE
    ntUserDomainId: GRP_SRV_WIKI_CONFLUENCE

    Could you try again after replacing the memberofgroupattr value
    member with uniqueMember?


    Here's my plugin config:
    # MemberOf Plugin, plugins, config
    dn: cn=MemberOf Plugin,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: MemberOf Plugin
    nsslapd-pluginPath: libmemberof-plugin
    nsslapd-pluginInitfunc: memberof_postop_init
    nsslapd-pluginType: betxnpostoperation
    nsslapd-pluginEnabled: on
    nsslapd-plugin-depends-on-type: database
    memberofgroupattr: *member*
    memberofattr: memberOf
    nsslapd-pluginId: memberof
    nsslapd-pluginVersion: 1.3.2.13
    nsslapd-pluginVendor: 389 Project
    nsslapd-pluginDescription: memberof plugin







    If you need something else, just let me know.



    On Thu, Jul 10, 2014 at 4:54 PM, Noriko Hosoi <[email protected]
    <mailto:[email protected]>> wrote:

        Alberto,

        Alberto Viana wrote:

        Noriko,

        Just to let you know that was a totally fresh instalation
        and I imported my userRoot database, so I dont think so.

        It was a question from Mark :), but thanks for your
        response.  So, you don't get any particular errors or
        warnings in your error log...  Would you mind sharing a
        typical user and a group entry?  Of course you could cleanse
        the "name" part.



        Here's my plugin config:
        # MemberOf Plugin, plugins, config
        dn: cn=MemberOf Plugin,cn=plugins,cn=config
        objectClass: top
        objectClass: nsSlapdPlugin
        objectClass: extensibleObject
        cn: MemberOf Plugin
        nsslapd-pluginPath: libmemberof-plugin
        nsslapd-pluginInitfunc: memberof_postop_init
        nsslapd-pluginType: betxnpostoperation
        nsslapd-pluginEnabled: on
        nsslapd-plugin-depends-on-type: database
        memberofgroupattr: member
        memberofattr: memberOf
        nsslapd-pluginId: memberof
        nsslapd-pluginVersion: 1.3.2.13
        nsslapd-pluginVendor: 389 Project
        nsslapd-pluginDescription: memberof plugin


        I have 2 389DS with this version (replication enabled), the
        same behavior in both.

        Thanks



        On Thu, Jul 10, 2014 at 4:29 PM, Mark Reynolds
        <[email protected] <mailto:[email protected]>> wrote:


            On 07/10/2014 02:35 PM, Alberto Viana wrote:

            Noriko,

            =====================
            # fixup-memberof.pl <http://fixup-memberof.pl> -D
            "cn=Directory Manager" -w - -b "OU=my,dc=mydc,dc=local"
            Bind Password:
            Successfully added task entry
            "cn=memberOf_fixup_2014_7_10_15_25_29, cn=memberOf
            task, cn=tasks, cn=config"
            =====================

            It Removed all memberof entries for my user...is the
            expected behavior?

            Even if remove the user from a group and add it again,
            its not working.

            Thanks

            Can you verify your memberOf settings are still
            correct(memberofgroupattr, etc)?  Maybe something got
            overwritten during the upgrade?







            On Thu, Jul 10, 2014 at 3:20 PM, Noriko Hosoi
            <[email protected] <mailto:[email protected]>> wrote:

                What happens if you run this utility?
                /usr/lib[64]/dirsrv/slapd-YOURID/fixup-memberof.pl
                <http://fixup-memberof.pl>
                
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Perl_Scripts.html#fixup-memberof.pl

                Then, continue updating your user in a group?
                Thanks,
                --noriko

                Alberto Viana wrote:

                Hi,

                389-Directory/1.3.2.13 <http://1.3.2.13>
                B2014.141.1513

                I recently updated my server to 1.3.2.13 and the
                "memberof" plugin is not working as expected, it's
                not updating my user "memberOf" attribute whe I
                put a user in a group.

                How can I debug it?

                I tried to set my nsslapd-errorlog-level to 65536
                but could not find any useful information.


                Thanks

                Alberto Viana


                --
                389 users mailing list
                [email protected]  
<mailto:[email protected]>
                https://admin.fedoraproject.org/mailman/listinfo/389-users



                --
                389 users mailing list
                [email protected]
                <mailto:[email protected]>
                https://admin.fedoraproject.org/mailman/listinfo/389-users




            --
            389 users mailing list
            [email protected]  
<mailto:[email protected]>
            https://admin.fedoraproject.org/mailman/listinfo/389-users



            --
            389 users mailing list
            [email protected]
            <mailto:[email protected]>
            https://admin.fedoraproject.org/mailman/listinfo/389-users




        --
        389 users mailing list
        [email protected]  
<mailto:[email protected]>
        https://admin.fedoraproject.org/mailman/listinfo/389-users



        --
        389 users mailing list
        [email protected]
        <mailto:[email protected]>
        https://admin.fedoraproject.org/mailman/listinfo/389-users




    --
    389 users mailing list
    [email protected]  
<mailto:[email protected]>
    https://admin.fedoraproject.org/mailman/listinfo/389-users



    --
    389 users mailing list
    [email protected]
    <mailto:[email protected]>
    https://admin.fedoraproject.org/mailman/listinfo/389-users




--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

Reply via email to