On 2/6/26 2:38 PM, Ghiurea, Isabella via 389-users wrote:
Thank you Viktor , here are more details:
ldapsearch -D "cn=directory manager" -w xxxx-b
"ou=Groups,ou=ds,dc=xxxxxxx '(memberOf=*)'
no entries been returned.
That is not exactly what Viktor meant. First, unless its a nested group
it will not have a memberOf attribute. So that filter is basically
breaking the intended search. Use "cn=*" as the filter instead.
In your groups the memberOf plugin will only check if "member" attribute
is set. If your groups use "uniquemember" then you will need to update
the memberOf plugin configuration (memberofgroupattr) and restart the
server. Then run the fixup task.
Secondly, in your "users" you need an objectclass that allows the
"memberOf" attribute. The plugin "should" auto-add an appropriate
objectclass if one is not present, but that could be an issue.
I suspect you are using uniquemember as your membership attribute in
your groups, so you just need to update the plugin config, restart the
server, and run the fixup task.
Regards,
Mark
dsconf -D "cn=Directory Manager" -W slapd-testldap backend index list
userroot | grep member*
dn: cn=member,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
cn: member
dn: cn=memberOf,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
cn: memberOf
dn: cn=memberuid,cn=index,cn=userroot,cn=ldbm
database,cn=plugins,cn=config
cn: memberuid
dn: cn=uniquemember,cn=index,cn=userroot,cn=ldbm
database,cn=plugins,cn=config
cn: uniquemember
####### See the memberof difference in version 1.2 with version 3.1
for memberofgroupattr is this the case ?
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: member
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 3.1.3
nsslapd-pluginVendor: 389 Project
################
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniquemember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.3.10.2
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And last question the memberof fixup scripts runs to fast /or not at
all but no errors.
dsconf --verbose testldap plugin memberof fixup-status
Task: cn=memberOf_fixup_2026-02-06T11:19:50.854371,cn=memberOf
task,cn=tasks,cn=config
INFO:
--------------------------------------------------------------------------------
INFO: - Base DN: dc=xxxx
INFO: - Status: Memberof task finished (processed 45844
entries in 6 seconds)
INFO: - Started: Fri Feb 6 19:19:50 2026 (20260206191950Z)
INFO: - Ended: Fri Feb 6 19:19:57 2026 (20260206191957Z)
INFO: - Elapsed Time: 0:00:07
INFO: - Exit Code: 0
**Thank you!!!
------------------------------------------------------------------------
*From:* Viktor Ashirov <[email protected]>
*Sent:* Friday, February 6, 2026 3:21:43 AM
*To:* General discussion list for the 389 Directory server project.
*Cc:* Ghiurea, Isabella
*Subject:* [EXTERNAL\EXTERNE:] Re: [389-users] memberof entries not
displayed in uid ( version 3.1)
****Attention*** This email originated from outside of the NRC.
***Attention*** Ce courriel provient de l'extérieur du CNRC.*
Hi,
On Fri, Feb 6, 2026 at 4:33 AM Ghiurea, Isabella via 389-users
<[email protected]> wrote:
Hi List,
I 'm testing DS migration from 389-DS 1.2.3 to 389-DS 3.1
RH9 with memberof plugin been enable when checking for users the
entries for memberof are missing. for each uid.
Are any cfg params in dse.ldif which may stop from displaying the
memberof entries ?
See details :
# 8211065Users, ds, xxxx
dn: uid=8211065,ou=Users,ou=ds,dc=xxxxx
userPassword:: e1NTSEF9K25kcXZ
= Missing memberOf entries
In old 389-DS version 1.2.3 I have for same uid
dn: uid=8211065ou=Users,ou=ds,dc=xxxx
****memberOf: cn=xxxx,ou=Groups,ou=ds,dc=xxxxxxx >>> mssing for
each uid in 389-DS version 3.1
****memberOf: cn=xxxx-users,ou=Groups,ou=ds,dc=cxxxx >>>same
#######################################
DS version 3.1 errorlog
dsconf slapd-testldap plugin memberof fixup "dc=xxx,dc=xxx"
dsconf slapd-testldap plugin memberof fixup-status
INFO - memberof-plugin - memberof_fixup_task_thread - Memberof
task starts (filter:
"(|(objectclass=inetuser)(objectclass=inetadmin)(objectclass=nsmemberof))")
...
[05/Feb/2026:18:44:51.265924012 -0800] - INFO - memberof-plugin -
memberof_fixup_task_thread - Memberof task finished (processed
45844 entries in 5 seconds)
######################################################
dsconf slapd-testldap plugin memberof show
dn: cn=MemberOf Plugin,cn=plugins,cn=config
cn: MemberOf Plugin
memberofattr: memberOf
memberofgroupattr: member
What does your group entry look like? Do you have objectclass that
supports the `member` attribute?
Thanks.
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: memberof plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: memberof
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 3.1.3
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
Thank you
Isabella
--
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new
--
Viktor
--
Identity Management Development Team
--
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new
