[389-users] memberOf task problem
Andrey Ivanov
andrey.ivanov at polytechnique.fr
Fri May 22 06:31:19 UTC 2009
Can you show me the result of
/usr/lib64/mozldap/ldapsearch -b
"ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager"
-w - -h ldap uid=jasiii objectClass
It will list all the objectClasses of your entry. If "objectClass: inetUser"
is not present in the result of this search you should, as i said in the
previous message, add this objectClass to all the entries you're going to
manage with memberOf plug-in, smth like:
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz changetype:
add
objectclass: inetUser
Hope it helps .
2009/5/22 John A. Sullivan III <jsullivan at opensourcedevel.com>
> I'm starting to feel really stupid here - still not working.
>
> I thought the filter must be the problem for sure. I assumed from the
> documentation that no filter meant the task would add the attribute for
> everything that could take a memberOf attribute. I did not realize it
> defaulted to inetuser. So I recreated the task with a filter of
> (objectClass=inetOrgPerson) but it still did not seem to work.
>
> I thought perhaps I was doing ldapmodify wrong (enter the parameters,
> double enter, then CTL D) so I edited the fixup-memberof.pl script
> according to Rich's instructions. It ran without error (by the way, it
> reflects the admin password when using -w - !!!). But still no success.
>
> Perhaps I am checking incorrectly. I did not expect to see memberOf
> listed as an attribute in the advanced console screen for the user since
> it is a managed attribute. But I did try to view it with an ldapsearch:
It should be visible as an attribute you can add (provided your entry has
"objectClass: inetUser")
>
>
> /usr/lib64/mozldap/ldapsearch -b
> "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> Manager" -w - -h ldap uid=jasiii memberOf
>
> Is this how I would check for success?
>
> There is nothing suspicious in the error log. I do have the audit log
> enabled. I see the creation and automatic deletion of the task but I do
> not see any changes to objects to add and populate the memberOf
> attribute. I'll paste in some excerpts below.
>
> What next? Thanks - John
>
> time: 20090520221132
> dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> changetype: add
> objectClass: top
> objectClass: extensibleObject
> cn: fixMemberOf
> basedn: o=Internal,dc=ssiservices,dc=biz
> creatorsName: cn=xxxx
> modifiersName: cn=xxx
> createTimestamp: 20090521021132Z
> modifyTimestamp: 20090521021132Z
>
> time: 20090520221333
> dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
> changetype: delete
> modifiersname: cn=server,cn=plugins,cn=config
>
> time: 20090520222242
> dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> changetype: add
> objectClass: top
> objectClass: extensibleObject
> cn: fixMemberOf
> basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> creatorsName: cn=xxxx
> modifiersName: cn=xxxx
> createTimestamp: 20090521022242Z
> modifyTimestamp: 20090521022242Z
>
> time: 20090520222442
> dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
> changetype: delete
> modifiersname: cn=server,cn=plugins,cn=config
>
> .
> .
> .
> time: 20090521183523
> dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks,
> cn=config
> changetype: add
> objectClass: top
> objectClass: extensibleObject
> cn: memberOf_fixup_2009_5_21_18_35_23
> basedn: o=Internal,dc=ssiservices,dc=biz
> filter: (objectClass=inetOrgPerson)
> creatorsName: cn=xxxx
> modifiersName: cn=xxxx
> createTimestamp: 20090521223523Z
> modifyTimestamp: 20090521223523Z
>
> time: 20090521183724
> dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof
> task,cn=tasks,cn=config
> changetype: delete
> modifiersname: cn=server,cn=plugins,cn=config
>
> time: 20090521185804
> dn:
> cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=
> ssiservices.biz,o=netscaperoot
> changetype: modify
> replace: nsPreference
> nsPreference::
> IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
>
> dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
> -
> replace: modifiersname
> modifiersname: cn=xxxxx
> -
> replace: modifytimestamp
> modifytimestamp: 20090521225804Z
> -
>
> On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote:
> >
> >
> > 2009/5/21 John A. Sullivan III <jsullivan at opensourcedevel.com>
> > Thank you, Andrey. I did do an updatedb and then locate - no
> > fixup-member0f.pl - just template.fixup-memberOf.pl :-(
> > It is very strange. Normally during the server installation the
> > template should be converted to the "normal" perl script.
> >
> > Have you verified the configuration of the memberOf plugin, especially
> > the arguments/attributes "memberofgroupattr" and "memberofattr" ?
> >
> >
> >
> >
> >
> >
> > Unless I'm missing something, you're ldapmodify looks just
> > like mine
> > except for the cn (I believe the documentation says it can be
> > called
> > anything) and I did not use a filter (again, I believe the
> > documentation
> > says it is optional and our dit is still rather small).
> > If you do not put the filter into the ldif then the default filter is
> > used : "(objectClass=inetuser)". Do all your user entries include this
> > objectClass (inetuser)? If not, you should add this objectClass to all
> > the entries where you want the memberOf attribute to appear.
> >
> >
> >
> >
> > I did create a new group and add myself to it as you suggested
> > (thank
> > you). Surprisingly, it did not appear to work. I did not see
> > a
> > memberOf attribute populated for me. I then thought I would
> > see if I
> > need to manually add that attribute to each user (I hope not!)
> > and I did
> > not see memberOf as an attribute I could add to my user
> > object.
> >
> > No. You should not add it manually, the memberOf attribute is
> > maintained automatically based on the group membership.
> >
> > Do you see any message in error log? There should be something about
> > the impossibility to write the memberof attribute i think.
> > If you cannot add this attribute manually to your entry it means that
> > your entry does not containe "objectClass: inetuser". Add this
> > objectClass to all the entries that should be "managed" by the plug-in
> > to allow the attribute memberOf to be written to that entries.
> >
> >
> >
> >
> > I have verified that the plugin is defined in dse.ldif and it
> > is
> > enabled. I also see memberOf defined in 20subscriber.ldif and
> > did not
> > see anything in the documentation about needing to extend the
> > schema.
> > No, you don't need to extend the schema but you need to make sure that
> > your entries include the objectClass "inetuser":
> >
> > objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
> > 'Auxiliary class which must be present in an entry for delivery of
> > subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
> > inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
> > subscriber interoperability' )
> >
> >
> >
> >
> >
> > So, at this point, I am still at a loss for what I did wrong.
> > What do I
> > check next? Thanks - John
> > Try to add the "objectClass: inetuser" to the entries concerned and
> > take a closer look to the "errors" log file.
> >
> > @+
> >
> >
> >
> >
> >
> > On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:
> > > Hi,
> > >
> > > there are two things to be verified and/or taken into
> > account:
> > > * the pair of the attributes that is maintained (the
> > arguments
> > > "memberofgroupattr" and "memberofattr" of the plug-in)
> > > * presence of these two attributes in the classes of your
> > users and
> > > groups
> > >
> > > To find fixup-memberof.pl try "locate fixup-memberof.pl".
> > >
> > > To launch it manually you need to add something like that
> > to the
> > > server (with ldapmodify) :
> > > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task,
> > cn=tasks,
> > > cn=config
> > > changetype: add
> > > objectclass: top
> > > objectclass: extensibleObject
> > > cn: memberOf_fixup_2009_5_21_12_39_21
> > > basedn: dc=example,dc=com
> > > filter: (objectClass=inetOrgPerson)
> > >
> > >
> > > As for your account, you may remove/add yourself from a
> > group to see
> > > if it changes the memberof attribute. Verify the objectClass
> > of your
> > > entry and make sure the attribute memberOf is an optional
> > attribute of
> > > at least one of these objectClasses...
> > >
> > >
> > >
> > > 2009/5/21 John A. Sullivan III
> > <jsullivan at opensourcedevel.com>
> > > Hello, all. We are in the process of upgrading from
> > 8.0 to
> > > 8.1. We've
> > > hit a few glitches along the way but most has gone
> > well.
> > > However, we
> > > wanted to implement the new memberOf functionality.
> > We
> > > successfully
> > > added the plugin by editing dse.ldif and enabled it
> > from the
> > > console.
> > > However, we've been unsuccessful in having existing
> > group
> > > membership
> > > assigned to the memberOf attribute.
> > >
> > > We first tried to run fixup-memberOf.pl but the
> > script does
> > > not exist.
> > > There is a template.fixup-memberOf.pl but this does
> > not seem
> > > to have
> > > been built into a final script.
> > >
> > > We then thought we would use the new task feature of
> > the
> > > console. We
> > > went to cn=memberof task,cn=tasks,cn=config and
> > tried to
> > > create the task
> > > object. There was no nsDirectoryServerTask
> > objectclass. We
> > > added an
> > > nstask but then found there was no basedn attribute
> > we could
> > > add. We
> > > then created an extensibleobject instead but still
> > not basedn
> > > attribute.
> > >
> > > Finally, we resorted to ldapmodify (we hesitated
> > just because
> > > we are not
> > > very familiar with the command line tools). First,
> > we did:
> > >
> > > dn: cn=fixMemberOf,cn=memberof
> > task,cn=tasks,cn=config
> > > changetype: add
> > > objectclass: top
> > > objectclass: extensibleObject
> > > cn: fixMemberOf
> > > basedn: o=Internal,dc=ssiservices,dc=biz
> > >
> > > The Internal Organization has several organizations
> > under it
> > > (for
> > > various clients) and then user organizational units
> > under
> > > those
> > > organizations. Although it generated no errors, it
> > did not
> > > seem to
> > > work. Perhaps I just don't know how to test it.
> > However, the
> > > following
> > > did not return an memberOf data:
> > >
> > > /usr/lib64/mozldap/ldapsearch -b
> > >
> > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
> > > "cn=Directory
> > > Manager" -w - -h ldap uid=myid memberOf
> > >
> > > Doing /usr/lib64/mozldap/ldapsearch -b
> > >
> > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
> > > "cn=Directory
> > > Manager" -w - -h ldap uid=myid
> > > showed me plenty of attributes but nothing for
> > memberOf
> > >
> > > I also tried creating the task with a basedn of
> > > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz
> > in case it
> > > did not
> > > change objects lower in the tree. Still no success.
> > >
> > > Finally I tried:
> > >
> > > dn: cn=fixMemberOf,cn=memberof
> > task,cn=tasks,cn=config
> > > changetype: add
> > > objectclass: top
> > > objectclass: nsDirectoryServerTask
> > > cn: fixMemberOf
> > > basedn: o=Internal,dc=ssiservices,dc=biz
> > >
> > > adding new entry cn=fixMemberOf,cn=memberof
> > > task,cn=tasks,cn=config
> > > ldap_add: Object class violation
> > > ldap_add: additional info: unknown object class
> > > "nsDirectoryServerTask"
> > >
> > > And received the expected unknown object class
> > error.
> > >
> > > What are we doing wrong? Are these documentation
> > bugs? Are
> > > there
> > > application bugs or do we simply not know what we
> > are doing
> > > with tasks
> > > and memberOf? How do we get the memberOf information
> > into our
> > > existing
> > > user objects? Thanks - John
> > >
> > >
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan at opensourcedevel.com
> > >
> > > http://www.spiritualoutreach.com
> > > Making Christianity intelligible to secular society
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > >
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > >
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> > --
> >
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> >
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090522/944596bb/attachment.htm>
More information about the Fedora-directory-users
mailing list