Re: memberof plugin unreliable?

On Aug 12, 2013, at 2:26 PM, Morgan Jones <morgan@xxxxxxxxxxxxxxx> wrote:



I have a client running CentOS directory 8.2.8, CentOS 5.  We have two multi-masters with two read-only replicas.

We enabled the memberof plugin and it shows group memberships unreliably at best.  Is this a known issue or am I perhaps missing something?

For example:

ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb ou=groups,dc=domain,dc=org  cn=orgfulladminaccess
dn: cn=orgfulladminaccess,ou=groups,dc=domain,dc=org
uniqueMember: uid=rfw,ou=employees,dc=domain,dc=org
uniqueMember: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
uniqueMember: uid=sathomas,ou=employees,dc=domain,dc=org
uniqueMember: uid=rbateman,ou=employees,dc=domain,dc=org
uniqueMember: uid=kacless,ou=employees,dc=domain,dc=org
uniqueMember: uid=selectivesync,ou=employees,dc=domain,dc=org
uniqueMember: uid=cverrill,ou=employees,dc=domain,dc=org
uniqueMember: uid=morgan,ou=employees,dc=domain,dc=org
uniqueMember: uid=fullAdminAccessUser,ou=people,dc=domain,dc=org
objectClass: top
objectClass: groupofuniquenames
description: Group with full administrator access.
cn: orgFullAdminAccess

anderson:~ morgan$



Notice that just two users are returned when I search for memberof=cn=orgfulladminaccess...

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap01.domain.net -D cn=directory\ manager -LLLb dc=domain,dc=org  memberof=cn=orgfulladminaccess,ou=groups,dc=domain,dc=org dn
dn: uid=kacless,ou=employees,dc=domain,dc=org

dn: uid=morgan,ou=employees,dc=domain,dc=org

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb dc=domain,dc=org  memberof=cn=orgfulladminaccess,ou=groups,dc=domain,dc=org dn
dn: uid=kacless,ou=employees,dc=domain,dc=org

dn: uid=morgan,ou=employees,dc=domain,dc=org


I did consider this possibility but I struggle to believe that I have to set up partial replication throughout just to get memberof working:

http://www.redhat.com/archives/fedora-directory-users/2009-November/msg00058.html



Here's the config on all four hosts:

Masters:

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm01.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldapm02.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin

anderson:~ morgan$


read-only consumers:

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap01.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniquemember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin

anderson:~ morgan$ ldapsearch -x -w pass  -H ldaps://devldap02.domain.net -D cn=directory\ manager -LLLb cn=config cn=memberof\ plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniquemember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 8.2.8
nsslapd-pluginVendor: CentOS
nsslapd-pluginDescription: memberof plugin

anderson:~ morgan$


thanks,

-morgan

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

I am almost positive that fractional replication is required for that plugin. 

Anything in logs about unwilling to perform?

The whole "unreliable at best" comment makes me think the new entries will work but not existing ones. Is this true?

For existing entries, did you run the fix-up task mentioned in the link below?
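
A consistency check for the symptom discussed in this thread, as an added example that is not part of the original messages: it takes the `ldapsearch -LLL` output for the group entry and for the `memberof=` search, and lists the `uniqueMember` DNs under the search base that the `memberof=` search did not return. The function names are hypothetical, the sample LDIF is constructed (shortened from the output quoted above, with one folded line and one case difference added), and DNs are compared by lower-casing only.

```shell
#!/bin/sh
# Added example: audit memberOf against a group's uniqueMember list.
# Inputs are `ldapsearch -LLL` outputs; the samples below are constructed.
export LC_ALL=C

# Join LDIF continuation lines (a line starting with one space continues the previous one).
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }'
}

# Print the lower-cased, de-duplicated values of attribute $1 from LDIF on stdin.
# Lower-casing is a simplification of DN matching, adequate for this comparison.
attr_values() {
    unfold_ldif | awk -v p="$1: " '
        tolower(substr($0, 1, length(p))) == tolower(p) {
            print tolower(substr($0, length(p) + 1))
        }' | sort -u
}

# $1 = group entry LDIF, $2 = memberOf search LDIF, $3 = base DN of that search.
# Prints members under the base that the memberOf search did not return.
# Members outside the base (here o=NetscapeRoot) cannot appear in that search.
missing_memberof() {
    base=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$1" | attr_values uniqueMember |
        awk -v b=",$base" 'length($0) > length(b) && substr($0, length($0) - length(b) + 1) == b' > "$tmp/group"
    printf '%s\n' "$2" | attr_values dn > "$tmp/memberof"
    comm -23 "$tmp/group" "$tmp/memberof"
    rm -rf "$tmp"
}

# Constructed sample, shortened from the output in the message above.
GROUP_LDIF='dn: cn=orgfulladminaccess,ou=groups,dc=domain,dc=org
uniqueMember: uid=rfw,ou=employees,dc=domain,dc=org
uniqueMember: uid=admin,ou=Administrators,ou=TopologyManagement,o=Netscape
 Root
uniqueMember: uid=kacless,ou=employees,dc=domain,dc=org
uniqueMember: uid=Morgan,ou=employees,dc=domain,dc=org
cn: orgFullAdminAccess'
MEMBEROF_LDIF='dn: uid=kacless,ou=employees,dc=domain,dc=org

dn: uid=morgan,ou=employees,dc=domain,dc=org'

missing_memberof "$GROUP_LDIF" "$MEMBEROF_LDIF" "dc=domain,dc=org"
```

Running the same comparison against each master and each consumer shows whether the gap is the same on every host or differs between them.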
