I'm not very familiar with OpenLDAP, but I'm trying to get a local instance working in order to test a client in development, which needs the memberOf attribute.
I've downloaded and installed OpenLDAP on a CentOS 7 VM, per the instructions at http://www.openldap.org/doc/admin24/guide.html#A Quick-Start Guide. I did not use package management to install it. Since I'm using 2.4.45, it's using the cn=config OLC config and not the slapd.conf configuration scheme.
At step 4 above, I used the --enable-memberof and --enable-refint flags to the configure script. When I ran the pre-install tests, it did run the memberof tests, and they passed, so I know the overlay can be applied somehow.
I've tried the directions found at https://adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/ and, with slight variants, many other places. I've run into the following issues with this...
Is this even on the right track? Or will the process be different because I installed from source or used the --enable-memberof flag?
Let me know if there's any info I need to provide.
Update:
Currently, I am trying to add the entry with dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config as found in the linked instructions above. I get
# ldapadd -x -D "cn=Manager,dc=aaron,dc=com" -W -f member.ldif
Enter LDAP Password:
adding new entry "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
ldap_add: Insufficient access (50)
Another update: Progress!
I added an olcRootPW to the cn=config database by editing
etc/slapd.d/cn=config/olcDatabase={0}config.ldif
then used that dn to run the ldapadd:
ldapadd -x -D "cn=config" -W -f member.ldif
I had to put the {0} and {1} back.
Trying to add the first refint ldif failed, but I think I don't need that since these aren't modules, but compiled directly into slapd based on how I configured it.
Now I'm trying to add the second refint entry and getting
[root@openldap openldap]# ldapadd -x -D "cn=config" -W -f refint2.ldif
Enter LDAP Password:
adding new entry "olcOverlay={1}refint,olcDatabase={1}mdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcRefintAttribute <manager>: attribute type undefined
So here's everything I had to do to get it working from my original issue:
Add an olcRootPW entry to the olcDatabase={0}config.ldif config entry. As EJP says, this is bad form, but since this is a local testing directory only, and I only want it to allow me to test a client...
Without the {0} and {1} items in the file, the load still failed. I put both back and it worked. I did not go back to check EJP's suggestion to only have the {1}.
Then the ldapadd command needs to be run with bind dn 'cn=config'. At that point the entry to enable the memberof config would add successfully.
I tried to add the first refint file, the one that does the module. This did not work, I got an error about the olcModuleList attribute. I think since I compiled the overlays directly into OpenLDAP via the --enable-memberof and --enable-refint I didn't need this part?
For the second refint file, the one to add the overlay, I just needed to remove the 'manager owner' part of the attributes, since my directory does not have those attributes. At this point the ldif added successfully.
Then I went into the directory and added users, groups, and assigned users to groups, and (once I told it to fetch the operational attributes) lo and behold my users had the appropriate memberOf attributes!
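The procedure the post arrives at, written out as an added example (this is not code from the original post or from OpenLDAP): a shell script that generates the two overlay LDIFs the way they ended up working, loads them with the cn=config bind from the post, and searches for the operational memberOf attribute. It assumes the overlays are compiled into slapd (so there is no olcModuleLoad entry), that the data database is olcDatabase={1}mdb, that the suffix is dc=aaron,dc=com, and that the olcRefintNothing placeholder DN is acceptable for this test directory; all of those are assumptions taken from or beyond the post.

```shell
#!/bin/sh
# Added example, not from the original post. Enables the memberof and refint
# overlays on the data database through cn=config and shows the resulting
# memberOf values. Assumptions (labelled): overlays compiled in, data DB is
# olcDatabase={1}mdb, suffix dc=aaron,dc=com.

CONFIG_DN="cn=config"                 # bind DN that worked in the post
DATA_DB="olcDatabase={1}mdb,cn=config" # assumption: data database is {1}mdb
SUFFIX="dc=aaron,dc=com"              # assumption: directory suffix

# LDIF for the memberof overlay as overlay {0} of the data database. Keep the
# {0} ordinal in both the DN and the olcOverlay value; dropping it failed in
# the post. No olcModuleLoad entry: the overlay is built into slapd here.
memberof_ldif() {
    cat <<EOF
dn: olcOverlay={0}memberof,${DATA_DB}
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
}

# LDIF for the refint overlay as overlay {1}. Only 'member' is listed: the
# post's error 80 ("attribute type undefined") came from naming 'manager' and
# 'owner', which this directory's schema does not define. olcRefintNothing is
# the placeholder DN written when the last value would otherwise be removed;
# the DN below is an assumption for a test directory.
refint_ldif() {
    cat <<EOF
dn: olcOverlay={1}refint,${DATA_DB}
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: member
olcRefintNothing: cn=Manager,${SUFFIX}
EOF
}

# Write both LDIFs and load them, binding as cn=config (prompts for the
# olcRootPW set on olcDatabase={0}config). Order matters: memberof is {0}.
load_overlays() {
    memberof_ldif > memberof.ldif
    refint_ldif   > refint.ldif
    ldapadd -x -D "$CONFIG_DN" -W -f memberof.ldif
    ldapadd -x -D "$CONFIG_DN" -W -f refint.ldif
}

# Show memberOf for one user. memberOf is an operational attribute, so it is
# not returned by default; request it by name (or '+' for all operational
# attributes) as the post found it had to.
show_memberof() {
    uid="$1"
    ldapsearch -x -LLL -D "cn=Manager,${SUFFIX}" -W -b "$SUFFIX" \
        "(uid=${uid})" memberOf
}
```

Usage: source the file and run `load_overlays`, then add users and groups and run `show_memberof someuid`. Two caveats worth knowing: the memberof overlay only maintains memberOf for membership changes made after it is active, so groups that already existed when it was loaded have to be re-added (or their members re-set) before their users show memberOf; and if the cn=config database keeps an olcRootPW for this purpose, store a hash produced by `slappasswd` rather than a cleartext value, even on a test box.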