[bitnami/openldap] Enable overlays

[joshuacox]

Name and Version

bitname/openldap:2.6.6

What is the problem this feature will solve?

The documentation points to adding dynlist like so:

       overlay dynlist
       dynlist-attrset nisMailAlias labeledURI

to slapd.conf However there is no slapd.conf in the bitnami container. as we are using /bitnami/openldap/slapd.d

The documentation points to doing something like this to convert:

slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d

But again I don't have a slapd.conf file to convert, or is there a base file I can use for this purpose? or is there a way to merge in an overlay?

What is the feature you are proposing to solve the problem?

Just an explanation of how to add in an overlay would be fantastic. Potentially adding it to the documentaiton. Or maybe even an environment variable:

LDAP_EXTRA_OVERLAYS=dynlist

I would imagine most would need configuration lines as well, like:

LDAP_EXTRA_OVERLAYS_CONFIG=dynlist-attrset nisMailAlias labeledURI

or something similar.

What alternatives have you considered?

just mapping in a directory and trying to slaptest a config that I might be able to ldifs out of.

docker exec openldap slaptest -f /slaptest/slapd.conf -F /slaptest/slapd.d                                              
overlay "dynlist" not found
/slaptest/slapd.conf: line 1: <overlay> handler exited with 1!
slaptest: bad configuration directory!

with some tweaking I might be able to hack together a solution.

minimal slapd.conf (EDIT: now it works, but I am uncertain what all I need to extract from it)

include /opt/bitnami/openldap/etc/schema/core.schema
include /opt/bitnami/openldap/etc/schema/cosine.schema
include /opt/bitnami/openldap/etc/schema/dyngroup.schema
include /opt/bitnami/openldap/etc/schema/inetorgperson.schema
modulepath /opt/bitnami/openldap/lib/openldap
moduleload dynlist
overlay dynlist
dynlist-attrset groupOfURLs labeledURI member

so now I can get a slapcat:

docker exec openldap slapcat -n0 -F /slaptest/slapd.d

It certainly is a lot of data, should I just be diffing that and slapcat on a slapd.conf of:

include /opt/bitnami/openldap/etc/schema/core.schema
include /opt/bitnami/openldap/etc/schema/cosine.schema
include /opt/bitnami/openldap/etc/schema/inetorgperson.schema

[joshuacox]

so I have successfully turned a few configlines into around 60 ldif lines:

dn: cn=schema,cn=config
cn: schema
objectClass: olcSchemaConfig
olcAttributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' D
 he entry belongs to' EQUALITY distinguishedNameMatch SYNTAX
 115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation X-ORIGI
 ted Administrator' )
olcAttributeTypes: ( OLcfgOvAt:8.1 NAME ( 'olcDynListAttrSet'
  DESC 'Dynamic list: <group objectClass>, <URL attributeDesc
  attributeDescription>' EQUALITY caseIgnoreMatch SYNTAX OMsD
 ORDERED 'VALUES' )

dn: cn=schema,cn=config
cn: schema
objectClass: olcSchemaConfig
olcObjectClasses: ( OLcfgOvOc:8.1 NAME ( 'olcDynListConfig' '
  DESC 'Dynamic list configuration' SUP olcOverlayConfig STRU
 ListAttrSet )

dn: cn={4}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDA
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'm
 dentifies an URL associated with each member of a group. Any
 URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC
  when processing the memberURL' SUP distinguishedName SINGLE
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'O
 tion rules that determine who is allowed to assume the dgIde
 uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES'
olcAttributeTypes: {3}( DynGroupAttr:3 NAME 'dgMemberOf' DESC
 entry belongs to' EQUALITY distinguishedNameMatch SYNTAX 1.3
 .121.1.12 )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'group
 TRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ descr
  owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP
  ( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig

dn: olcOverlay={0}dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
olcDynListAttrSet: {0}groupOfURLs labeledURI member
olcDynListAttrSet: {1}groupOfURLs memberURL member+memberOf@g
structuralObjectClass: olcDynListConfig

However, placing this in /ldifs does not seem to have the desired effect. And honestly, this seems to be the wrong approach. i.e. to take two lines of very easy to understand config and turn them into some archaic block of 60 lines of ldif. I seem to be handing the next person who looks at these configs a major headache.

[joshuacox]

perhaps it requires to be ran as schema? (EDIT: the structuralObjectClass requires that it be in the schema I believe) appending to /schema/custom.ldif (which had an ldapPublicKey definition in there) and changing the modify to adds

dn: cn=ldapPublicKey,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk-openldap
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
  uid ) )

dn: cn=module,cn=config
cn: module 
objectClass: olcModuleList
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: memberof
olcModuleLoad: dynlist
olcModuleLoad: refint
olcModuleLoad: argon2

dn: cn=schema,cn=config
cn: schema
objectClass: olcSchemaConfig
olcAttributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' D
 he entry belongs to' EQUALITY distinguishedNameMatch SYNTAX
 115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation X-ORIGI
 ted Administrator' )
olcAttributeTypes: ( OLcfgOvAt:8.1 NAME ( 'olcDynListAttrSet'
  DESC 'Dynamic list: <group objectClass>, <URL attributeDesc
  attributeDescription>' EQUALITY caseIgnoreMatch SYNTAX OMsD
 ORDERED 'VALUES' )
olcObjectClasses: ( OLcfgOvOc:8.1 NAME ( 'olcDynListConfig' '
  DESC 'Dynamic list configuration' SUP olcOverlayConfig STRU
 ListAttrSet )

dn: cn={4}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDA
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'm
 dentifies an URL associated with each member of a group. Any
 URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC
  when processing the memberURL' SUP distinguishedName SINGLE
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'O
 tion rules that determine who is allowed to assume the dgIde
 uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES'
olcAttributeTypes: {3}( DynGroupAttr:3 NAME 'dgMemberOf' DESC
 entry belongs to' EQUALITY distinguishedNameMatch SYNTAX 1.3
 .121.1.12 )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'group
 TRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ descr
  owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP
  ( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig

dn: olcOverlay={0}dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
olcDynListAttrSet: {0}groupOfURLs labeledURI member
olcDynListAttrSet: {1}groupOfURLs memberURL member+memberOf@g
structuralObjectClass: olcDynListConfig

does not seem to be working either.

[joshuacox]

Minimally I have tried having just two files in /shemas

dn: cn=module,cn=config
cn: module 
objectClass: olcModuleList
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: dynlist
olcModuleLoad: argon2

and

dn: olcOverlay={0}dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames

at this point I can cause the openldap instance to crash by requesting a memberof attribute:

docker exec openldap ldapsearch -H ldap://localhost:1389 -x -LLL -s sub -b "dc=example,dc=net" "cn=customuser" uid
dn: cn=customuser,ou=users,dc=example,dc=net
uid: customuser

^returns fine, But this one crashes the server:

docker exec openldap ldapsearch -H ldap://localhost:1389 -x -LLL -s sub -b "dc=example,dc=net" "cn=customuser" uid memberOf
ldap_result: Can't contact LDAP server (-1)

the logs have nothing useful to say about why it died:

6519f2ee.2bb6b2b4 0x7fba23fff700 conn=1003 fd=12 ACCEPT from IP=127.0.0.1:36686 (IP=0.0.0.0:1389)
6519f2ee.2bb70fb4 0x7fba237fe700 conn=1003 op=0 BIND dn="" method=128
6519f2ee.2bb77d0f 0x7fba237fe700 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000037 text=
6519f2ee.2bb8fb7c 0x7fba23fff700 conn=1003 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(cn=customuser)"
6519f2ee.2bb91cd0 0x7fba23fff700 conn=1003 op=1 SRCH attr=uid
6519f2ee.2bbe22f8 0x7fba23fff700 conn=1003 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000003 etime=0.000356 nentries=1 text=
6519f2ee.2bbe9f18 0x7fba23fff700 conn=1003 op=2 UNBIND
6519f2ee.2bbf2203 0x7fba23fff700 conn=1003 fd=12 closed
6519f2fa.13988926 0x7fba237fe700 conn=1004 fd=12 ACCEPT from IP=127.0.0.1:51926 (IP=0.0.0.0:1389)
6519f2fa.139968ca 0x7fba23fff700 conn=1004 op=0 BIND dn="" method=128
6519f2fa.139a0394 0x7fba23fff700 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000047 text=
6519f2fa.139b1475 0x7fba237fe700 conn=1004 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(cn=customuser)"
6519f2fa.139b5522 0x7fba237fe700 conn=1004 op=1 SRCH attr=uid memberOf

my docker-compose.yml at this point was:

version: "3"
networks:
  openldapnet:
    external: false
services:
  openldap:
    image: bitnami/openldap:2.6.6
    container_name: openldap
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=admin
      - LDAP_USERS=customuser
      - LDAP_PASSWORDS=custompassword
      - LDAP_ROOT=dc=example,dc=net
      - LDAP_ADMIN_DN=cn=admin,dc=example,dc=net
      - LDAP_CUSTOM_SCHEMA_FILE=/schema/custom.ldif
      - LDAP_CUSTOM_SCHEMA_DIR=/custom_schemas
      - LDAP_EXTRA_SCHEMAS=cosine,dyngroup,inetorgperson,nis
        #- LDAP_EXTRA_SCHEMAS=collective,corba,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,namedobject,nis,openldap,pmi
      - BITNAMI_DEBUG=true
      #- LDAP_EXTRA_SCHEMAS=collective,corba,core,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,msuser,namedobject,nis,openldap,pmi
    restart: always
    networks:
      - openldapnet
    ports:
      - 389:1389
      - 636:1636
    volumes: 
      - ./openldap_whc/schema:/schema
      - ./openldap_whc/schemas:/custom_schemas
      - ./openldap_whc/ldiff:/ldiff
      - ./openldap_whc/ldifs:/ldifs
        #- ./openldap_data:/bitnami/openldap
      - ./slaptest:/slaptest
      #- ./openldap_whc/schemas:/schemas

  phpldapadmin:
    ports:
      - 80:80
      - 443:443
    container_name: phpldapadmin
    networks:
      - openldapnet
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=ldap://openldap:1389
    image: osixia/phpldapadmin:0.9.0

[joshuacox]

I have made an example repo for demonstration purposes:

https://github.com/joshuacox/openldap-overlay-dynlist

[jonnoss1]

Hi @joshuacox ,

I recently had a similar requirement to use an overlay, Sync Provider, not enabled OOTB.
After some digging I found the cn=module backend was only created when a supported overlay, pprovider, was enabled.
Following this approach I extended libopenldap.sh to support both Sync Provider and Access Logging overlays.
I've tested a similar extension for the Dynamic Lists overlay that deploys perfectly.

Happy to create a PR for this if that approach would work?

[joshuacox]

@jonnoss1 I'd be very happy to test a PR! tyvm

[jonnoss1]

Hi @joshuacox,

I've pushed the changes here.
You can test by building an image based on the README.md steps then running with the new image and these additional environment options in your above docker-compose.

      - LDAP_ENABLE_DYNLIST=yes
      - LDAP_DYNLIST_ATTRSETS=groupOfURLs labeledURI member,groupOfURLs memberURL memberOf

[joshuacox]

@jonnoss1 awesome on actually implementing the environment variables. However, I do seem to be getting the same crashing situation when I implement:

- LDAP_DYNLIST_ATTRSETS=groupOfURLs memberURL member+memberOf@groupOfNames

which I got directly from the man page man slapo-dynlist

docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" "cn=customuser" uid memberof
ldap_result: Can't contact LDAP server (-1)

but uid alone returns just fine:

docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" "cn=customuser" uid
dn: cn=customuser,ou=users,dc=example,dc=net
uid: customuser

[jonnoss1]

Hi @joshuacox ,

What schema are you using to add memberOf ?
I find it in the msuser schema file but get the following error when loading both dyngroup and msuser:

config error processing cn={5}msuser,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: "MSADat2:102"

[joshuacox]

I believe I'm getting it by using dyngroup: LDAP_EXTRA_SCHEMAS=cosine,dyngroup,inetorgperson,nis

Here is my full docker-compose.yml:

version: "3"
networks:
  openldapnet:
    external: false
services:
  openldap:
    #image: bitnami/openldap:2.6.6
    image: jonnos/openldap:test 
    container_name: openldap
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=admin
      - LDAP_USERS=customuser
      - LDAP_PASSWORDS=custompassword
      - LDAP_ROOT=dc=example,dc=net
      - LDAP_ADMIN_DN=cn=admin,dc=example,dc=net
      - LDAP_EXTRA_SCHEMAS=cosine,dyngroup,inetorgperson,nis
      - BITNAMI_DEBUG=true
      - LDAP_ENABLE_DYNLIST=yes
      - LDAP_DYNLIST_ATTRSETS=groupOfURLs memberURL member+memberOf@groupOfNames
        # groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
      #- LDAP_CUSTOM_SCHEMA_FILE=/schema/custom.ldif
      #- LDAP_CUSTOM_SCHEMA_DIR=/custom_schemas
      #- LDAP_EXTRA_SCHEMAS=collective,corba,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,namedobject,nis,openldap,pmi
      #- LDAP_EXTRA_SCHEMAS=collective,corba,core,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,msuser,namedobject,nis,openldap,pmi
    restart: always
    networks:
      - openldapnet
    ports:
      - 389:1389
      - 636:1636
    volumes: 
      #- ./schema:/schema
      #- ./schemas:/schemas
      #- ./ldifs:/ldifs
      - ./slaptest:/slaptest
      #- ./data:/bitnami/openldap

  phpldapadmin:
    ports:
      - 80:80
      - 443:443
    container_name: phpldapadmin
    networks:
      - openldapnet
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=ldap://openldap:1389
    image: osixia/phpldapadmin:0.9.0

[jonnoss1]

Looks like you also need the memberOf overlay .

Pushed another change earlier today to add support for this.
Using the updated image and these settings,

      - LDAP_EXTRA_SCHEMAS=cosine, inetorgperson, nis, dyngroup
      - LDAP_ENABLE_MEMBEROF=yes
      - LDAP_ENABLE_DYNLIST=yes
      - LDAP_DYNLIST_ATTRSETS=groupOfURLs labeledURI member,groupOfURLs memberURL memberOf

Ldif for dynamic group

dn: cn=dynamicGroup,ou=dynamic,ou=thatstore,dc=source,dc=com
objectClass: groupOfURLs
objectClass: top
cn: dynamicGroup
memberURL: ldap:///ou=people,ou=thatstore,dc=source,dc=com??sub?(objectClass=inetOrgPerson)

I get the following search results:

$ ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=source,dc=com" "cn=Joe Soap" uid
dn: cn=Joe Soap,ou=people,ou=thatstore,dc=source,dc=com
uid: Joe.Soap

$ ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=source,dc=com" "cn=Joe Soap" uid memberof
dn: cn=Joe Soap,ou=people,ou=thatstore,dc=source,dc=com
uid: Joe.Soap
memberOf: cn=purple,ou=groups,ou=thatstore,dc=source,dc=com
memberOf: cn=black,ou=groups,ou=thatstore,dc=source,dc=com

$ ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=source,dc=com" "cn=dynamicGroup" member
dn: cn=dynamicGroup,ou=dynamic,ou=thatstore,dc=source,dc=com
member: cn=Some Body,ou=people,ou=thatstore,dc=source,dc=com
member: cn=Another Dude,ou=people,ou=thatstore,dc=source,dc=com
member: cn=No One,ou=people,ou=thatstore,dc=source,dc=com
member: cn=Joe Soap,ou=people,ou=thatstore,dc=source,dc=com

Not really familiar with the dynlist overlay so can't even guess what the issue is with this ATTRSET groupOfURLs memberURL member+memberOf@groupOfNames

[joshuacox]

Wow, this is fantastic! @jonnoss1 you have done it! Please submit a PR and get this merged in!

EDIT: just adding in my final docker-compose.yml

version: "3"
networks:
  openldapnet:
    external: false
services:
  openldap:
    #image: bitnami/openldap:2.6.6
    image: jonnos/openldap:test 
    container_name: openldap
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=admin
      - LDAP_USERS=customuser
      - LDAP_PASSWORDS=custompassword
      - LDAP_ROOT=dc=example,dc=net
      - LDAP_ADMIN_DN=cn=admin,dc=example,dc=net
      - LDAP_EXTRA_SCHEMAS=cosine,dyngroup,inetorgperson,nis
      - BITNAMI_DEBUG=true
      - LDAP_ENABLE_DYNLIST=yes
      - LDAP_DYNLIST_ATTRSETS=groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
      - LDAP_ENABLE_MEMBEROF=yes
        #- LDAP_DYNLIST_ATTRSETS=groupOfURLs memberURL member+memberOf@groupOfNames
        # groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
      #- LDAP_CUSTOM_SCHEMA_FILE=/schema/custom.ldif
      #- LDAP_CUSTOM_SCHEMA_DIR=/custom_schemas
      #- LDAP_EXTRA_SCHEMAS=collective,corba,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,namedobject,nis,openldap,pmi
      #- LDAP_EXTRA_SCHEMAS=collective,corba,core,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,msuser,namedobject,nis,openldap,pmi
    restart: always
    networks:
      - openldapnet
    ports:
      - 389:1389
      - 636:1636
    volumes: 
      #- ./schema:/schema
      #- ./schemas:/schemas
      #- ./ldifs:/ldifs
      - ./slaptest:/slaptest
      #- ./data:/bitnami/openldap

  phpldapadmin:
    ports:
      - 80:80
      - 443:443
    container_name: phpldapadmin
    networks:
      - openldapnet
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=ldap://openldap:1389
    image: osixia/phpldapadmin:0.9.0

[joshuacox]

@jonnoss1 just one slight note, in trying to replicate what you have done here before your PR gets merged, I run into this error:

olcDynListAttrSet: value #0: "dynlist-attrset <oc> [uri] <URL-ad> [[<mapped-ad>:]<member-ad>[+<memberOf-ad>[@<static-oc>[*]] ...]": unable to find AttributeDescription #0 "member,groupOfURLs"

where my schemas directory looks like this:

bat --style header-filename schemas/*
File: schemas/00-modules.ldif
dn: cn=module,cn=config
cn: module 
objectClass: olcModuleList
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: dynlist
olcModuleLoad: memberof
olcModuleLoad: argon2

File: schemas/01-openssh-lpk_openldap.ldif
dn: cn=ldapPublicKey,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk-openldap
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
  uid ) )

File: schemas/97-memberOf.ldif
dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOfConfig
olcOverlay: memberof
olcMemberOfDN: dc=example,dc=net
olcMemberOfDangling: ignore
olcMemberOfDanglingError: 80
olcMemberOfRefInt: FALSE
olcMemberOfGroupOC: groupOfNames 
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf 

File: schemas/98-dynlistconfig.ldif
dn: olcOverlay=dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs labeledURI member,groupOfURLs memberURL memberOf

Removing the member,groupOfURLs segment, everything works just fine:

dn: olcOverlay=dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs labeledURI memberURL memberOf

docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" "cn=customuser" uid memberof
dn: cn=customuser,ou=users,dc=example,dc=net
uid: customuser
memberOf: cn=readers,ou=users,dc=example,dc=net

But I am wondering what schema is supplying that member,groupOfURLs? No big deal, as the memberOf is working as intended now. Again TYVM for the help here, and let me know if I can help test anything else to ensure any PR you make is working well and ready to merge.

[jonnoss1]

Hi @joshuacox,

Maybe a couple questions before we forge on with a PR.

1. How are those posted ldif files getting generated?

This one is definitely incorrect.

File: schemas/98-dynlistconfig.ldif
dn: olcOverlay=dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs labeledURI member,groupOfURLs memberURL memberOf

Should be something like this

dn: olcOverlay={0}dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: {0}groupOfURLs labeledURI member
olcDynListAttrSet: {1}groupOfURLs memberURL memberOf

This is likely causing some kind of problem.

Re: where the schema's come from:

• member > core schema
• memberURL > dyngroup schema
• groupOfURLs > dyngroup schema
• memberOf > memberOf overlay

2. In terms of the functionality you're looking to gain by using these overlays:

Are you only looking be be able to run a search like this on the memberOf attribute:
$ ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" "cn=customuser" uid memberof

Or do you additionally require the ability to define dynamic lists using this pattern:

dn: cn=dynamicGroup,ou=dynamic,ou=thatstore,dc=source,dc=com
objectClass: groupOfURLs
objectClass: top
cn: dynamicGroup
memberURL: ldap:///ou=people,ou=thatstore,dc=source,dc=com??sub?(objectClass=inetOrgPerson)

[joshuacox]

This one is definitely incorrect.

olcDynListAttrSet: groupOfURLs labeledURI member,groupOfURLs memberURL memberOf

I believe that is generated when using this env var:

• LDAP_DYNLIST_ATTRSETS=groupOfURLs labeledURI member,groupOfURLs memberURL memberOf

which was the original example you gave, that is where I got confused.

But my current problem is still crashing when I execute something like:

docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" '(&(objectClass=inetOrgPerson)(memberof=cn=readers,ou=users,dc=example,dc=net))'

ldap_result: Can't contact LDAP server (-1)

in the logs I can see the 'crash' at exit 0, though I'm not certain why openldap thought it appropriate to throw a zero there, as it seems to me to be worthy of an exit 1 or higher.

openldap      |  21:49:53.51 INFO  ==> ** Starting slapd **
openldap      | 6525c701.1ebee3d7 0x7f6ab13cd740 @(#) $OpenLDAP: slapd 2.6.6 (Aug 18 2023 23:33:58) $
openldap      |         @a67812f7d14b:/bitnami/blacksmith-sandox/openldap-2.6.6/servers/slapd
openldap      | 6525c701.1f502bd2 0x7f6ab13cd740 slapd starting
openldap      | 6525c70d.269ddf1d 0x7f6a6bfff700 conn=1000 fd=12 ACCEPT from IP=127.0.0.1:38708 (IP=0.0.0.0:1389)
openldap      | 6525c70d.269eb4a7 0x7f6a6bfff700 conn=1000 op=0 BIND dn="" method=128
openldap      | 6525c70d.26a0b25d 0x7f6a6bfff700 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000144 text=
openldap      | 6525c70d.26a2d1fc 0x7f6a6b7fe700 conn=1000 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(memberOf=cn=readers,ou=users,dc=example,dc=net))"
openldap exited with code 0
openldap      |  21:50:06.57 INFO  ==> Validating settings in LDAP_* env vars
openldap      |  21:50:06.58 INFO  ==> Initializing OpenLDAP...
openldap      |  21:50:06.58 DEBUG ==> Ensuring expected directories/files exist...
openldap      |  21:50:06.59 INFO  ==> Using persisted data
openldap      |  21:50:16.61 INFO  ==> ** LDAP setup finished! **
openldap      | 
openldap      | 
openldap      |  21:50:16.63 INFO  ==> ** Starting slapd **
openldap      | 6525c718.266e99de 0x7fa1ecb78740 @(#) $OpenLDAP: slapd 2.6.6 (Aug 18 2023 23:33:58) $
openldap      |         @a67812f7d14b:/bitnami/blacksmith-sandox/openldap-2.6.6/servers/slapd
openldap      | 6525c718.270356a7 0x7fa1ecb78740 slapd starting

As to whether I need the dynamic group, I don't foresee it immediately being necessary, but I also didn't realize I needed a few things here before getting further.

My end goal is to be able to use a user filter in gitea something like:

(&(memberOf=cn=gitea,ou=Groups,dc=example,dc=net)(|(uid=%[1]s)(mail=%[1]s)))

and an admin filter of:

(&(memberOf=cn=gitea_admin,ou=Groups,dc=example,dc=net)(|(uid=%[1]s)(mail=%[1]s)))

EDIT: I did make the changes to the olcDynListAttrSet here and I added a crash.sh to document that command.

[jonnoss1]

Hi @joshuacox,

I've created a PR to add support for Reverse Group Membership Maintenance aka memberOf overlay module.

Based on the example searches you are trying to perform this appears to be the cleanest way to add support for this specific reciprocal attribute.

Can always look at dynlist separately but it would need some thought to ensure the supporting schema is always declared to prevent schema dependency failures.

J

[carrodher]

Thank you for submitting the associated Pull Request. Our team will review and provide feedback. Once the PR is merged, the issue will automatically close.

Your contribution is greatly appreciated!

[joshuacox]

The problem with memberOf is that it is deprecated, will be removed in the future, and it is discrouraged on replicated setups.

from man slapo-memberof:

Note that this overlay is deprecated and support will be dropped in future OpenLDAP releases. Installations should use the dynlist overlay instead. Using this overlay in a replicated environment is  especially  discouraged.

After a week of not looking at this issue (because the team I was working with decided to go with freeIPA instead), I came back and looked at the comment here I realized I needed to alter this line:

dn: olcOverlay=dynlist,olcDatabase={-1}frontend,cn=config

to this line:

dn: olcOverlay=dynlist,olcDatabase={2}mdb,cn=config

so the example repo here is fixed.

And all memberOf functionality is supplied by dynlist now:

./no-longer-crashes.sh  
+ docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b dc=example,dc=net cn=customuser memberof
dn: cn=customuser,ou=users,dc=example,dc=net
memberOf: cn=readers,ou=users,dc=example,dc=net
memberOf: cn=Dynamic List,ou=Groups,dc=example,dc=net
memberOf: cn=Dynamic Group,ou=Groups,dc=example,dc=net

+ docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b 'cn=Dynamic Group,ou=Groups,dc=example,dc=net' member
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=net
member: cn=customuser,ou=users,dc=example,dc=net
member: cn=customuser2,ou=users,dc=example,dc=net

+ docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b 'cn=Dynamic List,ou=Groups,dc=example,dc=net' member
dn: cn=Dynamic List,ou=Groups,dc=example,dc=net
member: cn=customuser,ou=users,dc=example,dc=net
member: cn=customuser2,ou=users,dc=example,dc=net

[CrnTeam]

Hi,

The Openldap Team changes her mind about memberof overlay : it is no more deprecated (this announce)

So this PR is very interesting : can you merge it ?

Thank you

[jonnoss1]

Hi @CrnTeam,

New PR created and ready for review.

Jonno