The 389/Red Hat Directory Server (RHDS) now has a “memberOf” plugin (starting at Fedora DS 1.1.1, with vast improvements as of 389-DS 1.2.7, and since RHDS v8.1) that provides the same functionality as Active Directory’s “memberOf” feature.
The memberOf plugin is turned off by default on both 389 and RHDS. Once enabled, it populates each entry’s memberOf attribute with the DNs of all groups the entry belongs to. It works by adding the attribute and value to entries when they are added to a group. Unlike the similar “isMemberOf” functionality in the latest Sun/Oracle Directory Server Enterprise Edition, memberOf is returned as a standard user attribute and so need not be requested explicitly on a search.
NOTE: This feature is also available in ForgeRock’s OpenDJ directory, which inherited it from Sun’s OpenDS as the “isMemberOf” virtual attribute (OpenDJ implements it for both static and dynamic groups).
Because it is a standard user attribute, at least one of an entry’s objectclasses must list memberOf as a permitted attribute before the server can add it to that entry. The new 389/RHDS schema includes the inetUser object class, which allows memberOf.
[me@emyhost ~]$ ldapsearch -x -LLL -h localhost -D "cn=directory manager" -W -b "dc=example,dc=com" -s sub "uid=me"
Enter LDAP Password:
dn: uid=me,ou=People,dc=example,dc=com
givenName: My
sn: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetUser
uid: me
* * *
memberOf: cn=Directory Administrators,dc=example,dc=com
memberOf: cn=Staff,ou=Groups,dc=example,dc=com
memberOf: cn=Users,ou=Groups,dc=example,dc=com
To turn on the plugin, either use the GUI directory console or simply change the value of “nsslapd-pluginEnabled” under “cn=memberOf Plugin, cn=plugins, cn=config” from “off” to “on”. If the directory uses “uniquemember” rather than “member” as the group membership attribute, set “memberofgroupattr” to “uniquemember” as well. Here’s some LDIF to do the job (apply using ldapmodify):
dn: cn=memberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginenabled
nsslapd-pluginenabled: on
-
replace: memberofgroupattr
memberofgroupattr: uniquemember
The change takes effect once the directory service has been restarted.
To bootstrap existing group memberships (because it is a post-operation plugin, it only adds memberOf for members added to a group after it was enabled), the fixup-memberof.pl script is provided. It is found under /usr/lib64/dirsrv/slapd-[instancename]. The syntax is:
fixup-memberof.pl -v -D "cn=directory manager" -w - -b "dc=example,dc=com"
The script works by setting up a background memberOf task on the directory. This can be done manually by adding the following entry:
dn: cn=example memberof,cn=memberof task,cn=tasks,cn=config
objectclass: extensibleObject
cn: example memberof
basedn: ou=people,dc=example,dc=com
filter: (objectclass=groupofuniquenames)
(use ldapadd, or ldapmodify with the “-a” switch)
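Because the plugin only maintains memberOf from the moment it is enabled, it is worth verifying after the fixup task that no entry is missing a memberOf value or still carries a stale one. The following offline check is an added example (not from the original post or from 389-DS itself): it parses an LDIF export, rebuilds the expected memberOf set from the groups’ membership attribute, and reports any disagreement. The LDIF is constructed sample data, and the group_attr parameter mirrors the plugin’s memberofgroupattr setting.

```python
# Consistency check of memberOf against group membership in an LDIF export.
# Added example; SAMPLE_LDIF is constructed data, not output from a real server.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=me,ou=People,dc=example,dc=com
objectClass: inetUser
uid: me
memberOf: cn=Staff,ou=Groups,dc=example,dc=com
memberOf: cn=Old,ou=Groups,dc=example,dc=com

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetUser
uid: bob

dn: cn=Staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=me,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} from plain LDIF.
    Handles folded lines and comments; base64 ('::') values are not decoded."""
    entries, current = {}, []
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.startswith(" ") and current:     # folded continuation line
            current[-1] += line[1:]
        elif line.strip() == "":
            if current:
                attrs = defaultdict(list)
                for rec in current:
                    name, _, value = rec.partition(":")
                    attrs[name.strip().lower()].append(value.strip())
                entries[attrs["dn"][0]] = attrs
                current = []
        elif not line.startswith("#"):
            current.append(line)
    return entries

def check_memberof(ldif_text, group_attr="uniquemember"):
    """Compare each entry's memberOf values with the groups that actually list it.
    DNs are compared case-insensitively; only entries that disagree are reported."""
    entries = parse_ldif(ldif_text)
    expected = defaultdict(set)                  # member DN -> set of group DNs
    for dn, attrs in entries.items():
        for member in attrs.get(group_attr, []):
            expected[member.lower()].add(dn.lower())
    report = {}
    for dn, attrs in entries.items():
        actual = {v.lower() for v in attrs.get("memberof", [])}
        want = expected.get(dn.lower(), set())
        missing, stale = sorted(want - actual), sorted(actual - want)
        if missing or stale:
            report[dn] = {"missing": missing, "stale": stale}
    return report
```

Running it against a real export (ldapsearch with -LLL over the whole suffix, saved to a file) flags exactly the entries the fixup task should have repaired.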