389/RHDS memberOf plugin

The 389/Red Hat Directory Server (RHDS) now has a “memberOf” plugin (starting at Fedora DS 1.1.1, with vast improvements as of 389-DS 1.2.7, and since RHDS v8.1) that provides the same functionality as Active Directory’s “memberOf” feature.

The memberOf plugin is turned off by default on both 389 and RHDS. Once enabled it will show the dn values of all groups an entry is a member of in the memberOf attribute. It works by adding the attribute and value to entries when they are added to a group. Unlike the similar “isMemberof” functionality in the latest Sun/Oracle Directory Server Enterprise Edition, memberOf is returned as a standard user attribute and so need not be specified explicitly on a search.

NOTE: This feature is also available in ForgeRock’s OpenDJ directory, which inherited it from Sun’s OpenDS as the “isMemberOf” virtual attribute (OpenDJ implements it for both static and dynamic groups).

Because it is a standard user attribute, in order for the system to add memberOf to an entry at least one of the entry’s objectclasses needs to include it as a permitted attribute. The new 389/RHDS schema includes the inetUsr object class, which allows memberOf.

[me@emyhost ~]$ ldapsearch -x -LLL -h localhost -D "cn=directory manager" 
-W -b "dc=example,dc=com" -s sub "uid=me"
Enter LDAP Password: 
dn: uid=me,ou=People,dc=example,dc=com
givenName: My
sn: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetUser
uid: me
* * *
memberOf: cn=Directory Administrators,dc=example,dc=com
memberOf: cn=Staff,ou=Groups,dc=example,dc=com
memberOf: cn=Users,ou=Groups,dc=example,dc=com

To turn on the plugin either use the gui directory console or simply change the value of “nsslapd-pluginEnabled” under “cn=memberOf Plugin, cn=plugins, cn=config” from “off” to “on”. If the directory uses “uniquemember” instead of “member” as the group member attribute, the former should be substituted for the latter in the “memberofgroupattr”. Here’s some LDIF to do the job (apply using ldapmodify):

dn: cn=memberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginenabled: on
replace: memberofgroupattr
memberofgroupattr: uniquemember

The plugin is then enabled by restarting the directory service.

To bootstrap existing group memberships (as a postoperation plugin it will only add memberOf for newly added group members), the fixup-memberof.pl script has been provided. This will be found under /usr/lib64/dirsrv/slapd-[instancename]. The syntax is:

fixup-memberof.pl -v -D "cn=directory manager" -w - 
 -b "dc=example,dc=com"

The script works by setting up a background memberOf task on the directory. This can be done manually by adding the following entry:

dn: cn=example memberof,cn=memberof task,cn=tasks,cn=config
objectclass: extensibleObject
cn:example memberof
basedn: ou=people,dc=example,dc=com
filter: (objectclass=groupofuniquenames)

(use ldapadd, or ldapmodify with the “-a” switch)