7

This is a follow-up to this question: I added the memberof overlay to an existing OpenLDAP 2.4 server. Now I want to update the existing user objects.

For new group memberships, the memberOf attribute is updated correctly. But I have a bunch of existing groups which aren't updated automatically. I could remove all users from their groups and re-add them to make sure these entries are in sync. Since this is a Univention Corporate Server which does a lot of magic when you modify the LDAP, I don't want to risk breaking my directory.

Is there a way to trick the overlay to update these operational attributes?

mss
  • 445

3 Answers

0

I think running slapindex will solve your problem. At least it sounds pretty much like what happens when you add a new index to your system: you get funny results unless you run reindexing on old entries.

Please note that the OpenLDAP server has to be stopped when you run this. And you should either run it as the slapd user (like openldap) or run it as root and change permissions afterwards.

/etc/init.d/slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
/etc/init.d/slapd start

or

/etc/init.d/slapd stop
su - openldap -c  slapindex
/etc/init.d/slapd start

Please read the slapindex man page before running this. It should be safe unless you have a corrupted database (just remember to check the file permissions before starting).

The commands for stopping and starting your services will depend on the OS flavour you're running.

Manwe
  • 528

0

The only time when the memberOf overlay will be activated is if you modify a member in a group. So, the only way to "trick" it into updating the memberOf attributes would indeed be to remove all users from their groups and re-add them, as you suggested.

An alternative would be to use an external tool to synchronize groups and their members' entries.

You could write your own script for this, something along the lines of: for each group, read the members; for each member, run an LDAP modify operation to add a value to the memberOf attribute of that member's entry.

Or, probably more reliable, you could use a tool like LSC (LDAP Synchronization Connector) which has pretty much everything already done: you just need to configure the mapping you want. The trick with LSC is to use the same LDAP server as both source and destination, and to run through all users to make sure that the memberOf attribute contains the list of groups that results from searching all groups for member=. The LSC website has a tutorial to do this, sort of, but it's a bit outdated.

0

For Univention Corporate Server see https://help.univention.com/t/memberof-attribute-group-memberships-of-user-and-computer-objects/6439 , it has a tool to do this. For all others: the tool uses a simple trick to trigger OpenLDAP to update the memberOf attributes: it simply searches for (uniqueMember=*) and replaces the value by the same value. This is basically a no-op, but OpenLDAP handles it just like any other real change.
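As an added example (not code from the page or from Univention's tool), here is a small Python script that builds the no-op LDIF this answer describes: it parses `ldapsearch -LLL "(uniqueMember=*)" uniqueMember` output and emits a `changetype: modify` / `replace: uniqueMember` with the unchanged values, which ldapmodify then sends through slapd so the memberof overlay recomputes memberOf. The sample LDIF and all DNs are constructed; for plain groupOfNames groups pass `attr="member"`.

```python
import base64
# Constructed sample of `ldapsearch -LLL "(uniqueMember=*)" uniqueMember` output.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,dc=example,dc=com
uniqueMember: uid=alice,cn=users,dc=example,dc=com
uniqueMember: uid=bob,cn=users,dc=example,dc=com
"""

def ldif_line(attr, value):
    # Plain 'attr: value' only when RFC 2849 allows it; otherwise base64 'attr:: ...'
    safe = (value.isascii() and value.isprintable() and value == value.strip()
            and not value.startswith((":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def parse_groups(ldif, attr="uniqueMember"):
    """ldapsearch LDIF output -> [(group_dn, [member_dn, ...]), ...]."""
    lines = []
    for raw in ldif.splitlines():          # unfold RFC 2849 continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    groups, dn, members = [], None, []
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if dn and members:
                groups.append((dn, members))
            dn, members = None, []
            continue
        key, _, rest = line.partition(":")
        if rest.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if key == "dn":
            dn = value
        elif key.lower() == attr.lower():
            members.append(value)
    return groups

def noop_modify_ldif(groups, attr="uniqueMember"):
    """LDIF for ldapmodify: replace each group's members with the same values."""
    out = []
    for dn, members in groups:             # no data change, but memberof runs
        out += [ldif_line("dn", dn), "changetype: modify", f"replace: {attr}"]
        out += [ldif_line(attr, m) for m in members]
        out += ["-", ""]
    return "\n".join(out)
```

Feed it real `ldapsearch -LLL` output and pass the result to `ldapmodify`; overlays only run inside slapd, so applying the same LDIF with slapadd or slapmodify would not trigger memberof.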