On 2/6/26 2:38 PM, Ghiurea, Isabella via 389-users wrote:
Thank you Viktor , here are more details:
ldapsearch -D "cn=directory manager" -w xxxx-b "ou=Groups,ou=ds,dc=xxxxxxx '(memberOf=*)'no entries been returned.
That is not exactly what Viktor meant. First, unless its a nested group it will not have a memberOf attribute. So that filter is basically breaking the intended search. Use "cn=*" as the filter instead.
In your groups the memberOf plugin will only check if "member" attribute is set. If your groups use "uniquemember" then you will need to update the memberOf plugin configuration (memberofgroupattr) and restart the server. Then run the fixup task.
Secondly, in your "users" you need an objectclass that allows the "memberOf" attribute. The plugin "should" auto-add an appropriate objectclass if one is not present, but that could be an issue.
I suspect you are using uniquemember as your membership attribute in your groups, so you just need to update the plugin config, restart the server, and run the fixup task.
Regards,
Mark
dsconf -D "cn=Directory Manager" -W slapd-testldap backend index list userroot | grep member*
dn: cn=member,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
cn: member
dn: cn=memberOf,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
cn: memberOf
dn: cn=memberuid,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
cn: memberuid
dn: cn=uniquemember,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
cn: uniquemember
####### See the memberof difference in version 1.2 with version 3.1 for memberofgroupattr is this the case ?dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: member
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 3.1.3
nsslapd-pluginVendor: 389 Project
################
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: betxnpostoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniquemember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.3.10.2
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And last question the memberof fixup scripts runs to fast /or not at all but no errors.dsconf --verbose testldap plugin memberof fixup-status
Task: cn=memberOf_fixup_2026-02-06T11:19:50.854371,cn=memberOf task,cn=tasks,cn=config
INFO: --------------------------------------------------------------------------------
INFO: - Base DN: dc=xxxx
INFO: - Status: Memberof task finished (processed 45844 entries in 6 seconds)
INFO: - Started: Fri Feb 6 19:19:50 2026 (20260206191950Z)
INFO: - Ended: Fri Feb 6 19:19:57 2026 (20260206191957Z)
INFO: - Elapsed Time: 0:00:07
INFO: - Exit Code: 0
Thank you!!!
From: Viktor Ashirov <vashirov@redhat.com>
Sent: Friday, February 6, 2026 3:21:43 AM
To: General discussion list for the 389 Directory server project.
Cc: Ghiurea, Isabella
Subject: [EXTERNAL\EXTERNE:] Re: [389-users] memberof entries not displayed in uid ( version 3.1)***Attention*** This email originated from outside of the NRC. ***Attention*** Ce courriel provient de l'extérieur du CNRC.
Hi,
On Fri, Feb 6, 2026 at 4:33 AM Ghiurea, Isabella via 389-users <389-users@lists.fedoraproject.org> wrote:
Hi List,I 'm testing DS migration from 389-DS 1.2.3 to 389-DS 3.1 RH9 with memberof plugin been enable when checking for users the entries for memberof are missing. for each uid.Are any cfg params in dse.ldif which may stop from displaying the memberof entries ?See details :
# 8211065Users, ds, xxxxdn: uid=8211065,ou=Users,ou=ds,dc=xxxxxuserPassword:: e1NTSEF9K25kcXZ= Missing memberOf entriesIn old 389-DS version 1.2.3 I have for same uid
dn: uid=8211065ou=Users,ou=ds,dc=xxxx****memberOf: cn=xxxx,ou=Groups,ou=ds,dc=xxxxxxx >>> mssing for each uid in 389-DS version 3.1****memberOf: cn=xxxx-users,ou=Groups,ou=ds,dc=cxxxx >>>same#######################################DS version 3.1 errorlog
dsconf slapd-testldap plugin memberof fixup "dc=xxx,dc=xxx"dsconf slapd-testldap plugin memberof fixup-status
INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task starts (filter: "(|(objectclass=inetuser)(objectclass=inetadmin)(objectclass=nsmemberof))") ...[05/Feb/2026:18:44:51.265924012 -0800] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task finished (processed 45844 entries in 5 seconds)
######################################################dsconf slapd-testldap plugin memberof show
dn: cn=MemberOf Plugin,cn=plugins,cn=configcn: MemberOf Pluginmemberofattr: memberOfmemberofgroupattr: memberWhat does your group entry look like? Do you have objectclass that supports the `member` attribute?
Thanks.--nsslapd-plugin-depends-on-type: databasensslapd-pluginDescription: memberof pluginnsslapd-pluginEnabled: onnsslapd-pluginId: memberofnsslapd-pluginInitfunc: memberof_postop_initnsslapd-pluginPath: libmemberof-pluginnsslapd-pluginType: betxnpostoperationnsslapd-pluginVendor: 389 Projectnsslapd-pluginVersion: 3.1.3objectClass: topobjectClass: nsSlapdPluginobjectClass: extensibleObject
Thank youIsabella
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
--
Viktor
-- Identity Management Development Team
No comments:
Post a Comment