How to Implement and Configure memberOf Overlay for Reverse Group Membership in OpenLDAP 2.4+



When implementing LDAP-based authentication systems, the need to query group membership efficiently is paramount. The memberOf overlay in OpenLDAP provides reverse group membership maintenance - automatically updating the memberOf attribute whenever group membership changes. This becomes particularly crucial when:

  • Building applications that need to check group membership frequently
  • Implementing access control based on LDAP groups
  • Maintaining referential integrity between groups and members

For OpenLDAP 2.4+ with cn=config runtime configuration, we need three key components:

# 1. Load the memberof module (and refint, which step 3 needs)
#    If cn=module{0} already exists on your server, use "changetype: modify" with
#    "add: olcModuleLoad" instead of adding the entry.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: memberof.la
olcModuleLoad: refint.la

# 2. Configure the overlay for your database
#    ({1}hdb is the example used here; substitute your backend entry, e.g. {1}mdb)
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# 3. Enable referential integrity
dn: olcOverlay=refint,olcDatabase={1}hdb,cn=config
objectClass: olcRefintConfig
objectClass: olcOverlayConfig
olcOverlay: refint
olcRefintAttribute: memberof member

The key challenge lies in making the overlay work with existing group entries: the overlay only reacts to write operations that pass through it after it has been loaded, so memberships that already existed are not backfilled with memberOf. Here's how to ensure proper behavior:

# Existing groups must carry the objectClass named in olcMemberOfGroupOC.
# Add it only if the entry lacks it (adding a value that is already present
# fails with "Type or value exists"):
dn: cn=mygroup,ou=groups,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: groupOfNames

# Then add members with this LDIF:
dn: cn=mygroup,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user2,ou=people,dc=example,dc=com

To confirm the overlay is working correctly:

# Search for a user's memberOf attributes
ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -b "uid=user1,ou=people,dc=example,dc=com" memberOf

# Expected output:
dn: uid=user1,ou=people,dc=example,dc=com
memberOf: cn=mygroup,ou=groups,dc=example,dc=com

If the memberOf attributes aren't being created:

  1. Check slapd logs for overlay-related errors
  2. Verify the overlay is loaded: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcOverlay=memberof)'
  3. Ensure the group entry has groupOfNames objectClass
  4. Confirm the member attributes use full DNs

For large directories:

  • Set olcMemberOfDangling: ignore to skip invalid member references
  • Consider olcMemberOfMemberAD if using custom member attributes
  • For read-heavy systems, add an equality index for memberOf:
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: memberOf eq

Here's a full LDIF for testing (it assumes the dc=example,dc=com suffix entry already exists):

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User

dn: cn=testgroup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: testgroup
member: uid=testuser,ou=people,dc=example,dc=com

The memberOf overlay in OpenLDAP provides automatic maintenance of reverse group membership (memberOf) attributes when group membership changes. This is particularly useful when you need to:

  • Implement access control based on group membership
  • Maintain referential integrity between groups and members
  • Enable efficient memberOf queries without manual maintenance

From your description, you've successfully configured the overlay itself:

# Partial configuration shown
dn: olcOverlay={0}memberof
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: {0}memberof
olcMemberOfRefInt: TRUE

The key issues you're facing with existing group modifications can be addressed through proper configuration. Here's what you need to add:

1. Referential Integrity and Indexing

While you have olcMemberOfRefInt enabled, searches that filter on memberOf will be unindexed unless you also add an equality index:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: memberof eq

2. Handling Existing Group Modifications

For existing groups, the overlay only fires on modifications it sees: memberships that existed before it was enabled get no memberOf until the member value is written again (for a member that is already present, delete the value and re-add it, since adding an existing value fails). A new member added after the overlay is active is handled automatically:

# Example of adding member to existing group
dn: cn=existinggroup,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=user1,ou=people,dc=example,dc=com

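Because memberOf is not backfilled, the practical question after enabling the overlay is which users are still missing it. The script below is an added example, not OpenLDAP's code or this page's LDIF: it audits a slapcat-style export (assuming the groupOfNames/member/memberOf names configured above), flags dangling member values (the case olcMemberOfDangling governs), and emits the delete-and-re-add modify LDIF that makes the overlay write the missing values; the SAMPLE export is constructed.

```python
# Added example (not OpenLDAP's code): audit a slapcat export for memberOf values the overlay
# has not written and emit the modify LDIF that makes it write them. SAMPLE below is constructed.
from collections import defaultdict

def parse_ldif(text):
    """[(dn, {attr_lower: [values]})]; unfolds continuation lines, skips comments (no base64)."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                attrs[attr.strip().lower()].append(value.strip())
        if attrs["dn"]:
            entries.append((attrs["dn"][0], attrs))
    return entries

def audit(entries, group_oc="groupofnames", member_ad="member", memberof_ad="memberof"):
    """Return (missing, dangling): groups absent from a user's memberOf; members naming no entry."""
    by_dn = {dn.lower(): (dn, attrs) for dn, attrs in entries}  # DNs compare case-insensitively
    missing, dangling = defaultdict(set), []
    for dn, attrs in entries:
        if group_oc in [oc.lower() for oc in attrs["objectclass"]]:
            for m in attrs[member_ad]:
                if m.lower() not in by_dn:
                    dangling.append((dn, m))  # the case olcMemberOfDangling decides on
                    continue
                user, uattrs = by_dn[m.lower()]
                if dn.lower() not in {g.lower() for g in uattrs[memberof_ad]}:
                    missing[user].add(dn)
    return dict(missing), dangling

def retrigger_ldif(missing):
    """Delete and re-add each member in ONE modify: the overlay rewrites memberOf, and the
    mandatory member attribute of groupOfNames is never empty between the two steps."""
    return "\n".join(f"dn: {g}\nchangetype: modify\ndelete: member\nmember: {u}\n-\n"
                     f"add: member\nmember: {u}\n"
                     for u, gs in sorted(missing.items()) for g in sorted(gs))

SAMPLE = """dn: uid=user1,ou=people,dc=example,dc=com
memberOf: cn=mygroup,ou=groups,dc=example,dc=com

dn: uid=user2,ou=people,dc=example,dc=com

dn: cn=mygroup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=user1,ou=people,dc=example,dc=com
member: uid=user2,ou=people,dc=example,dc=com
member: uid=ghost,ou=people,
 dc=example,dc=com"""
```

Run it as `missing, dangling = audit(parse_ldif(open("export.ldif").read()))` on a real export and feed `retrigger_ldif(missing)` to ldapmodify; resolve the dangling list by hand, since re-adding those values would only re-trigger the dangling policy.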
Here's a full working configuration for Ubuntu/Debian systems:

# 1. Enable module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# 2. Configure overlay (substitute your backend entry for {1}hdb, e.g. {1}mdb)
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

After making changes, verify with these commands:

# Check if overlay is loaded
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcOverlay=memberof)'

# Test group modification
ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f modify_group.ldif

# Verify memberOf attribute
ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -b "uid=user1,ou=people,dc=example,dc=com" memberOf

If you encounter problems:

  1. Check slapd logs: tail -f /var/log/slapd.log (on Debian/Ubuntu slapd logs via syslog facility local4 by default, so check /var/log/syslog or journalctl -u slapd unless you have configured a dedicated file)
  2. Verify schema includes groupOfNames
  3. Ensure all DNs in member attributes exist
  4. Restart slapd after configuration changes (only necessary if you edited the files under slapd.d by hand; changes applied to cn=config with ldapmodify take effect immediately)

For more control, consider these additional parameters:

olcMemberOfDangling: error|drop|ignore
olcMemberOfMemberAD: member
olcMemberOfGroupOC: groupOfNames|groupOfUniqueNames
olcMemberOfMemberOfAD: memberOf