我使用 OpenLDAP 2.4.57 启用了 refint 和 memberof 覆盖,但创建 groupOfNames 时出现错误memberof_value_modify .. failed err=32
。我还启用了备用 syncprov。我做错了什么?
组加法
$ ldapadd -W -x -D cn=admin,dc=mydomain,dc=tld << EOF
dn: cn=mygroup,ou=groups,dc=mydomain,dc=tld
objectClass: top
objectClass: groupOfNames
cn: mygroup
member: cn=myüser,ou=members,dc=mydomain,dc=tld
EOF
错误日志
slapd: conn=132979 op=1: memberof_value_modify DN="cn=myüser,ou=members,dc=mydomain,dc=tld" add memberOf="cn=mygroup,ou=groups,dc=mydomain,dc=tld" failed err=32
slapd: <= bdb_equality_candidates: (memberOf) not indexed
配置
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}memberof
olcModuleLoad: {3}refint
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD:: bWVtYmVyT2Yg
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b olcOverlay={2}refint,olcDatabase={1}hdb,cn=config
dn: olcOverlay={2}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {2}refint
olcRefintAttribute: memberof member manager owner
答案1
错误 32 意味着no such object
我的节点的 DN 是经过 base64 编码的,因为它包含重音符号。使用另一个具有明确 DN 的对象,一切正常。
$ ldapsearch -W -x -D cn=admin,dc=mydomain,dc=tld -b ou=members,dc=mydomain,dc=tld sn=Doe
dn:: Y249bXn8c2VyLG91PW1lbWJlcnMsZGM9bXlkb21haW4sZGM9dGxk
objectClass: top
objectClass: person
objectClass: inetOrgPerso
sn: Doe
givenName: John
uid: john.doe
这是在RFC2849说:
4) Any dn or rdn that contains characters other than those
defined as "SAFE-UTF8-CHAR", or begins with a character other
than those defined as "SAFE-INIT-UTF8-CHAR", above, MUST be
base-64 encoded. Other values MAY be base-64 encoded. Any
value that contains characters other than those defined as
"SAFE-CHAR", or begins with a character other than those
defined as "SAFE-INIT-CHAR", above, MUST be base-64 encoded.
Other values MAY be base-64 encoded.
使用 dn 的编码版本,一切工作正常:
$ ldapadd -W -x -D cn=admin,dc=mydomain,dc=tld << EOF
dn: cn=mygroup,ou=groups,dc=mydomain,dc=tld
objectClass: top
objectClass: groupOfNames
cn: mygroup
member:: Y249bXn8c2VyLG91PW1lbWJlcnMsZGM9bXlkb21haW4sZGM9dGxk
EOF