OpenLDAP memberof overlay error: memberof_value_modify err=32

I am running OpenLDAP 2.4.57 with the refint and memberof overlays enabled, but when I create a groupOfNames I get the error memberof_value_modify .. failed err=32. I also have the syncprov overlay enabled. What am I doing wrong?

Group add

$ ldapadd -W -x -D cn=admin,dc=mydomain,dc=tld << EOF
dn: cn=mygroup,ou=groups,dc=mydomain,dc=tld
objectClass: top
objectClass: groupOfNames
cn: mygroup
member: cn=myüser,ou=members,dc=mydomain,dc=tld
EOF

Error log

slapd: conn=132979 op=1: memberof_value_modify DN="cn=myüser,ou=members,dc=mydomain,dc=tld" add memberOf="cn=mygroup,ou=groups,dc=mydomain,dc=tld" failed err=32
slapd: <= bdb_equality_candidates: (memberOf) not indexed

Configuration

$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}memberof
olcModuleLoad: {3}refint

$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD:: bWVtYmVyT2Yg

$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b olcOverlay={2}refint,olcDatabase={1}hdb,cn=config
dn: olcOverlay={2}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {2}refint
olcRefintAttribute: memberof member manager owner

Answer 1

Error 32 means no such object

The DN of my node is base64-encoded because it contains an accented character. With a different object that has a plain DN, everything works.

$ ldapsearch -W -x -D cn=admin,dc=mydomain,dc=tld -b ou=members,dc=mydomain,dc=tld sn=Doe
dn:: Y249bXn8c2VyLG91PW1lbWJlcnMsZGM9bXlkb21haW4sZGM9dGxk
objectClass: top
objectClass: person
objectClass: inetOrgPerson
sn: Doe
givenName: John
uid: john.doe

This is what RFC 2849 says:

  4)  Any dn or rdn that contains characters other than those
      defined as "SAFE-UTF8-CHAR", or begins with a character other
      than those defined as "SAFE-INIT-UTF8-CHAR", above, MUST be
      base-64 encoded.  Other values MAY be base-64 encoded.  Any
      value that contains characters other than those defined as
      "SAFE-CHAR", or begins with a character other than those
      defined as "SAFE-INIT-CHAR", above, MUST be base-64 encoded.
      Other values MAY be base-64 encoded.

Using the encoded version of the dn, everything works fine:

$ ldapadd -W -x -D cn=admin,dc=mydomain,dc=tld << EOF
dn: cn=mygroup,ou=groups,dc=mydomain,dc=tld
objectClass: top
objectClass: groupOfNames
cn: mygroup
member:: Y249bXn8c2VyLG91PW1lbWJlcnMsZGM9bXlkb21haW4sZGM9dGxk
EOF
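
Added example (not part of the question or the answer above): a small Python script that decodes the base64 `dn::` value from the answer's ldapsearch output and applies RFC 2849 rule 4 to decide when an LDIF value has to be written with `::`. Decoding the value shown on this page yields the bytes `cn=my\xfcser,ou=members,dc=mydomain,dc=tld`: the ü is stored as the single byte 0xFC (ISO-8859-1), not as the UTF-8 sequence C3 BC that ldapadd sends for a literal ü in `member: cn=myüser,...`. The server compares DN bytes, so the plain-text value names an entry that does not exist (err=32), while the base64 copy of the stored bytes matches. The same check explains why `olcMemberOfMemberOfAD` in the question is base64-encoded: its value ends with a space. The constants and function names below are this example's own.

```python
import base64

# Added example: decode LDIF "attr:: base64" values and apply the RFC 2849
# encoding rule, using the DN value posted in the answer above.

# Value copied from the answer's ldapsearch output (dn:: ...).
STORED_DN_LINE = "dn:: Y249bXn8c2VyLG91PW1lbWJlcnMsZGM9bXlkb21haW4sZGM9dGxk"
# The DN as typed in the failing ldapadd: a literal U+00FC, sent as UTF-8.
TYPED_DN = "cn=my\u00fcser,ou=members,dc=mydomain,dc=tld"


def ldif_value(line: str) -> bytes:
    """Return the raw bytes carried by one LDIF attribute line.

    "attr: value" carries the value literally; "attr:: value" carries it
    base64-encoded (RFC 2849). Folded continuation lines are not handled.
    """
    _name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode("utf-8")


def needs_base64(value: bytes) -> bool:
    """RFC 2849 rule 4: a value MUST be base64-encoded unless every byte is a
    SAFE-CHAR (ASCII, not NUL/LF/CR) and the first byte is a SAFE-INIT-CHAR
    (additionally not SPACE, ':' or '<'). RFC 2849 also says values that end
    with SPACE SHOULD be encoded; that is applied here too, which is why a
    value such as "memberOf " comes out base64-encoded.
    """
    if not value:
        return False
    if value[0] in b" :<" or value.endswith(b" "):
        return True
    return any(b >= 0x80 or b in (0x00, 0x0A, 0x0D) for b in value)


def ldif_line(attr: str, value: bytes) -> str:
    """Emit an LDIF attribute line, choosing ':' or '::' per needs_base64."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    # needs_base64 is False only when every byte is ASCII, so this cannot fail.
    return f"{attr}: {value.decode('ascii')}"


def compare_dns(stored_line: str, typed_dn: str) -> dict:
    """Decode the stored DN and report whether the typed DN's bytes match it."""
    stored = ldif_value(stored_line)
    typed = typed_dn.encode("utf-8")
    try:
        stored.decode("utf-8")
        stored_is_utf8 = True
    except UnicodeDecodeError:
        stored_is_utf8 = False
    return {
        "stored_bytes": stored,
        "stored_is_utf8": stored_is_utf8,
        "typed_bytes": typed,
        # slapd matches on bytes: this is the comparison that yields err=32.
        "bytes_match": stored == typed,
        # Same characters once the stored bytes are read as ISO-8859-1?
        "same_text_as_latin1": stored.decode("latin-1") == typed_dn,
        # The exact stored bytes, in the form the answer used for 'member::'.
        "member_line": ldif_line("member", stored),
    }


if __name__ == "__main__":
    for key, val in compare_dns(STORED_DN_LINE, TYPED_DN).items():
        print(f"{key}: {val!r}")
```

The `member_line` the script produces is byte-for-byte the `member::` line the answer ends up using; producing it from the decoded bytes rather than retyping the DN avoids guessing which encoding an older import left in the directory.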
