Introduction
MarkLogic uses the LDAP "memberOf" attribute to determine group membership when authorising access to specific security roles; however, by default the "memberOf" attribute is not enabled in an OpenLDAP server. This article shows how to enable the "memberOf" attribute in an OpenLDAP server so that MarkLogic can successfully determine group membership and authorise access to a role.
Configuring OpenLDAP to support the "memberOf" attribute
1. Create an LDIF file with the following contents:
memberOf.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
objectclass: top
olcModuleLoad: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectclass: olcconfig
objectclass: olcMemberOf
objectclass: olcoverlayconfig
objectclass: top
olcoverlay: memberof
Check that the database name assigned to "olcDatabase" matches the one on your system, as different Linux distributions may use other names, e.g. hdb instead of bdb.
/etc/openldap/slapd.d/cn=config
drwxr-x--- 2 ldap ldap 40 Nov 28 18:13 olcDatabase={2}bdb
Check that the OpenLDAP library name and path (olcModuleLoad and olcModulePath) are valid; as with the database name, these can vary between Linux distributions.
2. Issue the following command to add "memberOf" support, then restart OpenLDAP:
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/memberOf.ldif
If the ldapi:/// listener is not active on the system, add the following parameter to the OpenLDAP configuration in "/etc/sysconfig/ldap" and restart OpenLDAP first.
SLAPD_LDAPI=yes
3. You should now be able to add users to LDAP and assign them as members of the required LDAP groups; OpenLDAP will then add the "memberOf" attribute to their LDAP entries, e.g.
dn: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: appadmin
sn: MarkLogic App Admin
uid: appadmin
userPassword:: cGFzc3dvcmQ=

dn: cn=AppAdmin,ou=Groups,dc=MarkLogic,dc=Local
objectClass: top
objectClass: groupOfNames
cn: AppAdmin
member: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
Note
OpenLDAP adds "memberOf" to the user's LDAP entry as an operational attribute, so it will not be visible in the output of a normal "ldapsearch" command, e.g.
ldapsearch -x -h localhost -D "cn=Manager,dc=MarkLogic,dc=local" -W -b "uid=appadmin,ou=Users,dc=MarkLogic,dc=Local"
In order to display the operational attributes, add a "+" parameter to the end of the search command, e.g.
[admin@kerberos tmp]# ldapsearch -x -h localhost -D "cn=Manager,dc=MarkLogic,dc=local" -W -b "uid=appadmin,ou=Users,dc=MarkLogic,dc=Local" +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=appadmin,ou=Users,dc=MarkLogic,dc=Local> with scope subtree
# filter: (objectclass=*)
# requesting: +
#
# appadmin, Users, MarkLogic.Local
dn: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
structuralObjectClass: inetOrgPerson
entryUUID: 299e5620-49e2-1036-8750-e5471d51d42c
creatorsName: cn=Manager,dc=MarkLogic,dc=Local
createTimestamp: 20161128181352Z
entryCSN: 20161128181352.705449Z#000000#000#000000
modifyTimestamp: 20161128181352Z
memberOf: cn=AppAdmin,ou=Groups,dc=MarkLogic,dc=Local
modifiersName: cn=Manager,dc=MarkLogic,dc=Local
entryDN: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
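As an added check that is not part of this article or of MarkLogic, the following Python script parses the LDIF printed by the "ldapsearch ... +" command above and confirms that the user entry carries the expected "memberOf" value, so the group-to-role mapping can be verified before MarkLogic is pointed at the directory; the embedded sample LDIF is constructed from the output shown above, and the function names are this example's own.

```python
import base64

# Constructed sample modelled on the article's "ldapsearch ... +" output.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
structuralObjectClass: inetOrgPerson
memberOf: cn=AppAdmin,ou=Groups,dc=MarkLogic,dc=Local
entryDN: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry, handling '#' comments,
    folded continuation lines (leading space) and 'attr:: base64' values.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def same_dn(a, b):
    """Compare DNs ignoring case and whitespace around the RDN separators."""
    return [p.strip().lower() for p in a.split(",")] == \
        [p.strip().lower() for p in b.split(",")]


def has_member_of(ldif_text, user_dn, group_dn):
    """True if user_dn's entry lists group_dn in memberOf. False means the overlay
    is not loaded, or the membership predates enabling it (memberOf is not
    back-filled), so MarkLogic would not grant the mapped role."""
    for entry in parse_ldif(ldif_text):
        if any(same_dn(d, user_dn) for d in entry.get("dn", [])):
            return any(same_dn(g, group_dn) for g in entry.get("memberof", []))
    return False
```

On a live system, pipe the real search output into it, e.g. ldapsearch -x -H ldapi:/// -b "uid=appadmin,ou=Users,dc=MarkLogic,dc=Local" + | python3 -c 'import sys, check; print(check.has_member_of(sys.stdin.read(), ...))', substituting the module name and DNs for your environment.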
Additional reading
Assigning external LDAP group membership to a Role.
OpenLDAP memberOf overlay manual