Type: Suggestion
Resolution: Low Engagement
Component/s: Directory - LDAP
Environment: OpenDS-2.3.0-build003
Background
By default, OpenDS comes with the following sections in config/config.ldif:
dn: cn=Virtual Static uniqueMember,cn=Virtual Attributes,cn=config
objectClass: ds-cfg-virtual-attribute
objectClass: ds-cfg-member-virtual-attribute
objectClass: top
ds-cfg-allow-retrieving-membership: false
ds-cfg-conflict-behavior: virtual-overrides-real
cn: Virtual Static uniqueMember
ds-cfg-attribute-type: uniqueMember
ds-cfg-enabled: true
ds-cfg-java-class: org.opends.server.extensions.MemberVirtualAttributeProvider
ds-cfg-filter: (&(objectClass=groupOfUniqueNames)(objectClass=ds-virtual-static-group))

dn: cn=Virtual Static member,cn=Virtual Attributes,cn=config
objectClass: ds-cfg-virtual-attribute
objectClass: ds-cfg-member-virtual-attribute
objectClass: top
ds-cfg-allow-retrieving-membership: true
ds-cfg-conflict-behavior: virtual-overrides-real
cn: Virtual Static member
ds-cfg-attribute-type: member
ds-cfg-enabled: true
ds-cfg-java-class: org.opends.server.extensions.MemberVirtualAttributeProvider
ds-cfg-filter: (&(objectClass=groupOfEntries)(objectClass=ds-virtual-static-group))
The line ds-cfg-allow-retrieving-membership: false prevents Virtual Static Groups from being found when searching for the groups that contain a particular uniqueMember; the search is disabled by default because evaluating it is inefficient. Additionally, the ds-cfg-filter lines in both entries assume that Virtual Static Groups using the uniqueMember attribute have objectClass=groupOfUniqueNames, and that those using the member attribute have objectClass=groupOfEntries.
Problem
- Crowd sometimes uses a filter like (&(objectclass=groupOfUniqueNames)(member=cn=username,ou=users,dc=example,dc=com)) when searching for memberships; this fails to discover Virtual Static Group memberships when ds-cfg-allow-retrieving-membership: false.
- If an OpenDS user has paired a membership attribute with an objectClass other than the default pairs for their Virtual Static Groups, some membership searches will fail regardless of that setting.
These problems result in memberships that are successfully discovered during directory synchronisation, but disappear when a user authenticates due to differing LDAP search query forms.
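To make the two failure modes above concrete, the following added example (not OpenDS or Crowd code) models how the two MemberVirtualAttributeProvider rules from the default config.ldif decide whether a membership search can see a Virtual Static Group. The filter evaluator supports only the (attr=value) and (&(...)(...)) forms that appear on this page, all DNs and group entries are constructed, and the rule "a virtual attribute whose provider has ds-cfg-allow-retrieving-membership: false never matches in a search filter" is a simplification of the behaviour described in the Background section.

```python
"""Added example: a small model of OpenDS virtual static group membership
searches.  Not OpenDS or Crowd code; entries, DNs and the simplified filter
semantics are assumptions made for illustration."""

# The two virtual-attribute rules, transcribed from the default config.ldif.
# Attribute names are kept lower-case because LDAP attribute names are
# case-insensitive.
DEFAULT_RULES = [
    {"attribute": "uniquemember", "allow_retrieving_membership": False,
     "filter": "(&(objectClass=groupOfUniqueNames)(objectClass=ds-virtual-static-group))"},
    {"attribute": "member", "allow_retrieving_membership": True,
     "filter": "(&(objectClass=groupOfEntries)(objectClass=ds-virtual-static-group))"},
]

USER_DN = "cn=username,ou=users,dc=example,dc=com"  # constructed

# Constructed entries: one real static group, plus two virtual static groups
# (one per default objectClass pairing) that point at it via ds-target-group-dn.
TARGET_GROUP = {
    "dn": ["cn=real-admins,ou=groups,dc=example,dc=com"],
    "objectclass": ["top", "groupOfUniqueNames"],
    "uniquemember": [USER_DN],
}
VIRTUAL_GROUP_GOUN = {
    "dn": ["cn=admins,ou=groups,dc=example,dc=com"],
    "objectclass": ["top", "groupOfUniqueNames", "ds-virtual-static-group"],
    "ds-target-group-dn": TARGET_GROUP["dn"],
}
VIRTUAL_GROUP_GOE = {
    "dn": ["cn=admins-goe,ou=groups,dc=example,dc=com"],
    "objectclass": ["top", "groupOfEntries", "ds-virtual-static-group"],
    "ds-target-group-dn": TARGET_GROUP["dn"],
}
DIRECTORY = {e["dn"][0].lower(): e
             for e in (TARGET_GROUP, VIRTUAL_GROUP_GOUN, VIRTUAL_GROUP_GOE)}


def parse_filter(text):
    """Parse (attr=value) or (&(f1)(f2)...) into a tuple tree."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    inner = text[1:-1]
    if inner.startswith("&"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(inner):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(inner[start:i + 1]))
        return ("and", parts)
    attr, sep, value = inner.partition("=")  # DN values may contain '='
    if not sep:
        raise ValueError("unsupported filter component: %r" % text)
    return ("eq", attr.lower(), value)


def virtual_values(entry, attr, rules, directory):
    """Values the provider would supply for `attr` on this entry and whether
    the attribute may be used in a search filter; None if no rule applies."""
    for rule in rules:
        if rule["attribute"] != attr:
            continue
        if not matches(parse_filter(rule["filter"]), entry, rules, directory,
                       virtual=False):
            continue
        # Members of a virtual static group are taken from the target group;
        # either member or uniqueMember on the target is accepted here.
        target = directory.get(entry["ds-target-group-dn"][0].lower(), {})
        members = target.get("member", []) + target.get("uniquemember", [])
        return members, rule["allow_retrieving_membership"]
    return None


def matches(filt, entry, rules, directory, virtual=True):
    """Evaluate a parsed filter against an entry.  A matching virtual-attribute
    rule overrides real values (virtual-overrides-real); if its
    allow-retrieving-membership flag is false the component never matches."""
    if filt[0] == "and":
        return all(matches(f, entry, rules, directory, virtual) for f in filt[1])
    _, attr, wanted = filt
    values = entry.get(attr, [])
    if virtual:
        resolved = virtual_values(entry, attr, rules, directory)
        if resolved is not None:
            values, searchable = resolved
            if not searchable:
                return False
    return wanted.lower() in (v.lower() for v in values)


def search(filter_text, directory=DIRECTORY, rules=DEFAULT_RULES):
    """Return the DNs of the entries matched by an LDAP filter string."""
    filt = parse_filter(filter_text)
    return sorted(e["dn"][0] for e in directory.values()
                  if matches(filt, e, rules, directory))


if __name__ == "__main__":
    sync_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % USER_DN
    crowd_filter = "(&(objectclass=groupOfUniqueNames)(member=%s))" % USER_DN
    print("uniqueMember search, defaults:", search(sync_filter))
    print("Crowd member search, defaults:", search(crowd_filter))
    relaxed = [dict(r, allow_retrieving_membership=True) for r in DEFAULT_RULES]
    print("uniqueMember search, retrieval allowed:", search(sync_filter, rules=relaxed))
```

With the default rules the uniqueMember search returns only the real group, because the virtual group's uniqueMember is not searchable; Crowd's groupOfUniqueNames/member combination returns nothing, since the member virtual attribute is only provided on groupOfEntries entries; and a bare (member=...) filter finds only the groupOfEntries virtual group. Switching allow-retrieving-membership to true is the configuration change the Solution section asks users to consider, and in the model it makes the groupOfUniqueNames virtual group visible to the uniqueMember search.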
Solution
When a user creates an OpenDS connector directory connection, notify them that they may need to modify their OpenDS configuration to match their actual use case in order for Crowd to find Virtual Static Group memberships. Link to a KB article explaining the issue.