Add overlays in LDAP

[venekamp]

Suggeested by Martin van Es. Use overlays to have openLDAP automatically add a memberof attribute when a DN is added to ou=group. This makes searching if a DN is a member of group easy, because the other way would mean searching though all DNs in group and determine if the DN is present there.

---

Wellicht is de memberof overlay een aardige toevoeging op de provisioning van
de standaard LDAP?

cat memberof.ldif

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof.ldif

cat refint.ldif

dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: refint.la
olcmodulepath: /usr/lib/ldap

dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint.ldif

ldapsearch -x -D cn=admin,dc=ldap,dc=example,dc=org -w ChangeThisSecret -H

ldapi:/// -b dc=ldap,dc=example,dc=org memberof

...

student_mrvanes.com, people, ldap.example.org

dn: uid=student_mrvanes.com,ou=people,dc=ldap,dc=example,dc=org
memberOf: cn=CO:members:active,ou=group,dc=ldap,dc=example,dc=org
memberOf: cn=CO:members:all,ou=group,dc=ldap,dc=example,dc=org
memberOf: cn=barfoo,ou=group,dc=ldap,dc=example,dc=org
...