SLAPO-MEMBEROF(5) File Formats Manual SLAPO-MEMBEROF(5)
NAME
slapo-memberof - Reverse Group Membership overlay to slapd
SYNOPSIS
/etc/ldap/slapd.conf
DESCRIPTION
The memberof overlay to slapd(8) allows automatic reverse group member-
ship maintenance. Any time a group entry is modified, its members are
modified as appropriate in order to keep a DN-valued "is member of" at-
tribute updated with the DN of the group.
Note that the dynlist overlay can also provide this functionality and
may be suitable for less demanding environments.
CONFIGURATION
The config directives that are specific to the memberof overlay must be
prefixed by memberof-, to avoid potential conflicts with directives spe-
cific to the underlying database or to other stacked overlays.
overlay memberof
This directive adds the memberof overlay to the current database;
see slapd.conf(5) for details.
The following slapd.conf configuration options are defined for the mem-
berof overlay.
memberof-group-oc <group-oc>
The value <group-oc> is the name of the objectClass that triggers
the reverse group membership update. It defaults to groupOf-
Names.
memberof-member-ad <member-ad>
The value <member-ad> is the name of the attribute that contains
the names of the members in the group objects; it must be DN-val-
ued. It defaults to member.
memberof-memberof-ad <memberof-ad>
The value <memberof-ad> is the name of the attribute that con-
tains the names of the groups an entry is member of; it must be
DN-valued. Its contents are automatically updated by the over-
lay. It defaults to memberOf.
memberof-dn <dn>
The value <dn> contains the DN that is used as modifiersName for
internal modifications performed to update the reverse group mem-
bership. It defaults to the rootdn of the underlying database.
memberof-dangling {ignore, drop, error}
This option determines the behavior of the overlay when, during a
modification, it encounters dangling references. The default is
ignore, which may leave dangling references. Other options are
drop, which discards those modifications that would result in
dangling references, and error, which causes modifications that
would result in dangling references to fail.
memberof-dangling-error <error-code>
If memberof-dangling is set to error, this configuration parame-
ter can be used to modify the response code returned in case of
violation. It defaults to "constraint violation", but other im-
plementations are known to return "no such object" instead.
memberof-refint {true|FALSE}
This option determines whether the overlay will try to preserve
referential integrity or not. If set to TRUE, when an entry con-
taining values of the "is member of" attribute is modified, the
corresponding groups are modified as well.
memberof-addcheck {true|FALSE}
This option determines whether the overlay will check newly added
entries for membership in any existing groups. This check is use-
ful if populated groups are created in the directory before the
entries they reference. The situation often occurs during repli-
cation, which may replicate entries in random order. If set to
TRUE, every Add operation will search for groups referencing the
added entry and populate its memberof attribute with the group
DNs. Note that memberof-dangling must be left on its default set-
ting of ignore for this option to work.
The memberof overlay may be used with any backend that provides full
read-write functionality, but it is mainly intended for use with local
storage backends. The maintenance operations it performs are internal to
the server on which the overlay is configured and are never replicated.
Consumer servers should be configured with their own instances of the
memberOf overlay if it is desired to maintain these memberOf attributes
on the consumers. Consumers must also be configured to exclude the mem-
berof attribute from replication. (See the exattrs option in the con-
sumer configuration.)
FILES
/etc/ldap/slapd.conf
default slapd configuration file
BACKWARD COMPATIBILITY
The memberof overlay has been reworked with the 2.5 release to use a
consistent namespace as with other overlays. As a side-effect the fol-
lowing cn=config parameters are deprecated and will be removed in a fu-
ture release: olcMemberOf is replaced with olcMemberOfConfig
SEE ALSO
slapo-dynlist(5), slapd.conf(5), slapd-config(5), slapd(8). The
slapo-memberof(5) overlay supports dynamic configuration via back-con-
fig.
ACKNOWLEDGEMENTS
This module was written in 2005 by Pierangelo Masarati for SysNet s.n.c.
OpenLDAP 2.6.10+dfsg-1 2025/05/22 SLAPO-MEMBEROF(5)
Generated by dwww version 1.16 on Tue Dec 16 04:46:50 CET 2025.