quanah(a)openldap.org wrote:
Full_Name: Quanah Gibson-Mount
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)
Per the slapo-memberof man page, you can define a different attribute than
"memberOf" to hold the group membership information for an entry.
However, this fails due to the fact that when a different attribute is used,
slapd applies objectClass rule requirements to the entry. slapd does *not* do
this when the default value of "memberOf" is used.
That's because memberOf is an operational attribute, so objectclass
requirements don't apply. If you want to use some other attribute, make sure
the schema allows it in the relevant entries, or use an operational attribute.
Not a bug. Closing this ITS.
Example config:
overlay memberof
memberof-group-oc groupofuniquenames
memberof-member-ad uniquemember
memberof-memberof-ad ismemberof
Example schema:
attributetype ( 2.15.930.3.234225.3.1
NAME 'isMemberOf'
DESC 'Sun defined attribute type'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
X-ORIGIN 'Sun Directory Server' )
Create a group:
dn: cn=mygroup,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: mygroup
uniqueMember: cn=La Valko,ou=Peons,dc=example,dc=com
Group creates OK, but:
slapd[5149]: Entry (cn=La Valko,ou=Peons,dc=example,dc=com), attribute 'isMemberOf' not allowed
slapd[5149]: entry failed schema check: attribute 'isMemberOf' not allowed
slapd[5149]: conn=1000 op=19: memberof_value_modify DN="cn=la valko,ou=peons,dc=example,dc=com" add isMemberOf="cn=mygroup,dc=example,dc=com" failed err=65
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
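
Added example, not part of the original thread and not OpenLDAP code: a small Python model of the rule given in the reply above, predicting whether the overlay's write to the `memberof-memberof-ad` attribute passes the schema check or fails with err=65. Assumptions: the object classes `examplePerson` and `exampleMemberInfo`, their OIDs, and the `USAGE directoryOperation` variant of the attribute are constructed for illustration; SUP inheritance, extensibleObject and content rules are not modelled.

```python
import re

# The page's attribute type (DESC and X-ORIGIN omitted) and a constructed
# variant that declares it operational.
ATTR_USER = ("( 2.15.930.3.234225.3.1 NAME 'isMemberOf' "
             "EQUALITY distinguishedNameMatch "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )")
ATTR_OPERATIONAL = ATTR_USER[:-1] + "USAGE directoryOperation )"

# Constructed object classes (hypothetical names and OIDs) for the member entry.
OBJECT_CLASSES = [
    "( 1.1.2.2.1 NAME 'examplePerson' SUP top STRUCTURAL MUST cn MAY ( sn $ mail ) )",
    "( 1.1.2.2.2 NAME 'exampleMemberInfo' SUP top AUXILIARY MAY isMemberOf )",
]

LDAP_SUCCESS = 0
LDAP_OBJECT_CLASS_VIOLATION = 65  # the err=65 seen in the log above


def is_operational(attr_def):
    """RFC 4512: any USAGE other than userApplications is operational."""
    m = re.search(r"\bUSAGE\s+(\w+)", attr_def)
    return bool(m) and m.group(1) != "userApplications"


def allowed_attrs(oc_def):
    """Return (class name, set of MUST/MAY attribute names), lower-cased."""
    name = re.search(r"NAME\s+'([^']+)'", oc_def).group(1).lower()
    attrs = set()
    for m in re.finditer(r"\b(?:MUST|MAY)\s+(\([^)]*\)|[\w;-]+)", oc_def):
        attrs.update(a.lower() for a in re.findall(r"[\w;-]+", m.group(1)))
    return name, attrs


def overlay_write_result(attr_def, entry_classes, oc_defs):
    """Result code expected when the overlay adds attr_def's attribute
    to an entry carrying entry_classes."""
    attr = re.search(r"NAME\s+'([^']+)'", attr_def).group(1).lower()
    if is_operational(attr_def):
        return LDAP_SUCCESS  # object class rules do not apply
    table = dict(allowed_attrs(d) for d in oc_defs)
    if any(attr in table.get(c.lower(), set()) for c in entry_classes):
        return LDAP_SUCCESS  # some class on the entry lists it in MUST/MAY
    return LDAP_OBJECT_CLASS_VIOLATION


if __name__ == "__main__":
    person = ["top", "examplePerson"]
    print(overlay_write_result(ATTR_USER, person, OBJECT_CLASSES))
    print(overlay_write_result(ATTR_OPERATIONAL, person, OBJECT_CLASSES))
    print(overlay_write_result(ATTR_USER, person + ["exampleMemberInfo"], OBJECT_CLASSES))
```

The three calls correspond to the reported failure and to the two remedies named in the reply: an operational attribute, or a schema that allows the attribute on the member entries.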