Brad Hartlove wrote:
I have been trying to include the memberOf attribute in a new objectClass. If I just set it to "MAY" (for example), it complains about using an operational attribute in my definition. I have seen quite a few Q&As about this, but I am really trying to understand where this issue is originating. Maybe I haven't looked at the right one yet. OpenDJ has the ability to utilize it in custom classes, so I was hoping to be able to also do the same in OpenLDAP. Thoughts?
I think there's a lot of confusion about this attribute:
1. 'memberOf' appeared first in MS AD where it's a simple back-link to group entries the entry is a *direct* member of. In AD's schema it's not marked as an operational attribute, like all other operational attributes in AD. ;-)
2. OpenLDAP's slapo-memberof implements exactly the same behaviour as MS AD, but the attribute type description correctly marks it with dSAOperation.
3. SunDS, OpenDJ, 389-DS implement the same semantics but IIRC they use the attribute 'isMemberOf'.
4. FreeIPA is abusing attribute 'memberOf' - with the same OID as in MS AD (yuck!) - as a normal user attribute to describe (server) group membership. For various reasons this sucks, but anyway...
=> I'd recommend defining your own custom attribute with clear semantics and not re-using 'memberOf' in your custom object class.
Or is there any reason why you insist on stepping into this trap?
Ciao, Michael.
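A small pre-flight check for the complaint Brad describes, added here as an example (it is not code from either poster or from OpenLDAP): it parses RFC 4512 attributeType and objectClass descriptions and lists the MUST/MAY members whose USAGE is not userApplications, which is what slapd objects to when 'memberOf' (dSAOperation under slapo-memberof) is put in a custom class. The OIDs under 1.3.6.1.4.1.99999 and the 'exampleServerGroup' attribute are constructed placeholders.

```python
import re

# Constructed schema definitions (RFC 4512 syntax, placeholder OIDs).  'memberOf' is
# declared the way slapo-memberof does: USAGE dSAOperation, i.e. operational.
# 'exampleServerGroup' is the kind of user-maintained attribute Michael recommends.
ATTRIBUTE_TYPES = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'memberOf' DESC 'back-link to groups' "
    "EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
    "NO-USER-MODIFICATION USAGE dSAOperation )",
    "( 1.3.6.1.4.1.99999.1.2 NAME 'exampleServerGroup' DESC 'server group, user-maintained' "
    "EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )",
]

def parse_attribute_type(desc):
    """Return (first NAME, USAGE) of an attributeType; USAGE defaults to userApplications."""
    name = re.search(r"NAME\s+\(?\s*'([^']+)'", desc).group(1)
    usage = re.search(r"USAGE\s+(\w+)", desc)
    return name, (usage.group(1) if usage else "userApplications")

def parse_object_class_attrs(desc):
    """Return the set of attribute names listed under MUST and MAY in an objectClass."""
    attrs = set()
    for keyword in ("MUST", "MAY"):
        m = re.search(keyword + r"\s+(\(\s*[^)]*\)|\S+)", desc)
        if m:
            # Accept both 'MAY cn' and 'MAY ( cn $ sn )' forms.
            attrs.update(a for a in re.split(r"[\s$()]+", m.group(1)) if a)
    return attrs

def operational_attrs_in_class(object_class_desc, attribute_types=ATTRIBUTE_TYPES):
    """Names in MUST/MAY whose USAGE is not userApplications; slapd rejects such a class.
    Attributes not found in attribute_types are assumed to be userApplications."""
    usage = dict(parse_attribute_type(d) for d in attribute_types)
    return sorted(a for a in parse_object_class_attrs(object_class_desc)
                  if usage.get(a, "userApplications") != "userApplications")

# Constructed objectClass definitions: the rejected one and the corrected one.
BROKEN_CLASS = ("( 1.3.6.1.4.1.99999.2.1 NAME 'exampleServerAccount' SUP top AUXILIARY "
                "MAY ( memberOf $ description ) )")
FIXED_CLASS = ("( 1.3.6.1.4.1.99999.2.1 NAME 'exampleServerAccount' SUP top AUXILIARY "
               "MAY ( exampleServerGroup $ description ) )")

if __name__ == "__main__":
    print("broken:", operational_attrs_in_class(BROKEN_CLASS))  # ['memberOf']
    print("fixed: ", operational_attrs_in_class(FIXED_CLASS))   # []
```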