Interesting how this question is hitting a number of different mailing lists…

Here’s an edited extract of an email I’ve sent yesterday on OpenDJ mailing list:

The memberOf attribute name was used by Microsoft Active Directory with specific semantic. There is no LDAP representation of the attribute definition, but details, including OID, can be found here: <>. 
It was also used by a Sun product (Delegated Administration) with another definition and semantic. 

This is why we choose in Sun Directory Server, OpenDS and now OpenDJ to have a properly defined attribute with a different name: isMemberOf, operational and read-only.

My 2 cents,


Ludovic Poitou

From: Michael Ströder <>
Reply: Michael Ströder <>>
Date: 27 Apr 2015 at 22:43:41
To: Andrew Findlay <>>
Cc: <>>
Subject:  Re: Ldap challenge

Andrew Findlay wrote:
> On Mon, Apr 27, 2015 at 06:27:39PM +0000, Ross, Daniel B. wrote:
>> ismemberof does not exist we have to use memberof
> Memberof is fairly common. I don't think I have ever found a system
> that used 'ismemberof'.

'isMemberOf' is used on Sun/Oracle DSSE, Netscape/Fedora/389-DS and OpenDS/OpenDJ.

'memberOf' was originally defined in MS Active Directory and is used as
default in slapo-memberof. It's configurable though.

Ciao, Michael.