Andrew Bartlett wrote:
One of the odd things I've noticed since moving to OpenLDAP managing memberOf is that memberOf is a hidden attribute by default. Is that because it is treated as operational (due to being managed by the module)?
I can un-hide it for Samba (I have code that adds a list of attributes to any query for *), but I just wanted to check there wasn't a more elegant way to do it.
It is hidden because, due to design considerations, the memberof (or any reverse membership link) has to be operational, and OpenLDAP only returns user attributes if the attribute list is empty or equal to "*".
I think it MUST be operational because any class of entries must be allowed to be listed as a member of a group; thus, the memberOf attribute has to be allowed by any objectClass. The only valid option would have been to add the extensibleObject class to all group members, and I didn't consider this a viable option. Moreover, it is by no means a user attribute, since it is maintained by the DSA (and the user must not be allowed to muck with it).
For those reasons, I believe returning it by default has to be an option, since it seems definitely appropriate to require a client to explicitly request it.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
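The attribute-selection behaviour Pierangelo describes, as an added example that is not part of the thread: it models the RFC 4511 rules a server applies to a requested attribute list (plus the RFC 3673 "+" selector), shows why an operational attribute such as memberOf is missing from a plain "*" search, and includes a client-side helper of the kind Andrew mentions that appends the needed operational attributes. The entry contents are constructed sample data, not real directory values.

```python
# Added example (not from the thread): models which attributes an LDAP server
# returns for a given attribute list, per RFC 4511 section 4.5.1.8 and RFC 3673.

# Constructed sample entry: ordinary user attributes plus operational attributes
# maintained by the DSA (memberOf is kept by the memberof overlay in OpenLDAP).
USER_ATTRS = {
    "objectClass": ["inetOrgPerson"],
    "cn": ["Alice Example"],
    "uid": ["alice"],
}
OPERATIONAL_ATTRS = {
    "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    "entryUUID": ["00000000-constructed-uuid-value"],
}


def select_attributes(requested, user_attrs=USER_ATTRS,
                      operational_attrs=OPERATIONAL_ATTRS):
    """Return the attributes a server would send for the selector list.

    - empty list or "*": all user attributes (operational ones are NOT included)
    - "+": all operational attributes (RFC 3673)
    - "1.1" alone: no attributes at all
    - any explicit name (case-insensitive): that attribute, user or operational
    """
    wanted = {a.lower() for a in requested}
    result = {}
    if wanted == {"1.1"}:
        return result
    if not requested or "*" in wanted:
        result.update(user_attrs)
    if "+" in wanted:
        result.update(operational_attrs)
    # Explicitly named attributes are returned even when they are operational.
    for name, values in list(user_attrs.items()) + list(operational_attrs.items()):
        if name.lower() in wanted:
            result[name] = values
    return result


def with_operational(requested, extra=("memberOf",)):
    """Client-side workaround of the kind described in the thread: when the
    caller asks for "*" (or for nothing), append the operational attributes
    it depends on so the server includes them in the reply."""
    requested = list(requested)
    if not requested or "*" in requested:
        requested.extend(a for a in extra if a not in requested)
    return requested
```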