Andrew Bartlett wrote:
On Tue, 2008-01-15 at 21:46 -0800, Quanah Gibson-Mount wrote:
--On Wednesday, January 16, 2008 4:31 PM +1100 Andrew Bartlett abartlet@samba.org wrote:
Then it just works, and I don't have to do an extra fish for this particular operational attribute.
I'm somewhat curious why "memberOf" the attribute would be operational. "member" isn't, and it is of a similar vein..
In the AD aggregate schema they are marked:
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )
attributeTypes: ( 2.5.4.31 NAME 'member' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
'memberOf' is the end that is calculated, while 'member' is the end being modified by the administrator.
I wanted the attribute playing the role of "memberOf" operational for two reasons:
- so that it can apply to any object without the need to be allowed by its objectClass chain and without the need to add the extensibleObject class, or the need to define and add an extra "canBeMemberOfGroup" class
- because it is managed by the DSA
There are other solutions, like the one I mentioned in the first place.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
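
Added example, not part of the original message and not OpenLDAP or Samba code: a small parser for the two attributeTypes values quoted above that reports whether each attribute is operational (by USAGE) and DSA-managed (NO-USER-MODIFICATION), and checks the RFC 4512 rule that NO-USER-MODIFICATION requires an operational USAGE. The third definition, with USAGE dSAOperation, is constructed for comparison, and the function names are hypothetical.

```python
import re

# The two definitions quoted from the AD aggregate schema in the message above.
AD_SCHEMA = [
    "( 1.2.840.113556.1.2.102 NAME 'memberOf' "
    "SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )",
    "( 2.5.4.31 NAME 'member' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )",
]
# Constructed for comparison (not from the message): an operational USAGE added.
CONSTRUCTED = ("( 1.2.840.113556.1.2.102 NAME 'memberOf' "
               "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
               "NO-USER-MODIFICATION USAGE dSAOperation )")

OPERATIONAL_USAGES = {"directoryOperation", "distributedOperation", "dSAOperation"}

def parse_attribute_type(definition):
    """Parse the parts of an RFC 4512 AttributeTypeDescription used here."""
    tokens = re.findall(r"'[^']*'|[()]|[^\s()]+", definition)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not a parenthesised attribute type description")
    attr = {"oid": tokens[1], "names": [],
            "usage": "userApplications",      # RFC 4512 default when USAGE is absent
            "no_user_modification": False}
    body, i = tokens[2:-1], 0
    while i < len(body):
        key = body[i]
        if key == "NAME" and body[i + 1] == "(":   # NAME ( 'a' 'b' )
            end = body.index(")", i)
            attr["names"] = [t.strip("'") for t in body[i + 2:end]]
            i = end + 1
        elif key == "NAME":                         # NAME 'a'
            attr["names"] = [body[i + 1].strip("'")]
            i += 2
        elif key == "USAGE":
            attr["usage"] = body[i + 1]
            i += 2
        else:
            if key == "NO-USER-MODIFICATION":
                attr["no_user_modification"] = True
            i += 1                                  # other keywords are skipped
    return attr

def classify(attr):
    operational = attr["usage"] in OPERATIONAL_USAGES
    managed = attr["no_user_modification"]
    # RFC 4512, 4.1.2: NO-USER-MODIFICATION requires an operational usage.
    return {"name": attr["names"][0], "operational": operational,
            "dsa_managed": managed, "rfc4512_consistent": operational or not managed}
```

Run over the quoted lines, 'memberOf' comes out DSA-managed but not operational, because the quoted definition carries no USAGE clause; only the constructed variant satisfies the RFC 4512 rule.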