I have been trying to include the memberOf attribute in a new objectClass. If I just set it to "MAY" (for example), it complains about using an operational attribute in my definition. I have seen quite a few Q&As about this, but I am really trying to understand where this issue is originating. Maybe I haven't looked at the right one yet. OpenDJ has the ability to utilize it in custom classes, so I was hoping to be able to also do the same in OpenLDAP. Thoughts?
On Thu, 27 Mar 2014 13:45:34 -0400, Brad Hartlove bradley.hartlove@g2-inc.com wrote:
I have been trying to include the memberOf attribute in a new objectClass. If I just set it to "MAY" (for example), it complains about using an operational attribute in my definition. I have seen quite a few Q&As about this, but I am really trying to understand where this issue is originating. Maybe I haven't looked at the right one yet. OpenDJ has the ability to utilize it in custom classes, so I was hoping to be able to also do the same in OpenLDAP. Thoughts?
man slapo-memberof(5)
-Dieter
Ok, so RTFM does no good for the question I am asking. Honestly, I don't need an LMGTFU or more of the slapo-memberof. I have read these dozens of times and nowhere have I found a valid or even acceptable answer to my question. The core problem is why I cannot add the operational attribute to my custom objectclass. Nowhere in the man page is this addressed. If this question is not worth answering, no sweat.
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter Klünter Sent: Thursday, March 27, 2014 2:20 PM To: openldap-technical@openldap.org Subject: Re: memberof in openldap
On Thu, 27 Mar 2014 13:45:34 -0400, Brad Hartlove bradley.hartlove@g2-inc.com wrote:
I have been trying to include the memberOf attribute in a new objectClass. If I just set it to "MAY" (for example), it complains about using an operational attribute in my definition. I have seen quite a few Q&As about this, but I am really trying to understand where this issue is originating. Maybe I haven't looked at the right one yet. OpenDJ has the ability to utilize it in custom classes, so I was hoping to be able to also do the same in OpenLDAP. Thoughts?
man slapo-memberof(5)
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Brad Hartlove wrote:
The core problem is why can I not add the operational attribute to my custom objectclass.
Operational attributes are simply not normal user attributes.
If your LDAP client is supposed to alter an attribute via LDAP it has to be a user attribute. Period.
Ciao, Michael.
Michael Ströder wrote:
Brad Hartlove wrote:
The core problem is why can I not add the operational attribute to my custom objectclass.
Operational attributes are simply not normal user attributes.
If your LDAP client is supposed to alter an attribute via LDAP it has to be a user attribute. Period.
That's only a partial answer.
Brad, the answer is "go read the LDAP spec" - operational attributes are never part of any objectclass definition, and the server is free to use them in any entry regardless of objectclass.
The OpenLDAP manpages are not here to teach you the basics of LDAP. You're expected to read the specs and know the basics of LDAP.
Brad Hartlove wrote:
I have been trying to include the memberOf attribute in a new objectClass. If I just set it to "MAY" (for example), it complains about using an operational attribute in my definition. I have seen quite a few Q&As about this, but I am really trying to understand where this issue is originating. Maybe I haven't looked at the right one yet. OpenDJ has the ability to utilize it in custom classes, so I was hoping to be able to also do the same in OpenLDAP. Thoughts?
I think there's a lot of confusion about this attribute:
1. 'memberOf' appeared first in MS AD where it's a simple back-link to the group entries the entry is a *direct* member of. In AD's schema it's not marked as an operational attribute, like all other operational attributes in AD. ;-)
2. OpenLDAP's slapo-memberof implements exactly the same behaviour as MS AD, but the attribute type description correctly marks it with dSAOperation.
3. SunDS, OpenDJ, 389-DS implement the same semantics but IIRC they use the attribute 'isMemberOf'.
4. FreeIPA is abusing attribute 'memberOf' - with the same OID as in MS AD (yuck!) - as a normal user attribute to describe (server) group membership. For various reasons this sucks but anyway...
=> I'd recommend to define your own custom attribute with clear semantics and not re-use 'memberOf' in your custom object class.
Or is there any reason why you insist on stepping into this trap?
Ciao, Michael.
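To make the rule from Howard's reply (operational attributes are never part of an objectClass definition) and Michael's recommendation (define your own user attribute instead) concrete, here is an added example that is not code from the thread or from OpenLDAP. It parses a small constructed slapd-style schema fragment and applies the same check slapd makes when loading it: any attribute listed under MUST or MAY whose USAGE is not userApplications is rejected. The memberOf definition is modelled on the one slapo-memberof registers (the OID is the one MS AD uses); the 1.3.6.1.4.1.99999.* OIDs, the exampleServerGroup attribute and the exampleBadHost/exampleHost classes are placeholders for the example only. The parser covers only the subset of RFC 4512 syntax shown here, not full schema parsing.

```python
import re

# RFC 4512 USAGE values other than userApplications denote operational attributes.
OPERATIONAL_USAGES = {"directoryOperation", "distributedOperation", "dSAOperation"}

# Constructed schema fragment. exampleBadHost is what the original poster tried
# (memberOf under MAY); exampleHost is the recommended shape: a custom user attribute.
SCHEMA = """
attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf'
    DESC 'Group that the entry belongs to'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    EQUALITY distinguishedNameMatch
    USAGE dSAOperation NO-USER-MODIFICATION )
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleServerGroup'
    DESC 'Constructed: server group this entry belongs to'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    EQUALITY distinguishedNameMatch )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleBadHost'
    SUP top AUXILIARY
    MAY ( memberOf ) )
objectclass ( 1.3.6.1.4.1.99999.2.2 NAME 'exampleHost'
    SUP top AUXILIARY
    MAY ( exampleServerGroup ) )
"""


def _split_definitions(schema_text):
    """Yield (kind, body) for each attributetype/objectclass, honouring nested parentheses."""
    for m in re.finditer(r"\b(attributetype|objectclass)\s*\(", schema_text):
        depth, i = 1, m.end()
        while depth:
            if schema_text[i] == "(":
                depth += 1
            elif schema_text[i] == ")":
                depth -= 1
            i += 1
        yield m.group(1), schema_text[m.end():i - 1]


def _names(body):
    """Return the NAME value(s): either 'x' or ( 'x' 'y' )."""
    m = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", body)
    if not m:
        return []
    if m.group(1) is not None:
        return [m.group(1)]
    return re.findall(r"'([^']*)'", m.group(2))


def _attr_list(body, keyword):
    """Return the attribute names after MUST or MAY: either one name or ( a $ b )."""
    m = re.search(r"\b" + keyword + r"\s+(?:([A-Za-z][A-Za-z0-9-]*)|\(([^)]*)\))", body)
    if not m:
        return []
    if m.group(1):
        return [m.group(1)]
    return [t.strip() for t in m.group(2).split("$") if t.strip()]


def load_schema(schema_text):
    """Return (attribute types by lower-cased name, objectClasses by name)."""
    attrs, classes = {}, {}
    for kind, body in _split_definitions(schema_text):
        names = _names(body)
        if kind == "attributetype":
            usage = re.search(r"\bUSAGE\s+(\w+)", body)
            info = {
                "usage": usage.group(1) if usage else "userApplications",
                "no_user_mod": "NO-USER-MODIFICATION" in body,
            }
            for n in names:
                attrs[n.lower()] = info
        else:
            classes[names[0]] = _attr_list(body, "MUST") + _attr_list(body, "MAY")
    return attrs, classes


def check_objectclasses(schema_text):
    """Map each objectClass to the operational attributes it wrongly lists in MUST/MAY.

    An empty list means slapd would accept the class as far as this rule goes.
    Attributes not defined in the fragment are treated as user attributes here;
    a real slapd would reject them as undefined.
    """
    attrs, classes = load_schema(schema_text)
    report = {}
    for oc, members in classes.items():
        report[oc] = [
            a for a in members
            if attrs.get(a.lower(), {}).get("usage", "userApplications") in OPERATIONAL_USAGES
        ]
    return report


if __name__ == "__main__":
    for oc, bad in check_objectclasses(SCHEMA).items():
        status = "rejected: operational attribute(s) %s" % bad if bad else "ok"
        print("%-16s %s" % (oc, status))
```

The class that lists memberOf is the one slapd refuses; the class that lists the custom exampleServerGroup attribute is accepted, and clients can read and write that attribute normally while memberOf stays a server-maintained, NO-USER-MODIFICATION back-link that must be requested explicitly in searches.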