Hi,
I am running OpenLDAP server on Ubuntu 18.
The memberOf attribute is not showing in an LDAP simple search; if I do the following, the memberOf attribute is hidden.

ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com

# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: udraz
sn: Draz
givenName: Umar
mail: udraz@example.com
cn: Umar Draz
displayName: Umar Draz
uidNumber: 5000
gidNumber: 5000
gecos: Umar Draz
loginShell: /bin/bash
homeDirectory: /home/udraz

But if I do the following, the memberOf attribute appears:

ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf

# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
memberOf: cn=developers,ou=Users,dc=example,dc=com

Would you please help me solve this?
On 9/2/20 3:26 PM, Umar Draz wrote:
Hi,
I am running OpenLDAP server on Ubuntu 18.
ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf

# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
memberOf: cn=developers,ou=Users,dc=example,dc=com

Would you please help me solve this?
memberOf is an operational attribute; you either have to specify it directly or use + to return all operationals.
It's mentioned in the ldapsearch manual as well.
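As an added illustration of Michal's point (example code written for this edit, not code from the thread or from the OpenLDAP project): a small Python model of how a server decides which attributes to return for a search request, following RFC 4511 section 4.5.1.8 (empty list or "*" means all user attributes, "1.1" means none) and RFC 3673 ("+" means all operational attributes). The entry is built from the ldapsearch output quoted above; the modifyTimestamp and entryUUID values are constructed placeholders, and the set of operational attribute names is an assumption for the model rather than the server's real schema.

```python
# Added example: a model of LDAP attribute selection (RFC 4511 4.5.1.8, RFC 3673).
# Entry constructed from the ldapsearch output in the thread; timestamp and
# entryUUID values are placeholders.
ENTRY = {
    "dn": "uid=udraz,ou=Users,dc=example,dc=com",
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "posixAccount", "shadowAccount"],
    "uid": ["udraz"],
    "sn": ["Draz"],
    "givenName": ["Umar"],
    "mail": ["udraz@example.com"],
    "cn": ["Umar Draz"],
    "displayName": ["Umar Draz"],
    "uidNumber": ["5000"],
    "gidNumber": ["5000"],
    "gecos": ["Umar Draz"],
    "loginShell": ["/bin/bash"],
    "homeDirectory": ["/home/udraz"],
    # operational attributes: maintained by the server, not by the client
    "memberOf": ["cn=developers,ou=Users,dc=example,dc=com"],
    "modifyTimestamp": ["20200902120000Z"],                 # constructed
    "entryUUID": ["00000000-0000-0000-0000-000000000000"],  # placeholder
}

# Assumed set of operational attribute names for this model (compared
# case-insensitively, as LDAP attribute names are).
OPERATIONAL = {"memberof", "modifytimestamp", "createtimestamp", "entryuuid"}


def select_attributes(entry, requested):
    """Return the attributes a server would send for the given request list.

    requested is the list passed on the ldapsearch command line after the
    filter: [] or ["*"] -> all user attributes; ["+"] -> all operational
    attributes; ["1.1"] alone -> DN only; explicit names are always included.
    """
    requested = [a.strip() for a in requested]
    if requested == ["1.1"]:
        return {}
    want_user = not requested or "*" in requested
    want_oper = "+" in requested
    explicit = {a.lower() for a in requested if a not in ("*", "+", "1.1")}
    selected = {}
    for name, values in entry.items():
        if name == "dn":
            continue
        is_oper = name.lower() in OPERATIONAL
        if name.lower() in explicit or (want_oper if is_oper else want_user):
            selected[name] = list(values)
    return selected


def to_ldif(dn, attrs):
    """Render a selected entry the way ldapsearch -LLL prints it."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        lines.extend(f"{name}: {v}" for v in values)
    return "\n".join(lines)


if __name__ == "__main__":
    for request in ([], ["memberOf"], ["+"], ["*", "+"]):
        print(f"--- requested: {request or '(default)'}")
        print(to_ldif(ENTRY["dn"], select_attributes(ENTRY, request)))
```

With no attribute list (the first ldapsearch in the thread) only the twelve user attributes come back and memberOf is absent; naming memberOf, or passing "+", makes it appear, and "* +" returns both sets in one search.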
Michal Soltys msoltyspl@yandex.pl wrote on 02.09.2020 at 17:22 in message 3ab77434-434a-0d46-16b5-0917e7dc3995@yandex.pl:
On 9/2/20 3:26 PM, Umar Draz wrote:
Hi,
I am running OpenLDAP server on Ubuntu 18.
ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf

# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
memberOf: cn=developers,ou=Users,dc=example,dc=com

Would you please help me solve this?
memberOf is an operational attribute; you either have to specify it directly or use + to return all operationals.
It's mentioned in the ldapsearch manual as well.
Hi!
I thought operational attributes are mainly for "internal management purposes". Are there any rules what makes an attribute operational? I don't mean the implementation that makes them operational, but guidelines.
Regards, Ulrich
--On Thursday, September 3, 2020 9:26 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
I thought operational attributes are mainly for "internal management purposes". Are there any rules what makes an attribute operational?
Depends on the attribute. Most are defined such via RFC. In the case of memberOf, there is no RFC, so we match how Microsoft has set the attribute, since they originated it. They marked it operational.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
To add to Quanah's right statement:
Generally operational attributes are those attributes that are managed by the server and not by the clients, e.g. modifyTimeStamp etc. Since the server manages memberOf on the fly (based on the client managed member attribute in group objects) it is IMO rightly marked as operational.
Cheers,
Peter
On 03.09.20 at 17:16 Quanah Gibson-Mount wrote:
--On Thursday, September 3, 2020 9:26 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
I thought operational attributes are mainly for "internal management purposes". Are there any rules what makes an attribute operational?
Depends on the attribute. Most are defined such via RFC. In the case of memberOf, there is no RFC, so we match how Microsoft has set the attribute, since they originated it. They marked it operational.
Regards, Quanah
Peter Gietz peter.gietz@daasi.de wrote on 09.09.2020 at 17:45 in message 936a57a3-58ec-9ccd-105d-8e1e2b2749c9@daasi.de:
To add to Quanah's right statement:
Generally operational attributes are those attributes that are managed by the server and not by the clients, e.g. modifyTimeStamp etc. Since the server manages memberOf on the fly (based on the client managed member attribute in group objects) it is IMO rightly marked as operational.
Hi!
That is one aspect; the other aspect is "who _uses_ the attribute?". Typically clients don't care about modifyTimeStamp (maybe they are not even allowed to read it), but obviously memberOf is something the client cares about, because it's essential information.
Regards, Ulrich
Cheers,
Peter
On 03.09.20 at 17:16 Quanah Gibson-Mount wrote:
--On Thursday, September 3, 2020 9:26 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
I thought operational attributes are mainly for "internal management purposes". Are there any rules what makes an attribute operational?
Depends on the attribute. Most are defined such via RFC. In the case of memberOf, there is no RFC, so we match how Microsoft has set the attribute, since they originated it. They marked it operational.
Regards, Quanah
--
Peter Gietz, CEO
DAASI International GmbH Europaplatz 3 D-72072 Tübingen Germany
phone: +49 7071 407109-0 fax: +49 7071 407109-9 email: peter.gietz@daasi.de web: www.daasi.de
Registered office: Tübingen; Register court: Amtsgericht Stuttgart, HRB 382175; Management: Peter Gietz
--On Thursday, September 10, 2020 10:13 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
That is one aspect; the other aspect is "who _uses_ the attribute?". Typically clients don't care about modifyTimeStamp (maybe they are not even allowed to read it), but obviously memberOf is something the client cares about, because it's essential information.
There are plenty of attributes that are used by clients that are operational (much of ppolicy for example). And there are many clients that *do* make use of things like modifyTimeStamp, to find all entries modified after X point in time.
In any case, if you feel memberOf should not be operational, feel free to argue this point with Microsoft. ;)
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 9/10/20 9:13 AM, Ulrich Windl wrote:
Typically clients don't care about modifyTimeStamp (maybe even they are not allowed to read it),
If you run sssd as NSS/PAM daemon then have a look in your logs: sssd uses modifyTimeStamp for searching recently modified entries.
And many other clients do this too.
Anyway LDAP clients should always explicitly request the attributes they really use to avoid unneeded data being transferred. Whether those are user or operational attributes does not matter.
Ciao, Michael.
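An added example (written for this edit, not code from the thread, sssd or the OpenLDAP project) of what Quanah and Michael describe: a client that asks only for the attributes it actually uses, operational ones such as memberOf and modifyTimestamp named explicitly, and that finds entries changed after a given point in time by filtering on modifyTimestamp. The entries and their timestamps are constructed sample data; the parser accepts the YYYYMMDDHHMMSS[.fff]Z form that OpenLDAP writes, not the full RFC 4517 GeneralizedTime grammar, and the search_argv helper is a hypothetical wrapper around the ldapsearch command line used in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: what a search asking for "uid modifyTimestamp" might
# return for three accounts. modifyTimestamp is operational, so it only
# shows up because the client named it.
ENTRIES = [
    {"dn": "uid=udraz,ou=Users,dc=example,dc=com",
     "uid": ["udraz"], "modifyTimestamp": ["20200902120000Z"]},
    {"dn": "uid=alice,ou=Users,dc=example,dc=com",
     "uid": ["alice"], "modifyTimestamp": ["20200815083000Z"]},
    {"dn": "uid=bob,ou=Users,dc=example,dc=com",
     "uid": ["bob"], "modifyTimestamp": ["20200903173012Z"]},
]

# OpenLDAP emits YYYYMMDDHHMMSSZ, optionally with a fractional second; this
# regex covers only that subset of RFC 4517 GeneralizedTime.
_GT = re.compile(r"^(\d{14})(?:[.,]\d+)?Z$")


def parse_generalized_time(value):
    """GeneralizedTime string -> timezone-aware UTC datetime."""
    m = _GT.match(value)
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def format_generalized_time(dt):
    """datetime -> GeneralizedTime string usable in an LDAP filter."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def modified_since_filter(since, base_filter="(objectClass=posixAccount)"):
    """Server-side filter matching entries changed at or after `since`
    (modifyTimestamp supports generalizedTimeOrderingMatch, so >= works)."""
    return f"(&{base_filter}(modifyTimestamp>={format_generalized_time(since)}))"


def search_argv(base, ldap_filter, attrs):
    """Hypothetical helper: the ldapsearch command line from the thread, with
    every attribute the client uses listed explicitly so neither user nor
    operational attributes are left to the server's default selection."""
    return ["ldapsearch", "-LLL", "-Y", "EXTERNAL", "-H", "ldapi:///",
            "-b", base, ldap_filter, *attrs]


def entries_modified_since(entries, since):
    """Client-side counterpart of the filter for entries already fetched."""
    return [e for e in entries
            if parse_generalized_time(e["modifyTimestamp"][0]) >= since]


if __name__ == "__main__":
    since = datetime(2020, 9, 1, tzinfo=timezone.utc)
    print(" ".join(search_argv("dc=example,dc=com", modified_since_filter(since),
                               ["uid", "memberOf", "modifyTimestamp"])))
    for e in entries_modified_since(ENTRIES, since):
        print(e["dn"], e["modifyTimestamp"][0])
```

Requesting the exact attribute list keeps the response small, and pushing the timestamp comparison into the filter lets the server, not the client, discard the unchanged entries.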
On Wed, 2 Sep 2020 18:26:52 +0500 Umar Draz unix.co@gmail.com wrote:
Hi,
I am running OpenLDAP server on Ubuntu 18.
The memberOf attribute is not showing in an LDAP simple search; if I do the following, the memberOf attribute is hidden.

ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com

# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: udraz
sn: Draz
givenName: Umar
mail: udraz@example.com
cn: Umar Draz
displayName: Umar Draz
uidNumber: 5000
gidNumber: 5000
gecos: Umar Draz
loginShell: /bin/bash
homeDirectory: /home/udraz

But if I do the following, the memberOf attribute appears:

ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf

# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
memberOf: cn=developers,ou=Users,dc=example,dc=com

Would you please help me solve this?
The memberof attribute type is an on-the-fly generated operational attribute.
-Dieter
openldap-technical@openldap.org