Re: memberOf hidden?



Andrew Bartlett wrote:
> One of the odd things I've noticed since moving to OpenLDAP managing
> memberOf is that memberOf is a hidden attribute by default.  Is that
> because it is treated as operational (due to being managed by the
> module)?
> 
> I can un-hide it for Samba (I have code that adds a list of attributes
> to any query for *), but I just wanted to check there wasn't a more
> elegant way to do it.  

It is hidden because, due to design considerations, the memberof (or any
reverse membership link) has to be operational, and OpenLDAP only
returns user attributes if the attribute list is empty or equal to "*".

I think it MUST be operational because any class of entries must be
allowed to be listed as member of a group; thus, the memberOf attribute
has to be allowed by any objectClass.  The only valid option would have
been to add the extensibleObject class to all group members, and I
didn't consider this a viable option.  Moreover, it is by no means a
user attribute, since it is maintained by the DSA (and the user must not
be allowed to muck with it).

For those reasons, I believe returning it by default has to be an
option, since it seems definitely appropriate to require a client to
explicitly request it.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
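
Added example, not part of the original messages and not OpenLDAP or Samba code: a small Python model of the attribute selection described above (an empty list or "*" yields user attributes only; an operational attribute such as memberOf comes back only when named, or through "+" as defined in RFC 3673), together with a client-side rewrite of the kind Andrew mentions. The function names, the sample entry and the set of attributes treated as operational are constructed for illustration.

```python
# Model of LDAP search attribute selection (illustrative, not server code).

# Assumption of this model: these attributes are operational on the server.
OPERATIONAL = {"memberof", "createtimestamp"}

# Constructed sample entry.
ENTRY_ATTRS = {
    "uid": ["alice"],
    "cn": ["Alice Example"],
    "objectClass": ["inetOrgPerson"],
    "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    "createTimestamp": ["20240101000000Z"],
}


def select_attributes(entry_attrs, requested):
    """Server side: return the attributes a search with this list would yield."""
    req = {r.lower() for r in requested}
    all_user = not req or "*" in req   # empty list behaves like "*"
    all_operational = "+" in req       # RFC 3673: "+" means all operational
    result = {}
    for name, values in entry_attrs.items():
        key = name.lower()
        is_op = key in OPERATIONAL
        if key in req or (is_op and all_operational) or (not is_op and all_user):
            result[name] = values
    return result


def with_operational(requested, extra=("memberOf",)):
    """Client side: when the query asks for '*', also name the operational
    attributes the application depends on (hypothetical helper)."""
    req = list(requested) or ["*"]
    if "*" in req:
        present = {r.lower() for r in req}
        req += [a for a in extra if a.lower() not in present]
    return req


if __name__ == "__main__":
    for attrs in ([], ["*"], with_operational(["*"]), ["+"]):
        print(attrs, "->", sorted(select_attributes(ENTRY_ATTRS, attrs)))
```

A client that makes authorization decisions from memberOf should request it by name rather than rely on "*", since a missing attribute in the result is indistinguishable from membership in no groups.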