Issue 8825 - slapo-memberof: memberof-memberof-ad doesn't work correctly
Summary: slapo-memberof: memberof-memberof-ad doesn't work correctly
Status: VERIFIED WONTFIX
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: overlays (show other issues)
Version: 2.4.45
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2018-03-27 22:49 UTC by Quanah Gibson-Mount
Modified: 2021-02-22 18:34 UTC (History)
Description Quanah Gibson-Mount 2018-03-27 22:49:52 UTC
Full_Name: Quanah Gibson-Mount
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)


Per the slapo-memberof man page, you can define a different attribute than
"memberOf" to hold the group membership information for an entry.

However, this fails due to the fact that when a different attribute is used,
slapd applies objectClass rule requirements to the entry.  slapd does *not* do
this when the default value of "memberOf" is used.

Example config:

 overlay memberof
 memberof-group-oc groupofuniquenames
 memberof-member-ad uniquemember
 memberof-memberof-ad ismemberof

Example schema:

attributetype ( 2.15.930.3.234225.3.1
        NAME 'isMemberOf'
        DESC 'Sun defined attribute type'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        X-ORIGIN 'Sun Directory Server' )

Create a group:

 dn: cn=mygroup,dc=example,dc=com
 objectClass: top
 objectClass: groupOfUniqueNames
 cn: mygroup
 uniqueMember: cn=La Valko,ou=Peons,dc=example,dc=com

Group creates OK, but:

slapd[5149]: Entry (cn=La Valko,ou=Peons,dc=example,dc=com), attribute
'isMemberOf' not allowed
slapd[5149]: entry failed schema check: attribute 'isMemberOf' not allowed
slapd[5149]: conn=1000 op=19: memberof_value_modify DN="cn=la
valko,ou=peons,dc=example,dc=com" add isMemberOf="cn=mygroup,dc=example,dc=com"
failed err=65

Comment 1 Howard Chu 2018-03-27 23:14:39 UTC
quanah@openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.239)
> 
> 
> Per the slapo-memberof man page, you can define a different attribute than
> "memberOf" to hold the group membership information for an entry.
> 
> However, this fails due to the fact that when a different attribute is used,
> slapd applies objectClass rule requirements to the entry.  slapd does *not* do
> this when the default value of "memberOf" is used.

That's because memberOf is an operational attribute, so objectclass 
requirements don't apply. If you want to use some other attribute, make sure 
the schema allows it in the relevant entries, or use an operational attribute.

Not a bug. Closing this ITS.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Quanah Gibson-Mount 2018-03-27 23:59:58 UTC
--On Wednesday, March 28, 2018 1:14 AM +0100 Howard Chu <hyc@symas.com> wrote:

> That's because memberOf is an operational attribute, so objectclass
> requirements don't apply. If you want to use some other attribute, make
> sure the schema allows it in the relevant entries, or use an operational
> attribute.
>
> Not a bug. Closing this ITS.

For historical purposes, it is a bit more complex than this.

It is not possible to include an operational attribute via the normal 
schema methods.  This depends on the "dsaschema" contrib overlay.  That 
contrib overlay requires development to support cn=config.

The alternative to using an operational attribute is to have a custom 
objectClass where the custom attribute desired is defined as an optional 
("MAY") attribute.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
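The mechanism both comments describe, as an added example that is not part of this ITS thread or of OpenLDAP's own code: a small Python model of the objectClass schema check behind the "attribute 'isMemberOf' not allowed ... err=65" lines in the report (65 is the LDAP result code objectClassViolation). It shows the default memberOf attribute passing because it is operational, the user attribute isMemberOf being rejected because no objectClass of the user entry lists it, and the fix from comment 2, an auxiliary objectClass that lists isMemberOf under MAY. The schema table, the user entry and the class name sunMembershipAux are constructed for the example; slapd's real check (entry_schema_check in servers/slapd/schema_check.c) is considerably more thorough.

```python
"""Toy model of slapd's objectClass schema check (added example, not OpenLDAP code).

Every non-operational attribute of an entry must be allowed (MUST or MAY) by
one of the entry's objectClasses, and every MUST of every objectClass must be
present.  Operational attributes (USAGE directoryOperation) are exempt, which
is why slapo-memberof's default memberOf never trips the check.
"""
from dataclasses import dataclass

OBJECT_CLASS_VIOLATION = 65  # LDAP resultCode objectClassViolation: the err=65 in the report


@dataclass(frozen=True)
class AttributeType:
    name: str
    operational: bool = False  # True models USAGE directoryOperation


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: frozenset = frozenset()
    may: frozenset = frozenset()


# Constructed schema: a few standard classes plus the two membership attributes.
ATTRIBUTE_TYPES = {
    "objectClass": AttributeType("objectClass"),
    "cn": AttributeType("cn"),
    "sn": AttributeType("sn"),
    "uniqueMember": AttributeType("uniqueMember"),
    # slapo-memberof's default attribute: operational, so no class needs to list it
    "memberOf": AttributeType("memberOf", operational=True),
    # Sun's isMemberOf from the report: an ordinary user attribute
    "isMemberOf": AttributeType("isMemberOf"),
}

OBJECT_CLASSES = {
    "top": ObjectClass("top", must=frozenset({"objectClass"})),
    "person": ObjectClass("person", must=frozenset({"sn", "cn"})),
    "groupOfUniqueNames": ObjectClass("groupOfUniqueNames",
                                      must=frozenset({"cn", "uniqueMember"})),
    # Hypothetical auxiliary class: the fix suggested in comment 2
    "sunMembershipAux": ObjectClass("sunMembershipAux", may=frozenset({"isMemberOf"})),
}


def schema_check(entry):
    """Return (0, 'ok') or (65, reason) for a dict of attribute -> list of values."""
    classes = [OBJECT_CLASSES[c] for c in entry.get("objectClass", [])]
    allowed = set()
    for oc in classes:
        allowed |= oc.must | oc.may
    for attr in entry:
        if ATTRIBUTE_TYPES[attr].operational:
            continue  # operational attributes bypass the objectClass rules
        if attr not in allowed:
            return OBJECT_CLASS_VIOLATION, f"attribute '{attr}' not allowed"
    for oc in classes:
        for required in oc.must:
            if required not in entry:
                return OBJECT_CLASS_VIOLATION, f"object class '{oc.name}' requires '{required}'"
    return 0, "ok"


def memberof_value_modify(entry, memberof_ad, group_dn):
    """Model of the overlay adding group_dn to the configured attribute of a member.

    Returns (code, entry): the updated entry on success, the untouched one on a
    schema failure, mirroring the modify being refused by the backend.
    """
    updated = {k: list(v) for k, v in entry.items()}
    updated.setdefault(memberof_ad, []).append(group_dn)
    code, _ = schema_check(updated)
    return code, (updated if code == 0 else entry)


# Constructed member entry standing in for cn=La Valko,ou=Peons,dc=example,dc=com
USER_ENTRY = {"objectClass": ["top", "person"], "cn": ["La Valko"], "sn": ["Valko"]}
GROUP_DN = "cn=mygroup,dc=example,dc=com"


def demo():
    """Run the three cases and return {case: result code}."""
    results = {}
    # default memberof-memberof-ad: operational memberOf, passes
    results["memberOf"] = memberof_value_modify(USER_ENTRY, "memberOf", GROUP_DN)[0]
    # the report: isMemberOf is a user attribute that no class of the entry allows
    results["isMemberOf"] = memberof_value_modify(USER_ENTRY, "isMemberOf", GROUP_DN)[0]
    # comment 2's fix: give the entry an auxiliary class that MAYs isMemberOf
    fixed = dict(USER_ENTRY, objectClass=USER_ENTRY["objectClass"] + ["sunMembershipAux"])
    results["isMemberOf+aux"] = memberof_value_modify(fixed, "isMemberOf", GROUP_DN)[0]
    return results


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case:16s} -> err={code}")
```

In a real deployment the sunMembershipAux line corresponds to an AUXILIARY objectclass definition in the slapd schema that lists isMemberOf under MAY (with an OID from your own arc), and each member entry must carry that class before the overlay can write to it; the operational-attribute route comment 2 mentions needs the dsaschema contrib overlay instead.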