(ITS#8825) slapo-memberof: memberof-memberof-ad doesn't work correctly

Full_Name: Quanah Gibson-Mount
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

Per the slapo-memberof man page, you can define a different attribute than
"memberOf" to hold the group membership information for an entry.

However, this fails due to the fact that when a different attribute is used,
slapd applies objectClass rule requirements to the entry.  slapd does *not* do
this when the default value of "memberOf" is used.

Example config:

 overlay memberof
 memberof-group-oc groupofuniquenames
 memberof-member-ad uniquemember
 memberof-memberof-ad ismemberof

Example schema:

attributetype ( 2.15.930.3.234225.3.1
        NAME 'isMemberOf'
        DESC 'Sun defined attribute type'
        EQUALITY distinguishedNameMatch
        X-ORIGIN 'Sun Directory Server' )

Create a group:

 dn: cn=mygroup,dc=example,dc=com
 objectClass: top
 objectClass: groupOfUniqueNames
 cn: mygroup
 uniqueMember: cn=La Valko,ou=Peons,dc=example,dc=com

Group creates OK, but:

slapd[5149]: Entry (cn=La Valko,ou=Peons,dc=example,dc=com), attribute
'isMemberOf' not allowed
slapd[5149]: entry failed schema check: attribute 'isMemberOf' not allowed
slapd[5149]: conn=1000 op=19: memberof_value_modify DN="cn=la
valko,ou=peons,dc=example,dc=com" add isMemberOf="cn=mygroup,dc=example,dc=com"
failed err=65
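
An added example, not part of the original report or of OpenLDAP: a small log check that finds failed `memberof_value_modify` updates (err=65 is LDAP objectClassViolation) and lists which group memberships were never written back to the member entry, which matters wherever access decisions read that attribute. The sample input reproduces the report's log lines with mail-style wrapping plus one constructed line; the function names and the regular expression are assumptions modelled on that single log line.

```python
import re
from collections import defaultdict

# Sample input: the report's log lines (wrapped), plus one constructed unrelated line.
SAMPLE_LOG = '''\
slapd[5149]: Entry (cn=La Valko,ou=Peons,dc=example,dc=com), attribute
'isMemberOf' not allowed
slapd[5149]: entry failed schema check: attribute 'isMemberOf' not allowed
slapd[5149]: conn=1000 op=19: memberof_value_modify DN="cn=la
valko,ou=peons,dc=example,dc=com" add isMemberOf="cn=mygroup,dc=example,dc=com"
failed err=65
slapd[5149]: conn=1001 fd=12 closed
'''

PREFIX = re.compile(r'^slapd\[\d+\]: ')
# Assumed pattern, derived from the one failure line shown in the report.
FAILURE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+): memberof_value_modify '
    r'DN="(?P<member>[^"]*)" (?P<action>\w+) '
    r'(?P<attr>[\w;-]+)="(?P<group>[^"]*)" failed err=(?P<err>\d+)'
)

def unwrap(text):
    """Re-join records that a mail client or pager wrapped across lines."""
    records = []
    for line in text.splitlines():
        if PREFIX.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += ' ' + line.strip()
    return records

def find_memberof_failures(text):
    """Return one dict per failed back-reference update by the overlay."""
    hits = []
    for record in unwrap(text):
        m = FAILURE.search(record)
        if m:
            hit = m.groupdict()
            hit['err'] = int(hit['err'])
            hits.append(hit)
    return hits

def stale_memberships(failures):
    """Map group DN -> member DNs whose membership attribute was not updated."""
    stale = defaultdict(set)
    for f in failures:
        stale[f['group'].lower()].add(f['member'].lower())
    return {g: sorted(m) for g, m in stale.items()}
```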