On Fri, 2008-01-11 at 17:57 +0100, Pierangelo Masarati wrote: > Andrew Bartlett wrote: > > One of the odd things I've noticed since moving to OpenLDAP managing > > memberOf is that memberOf is a hidden attribute by default. Is that > > because it is treated as operational (due to being managed by the > > module)? > > > > I can un-hide it for Samba (I have code that adds a list of attributes > > to any query for *), but I just wanted to check there wasn't a more > > elegant way to do it. > > It is hidden because, due to design considerations, the memberof (or any > reverse membership link) has to be operational, and OpenLDAP does only > return user attributes if the attribute list is empty or equal to "*". > > I think it MUST be operational because any class of entries must be > allowed to be listed as member of a group; thus, the memberOf attribute > has to be allowed by any objectClass. The only valid option would have > been to add the extensibleObject class to all group members, and I > didn't consider this a viable option. I was about to argue that memberOf should just be in the normal schema, and that normal schema checks should apply. But Microsoft puts 'memberOf' in their 'top', so aside from being hidden, it seems perfectly appropriate to be a operational attribute... > Moreover, it is by no means a > user attribute, since it is maintained by the DSA (and the user must not > be allowed to much with it). > > For those reasons, I believe returning it by default has to be an > option, since it seems definitely appropriate to require a client to > explicitly request it. If there is a way to make it appear by default, I would appreciate it. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.
Description: This is a digitally signed message part