
Re: memberOf hidden?



Andrew Bartlett wrote:
> On Tue, 2008-01-15 at 21:46 -0800, Quanah Gibson-Mount wrote:
>> --On Wednesday, January 16, 2008 4:31 PM +1100 Andrew Bartlett 
>> <abartlet@samba.org> wrote:
>>
>>
>>> Then it just works, and I don't have to do an extra fish for this
>>> particular operational attribute.
>> I'm somewhat curious why "memberOf" the attribute would be operational. 
>> "member" isn't, and it is of a similar vein..
> 
> In the AD aggregate schema they are marked:
> 
> attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX
> '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )
> attributeTypes: ( 2.5.4.31 NAME 'member' SYNTAX
> '1.3.6.1.4.1.1466.115.121.1.12' )
> 
> 'memberOf' is the end that is calculated, while 'member' is the end
> being modified by the administrator. 

I wanted the attribute playing the role of "memberOf" operational for
two reasons:

- so that it can apply to any object without the need to be allowed by
its objectClass chain and without the need to add the extensibleObject
class, or the need to define and add an extra "canBeMemberOfGroup" class

- because it is managed by the DSA

There are other solutions, like the one I mentioned in the first place.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
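
The two reasons given in the message above, as an added sketch that is not part of the original post or of OpenLDAP's code: a DSA-managed attribute passes the objectClass check on any entry, and a client write to it is refused. The object class sets, helper names, and the rule treating `NO-USER-MODIFICATION` as a marker of an operational attribute are assumptions made for illustration.

```python
import re

# Definitions quoted in the thread (AD aggregate schema).
QUOTED = [
    "( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX "
    "'1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )",
    "( 2.5.4.31 NAME 'member' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )",
]

def parse(defn):
    """Extract the fields this sketch needs from an attributeTypes value."""
    name = re.search(r"NAME\s+'([^']+)'", defn).group(1)
    usage = re.search(r"USAGE\s+(\w+)", defn)
    return name.lower(), {
        "no_user_mod": "NO-USER-MODIFICATION" in defn,
        "usage": usage.group(1) if usage else "userApplications",
    }

ATTRS = dict(parse(d) for d in QUOTED)
# Attributes without a parsed definition are treated as plain user attributes.
USER_ATTR = {"no_user_mod": False, "usage": "userApplications"}

# Constructed, simplified MUST/MAY sets; not the full standard definitions.
CLASSES = {"device": {"cn", "description"}, "groupOfNames": {"cn", "member"}}

def dsa_managed(attr):
    # Assumption: NO-USER-MODIFICATION or a non-default USAGE marks the
    # attribute as operational, i.e. maintained by the DSA.
    a = ATTRS.get(attr.lower(), USER_ATTR)
    return a["no_user_mod"] or a["usage"] != "userApplications"

def schema_violations(object_classes, attrs):
    """Attributes the objectClass chain does not allow on this entry."""
    if "extensibleObject" in object_classes:
        return []  # extensibleObject admits any user attribute
    allowed = set().union(*(CLASSES.get(c, set()) for c in object_classes))
    # DSA-managed attributes are exempt from the objectClass check.
    return [a for a in attrs
            if not dsa_managed(a) and a.lower() not in allowed]

def client_may_write(attr):
    """False when the definition carries NO-USER-MODIFICATION."""
    return not ATTRS.get(attr.lower(), USER_ATTR)["no_user_mod"]
```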