Full_Name: Quanah Gibson-Mount
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)


Per the slapo-memberof man page, you can define a different attribute than "memberOf" to hold the group membership information for an entry.

However, this fails due to the fact that when a different attribute is used, slapd applies objectClass rule requirements to the entry. slapd does *not* do this when the default value of "memberOf" is used.

Example config:

overlay memberof
memberof-group-oc groupofuniquenames
memberof-member-ad uniquemember
memberof-memberof-ad ismemberof

Example schema:

attributetype ( 2.15.930.3.234225.3.1
  NAME 'isMemberOf'
  DESC 'Sun defined attribute type'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-ORIGIN 'Sun Directory Server' )

Create a group:

dn: cn=mygroup,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: mygroup
uniqueMember: cn=La Valko,ou=Peons,dc=example,dc=com

Group creates OK, but:

slapd[5149]: Entry (cn=La Valko,ou=Peons,dc=example,dc=com), attribute 'isMemberOf' not allowed
slapd[5149]: entry failed schema check: attribute 'isMemberOf' not allowed
slapd[5149]: conn=1000 op=19: memberof_value_modify DN="cn=la valko,ou=peons,dc=example,dc=com" add isMemberOf="cn=mygroup,dc=example,dc=com" failed err=65
quanah@openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.239)
>
>
> Per the slapo-memberof man page, you can define a different attribute than
> "memberOf" to hold the group membership information for an entry.
>
> However, this fails due to the fact that when a different attribute is used,
> slapd applies objectClass rule requirements to the entry. slapd does *not* do
> this when the default value of "memberOf" is used.

That's because memberOf is an operational attribute, so objectclass requirements don't apply. If you want to use some other attribute, make sure the schema allows it in the relevant entries, or use an operational attribute.

Not a bug. Closing this ITS.

>
> Example config:
>
> overlay memberof
> memberof-group-oc groupofuniquenames
> memberof-member-ad uniquemember
> memberof-memberof-ad ismemberof
>
> Example schema:
>
> attributetype ( 2.15.930.3.234225.3.1
>   NAME 'isMemberOf'
>   DESC 'Sun defined attribute type'
>   EQUALITY distinguishedNameMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>   X-ORIGIN 'Sun Directory Server' )
>
> Create a group:
>
> dn: cn=mygroup,dc=example,dc=com
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: mygroup
> uniqueMember: cn=La Valko,ou=Peons,dc=example,dc=com
>
> Group creates OK, but:
>
> slapd[5149]: Entry (cn=La Valko,ou=Peons,dc=example,dc=com), attribute
> 'isMemberOf' not allowed
> slapd[5149]: entry failed schema check: attribute 'isMemberOf' not allowed
> slapd[5149]: conn=1000 op=19: memberof_value_modify DN="cn=la
> valko,ou=peons,dc=example,dc=com" add isMemberOf="cn=mygroup,dc=example,dc=com"
> failed err=65
>

-- 
Howard Chu
CTO, Symas Corp.           http://www.symas.com
Director, Highland Sun     http://highlandsun.com/hyc/
Chief Architect, OpenLDAP  http://www.openldap.org/project/
--On Wednesday, March 28, 2018 1:14 AM +0100 Howard Chu <hyc@symas.com> wrote:

> That's because memberOf is an operational attribute, so objectclass
> requirements don't apply. If you want to use some other attribute, make
> sure the schema allows it in the relevant entries, or use an operational
> attribute.
>
> Not a bug. Closing this ITS.

For historical purposes, it is a bit more complex than this. It is not possible to include an operational attribute via the normal schema methods. This depends on the "dsaschema" contrib overlay. That contrib overlay requires development to support cn=config.

The alternative to using an operational attribute is to have a custom objectClass where the custom attribute desired is defined as an optional ("MAY") attribute.

--Quanah

-- 
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
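The following LDIF is an added example, not part of the ITS thread or of OpenLDAP's own schema, showing the workaround described in the last two messages: keep the reporter's isMemberOf attribute type (its OID is the one from the report) and define a custom AUXILIARY objectClass that lists it under MAY, so that the memberof overlay's write no longer fails schema checking. The objectClass OID (1.3.6.1.4.1.99999.1.1.1), the objectClass name isMemberOfHolder, and the schema entry name cn=ismemberof are placeholders chosen for this example and must be replaced with values from your own OID arc.

```ldif
# Added example (not from the ITS thread). Step 1: load the attribute type
# and a permitting auxiliary objectClass into cn=config.
# Load with:  ldapadd -Y EXTERNAL -H ldapi:/// -f schema.ldif
dn: cn=ismemberof,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ismemberof
olcAttributeTypes: ( 2.15.930.3.234225.3.1
  NAME 'isMemberOf'
  DESC 'Sun defined attribute type'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-ORIGIN 'Sun Directory Server' )
# Placeholder OID and name: pick values from your own private arc.
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.1.1
  NAME 'isMemberOfHolder'
  DESC 'Auxiliary class that permits isMemberOf on any entry (example only)'
  SUP top AUXILIARY
  MAY isMemberOf )

# Step 2: every entry that can appear as a uniqueMember needs the auxiliary
# class BEFORE the group is created; otherwise slapd still rejects the
# overlay's add of isMemberOf with err=65 (objectClassViolation), exactly
# as in the report. Apply with:  ldapmodify -x -D <rootdn> -W -f member.ldif
dn: cn=La Valko,ou=Peons,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: isMemberOfHolder

# Step 3: now the group from the report can be added and the overlay's
# reverse write succeeds.
dn: cn=mygroup,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: mygroup
uniqueMember: cn=La Valko,ou=Peons,dc=example,dc=com
```

Two practical caveats with this route. First, the three change records above have to be applied in the order shown and to the right targets: the schema goes to cn=config via the ldapi/EXTERNAL administrative bind, while the entry modifications go to the data backend. Second, unlike the built-in memberOf, a user-defined attribute added this way is an ordinary user attribute, so it is returned by default searches and is writable under whatever ACLs cover the member entry; if users have write access to their own entries (for example a broad "by self write" rule), they could assert membership by setting isMemberOf themselves. Add an ACL that restricts writes to isMemberOf, or give the attribute type NO-USER-MODIFICATION and the USAGE that makes it operational, which is the dsaschema-dependent path Quanah describes above.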