[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8825) slapo-memberof: memberof-memberof-ad doesn't work correctly

To: openldap-its@OpenLDAP.org
Subject: (ITS#8825) slapo-memberof: memberof-memberof-ad doesn't work correctly
From: quanah@openldap.org
Date: Tue, 27 Mar 2018 22:49:52 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Quanah Gibson-Mount
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)


Per the slapo-memberof man page, you can define a different attribute than
"memberOf" to hold the group membership information for an entry.

However, this fails due to the fact that when a different attribute is used,
slapd applies objectClass rule requirements to the entry.  slapd does *not* do
this when the default value of "memberOf" is used.

Example config:

 overlay memberof
 memberof-group-oc groupofuniquenames
 memberof-member-ad uniquemember
 memberof-memberof-ad ismemberof

Example schema:

attributetype ( 2.15.930.3.234225.3.1
        NAME 'isMemberOf'
        DESC 'Sun defined attribute type'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        X-ORIGIN 'Sun Directory Server' )

Create a group:

 dn: cn=mygroup,dc=example,dc=com
 objectClass: top
 objectClass: groupOfUniqueNames
 cn: mygroup
 uniqueMember: cn=La Valko,ou=Peons,dc=example,dc=com

Group creates OK, but:

slapd[5149]: Entry (cn=La Valko,ou=Peons,dc=example,dc=com), attribute
'isMemberOf' not allowed
slapd[5149]: entry failed schema check: attribute 'isMemberOf' not allowed
slapd[5149]: conn=1000 op=19: memberof_value_modify DN="cn=la
valko,ou=peons,dc=example,dc=com" add isMemberOf="cn=mygroup,dc=example,dc=com"
failed err=65

Prev by Date: (ITS#8824) openldap-2.4.46/libraries/liblmdb/mdb_dump.c:136]: (style) Suspicious condition
Next by Date: Re: (ITS#8825) slapo-memberof: memberof-memberof-ad doesn't work correctly
Index(es):
- Chronological
- Thread