
Re: (ITS#8825) slapo-memberof: memberof-memberof-ad doesn't work correctly



quanah@openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.45
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.239)
> 
> 
> Per the slapo-memberof man page, you can define a different attribute than
> "memberOf" to hold the group membership information for an entry.
> 
> However, this fails due to the fact that when a different attribute is used,
> slapd applies objectClass rule requirements to the entry.  slapd does *not* do
> this when the default value of "memberOf" is used.

That's because memberOf is an operational attribute, so objectclass 
requirements don't apply. If you want to use some other attribute, make sure 
the schema allows it in the relevant entries, or use an operational attribute.

Not a bug. Closing this ITS.
> 
> Example config:
> 
>   overlay memberof
>   memberof-group-oc groupofuniquenames
>   memberof-member-ad uniquemember
>   memberof-memberof-ad ismemberof
> 
> Example schema:
> 
> attributetype ( 2.15.930.3.234225.3.1
>          NAME 'isMemberOf'
>          DESC 'Sun defined attribute type'
>          EQUALITY distinguishedNameMatch
>          SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>          X-ORIGIN 'Sun Directory Server' )
> 
> Create a group:
> 
>   dn: cn=mygroup,dc=example,dc=com
>   objectClass: top
>   objectClass: groupOfUniqueNames
>   cn: mygroup
>   uniqueMember: cn=La Valko,ou=Peons,dc=example,dc=com
> 
> Group creates OK, but:
> 
> slapd[5149]: Entry (cn=La Valko,ou=Peons,dc=example,dc=com), attribute
> 'isMemberOf' not allowed
> slapd[5149]: entry failed schema check: attribute 'isMemberOf' not allowed
> slapd[5149]: conn=1000 op=19: memberof_value_modify DN="cn=la
> valko,ou=peons,dc=example,dc=com" add isMemberOf="cn=mygroup,dc=example,dc=com"
> failed err=65
> 
> 
> 
> 


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
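
The two options named in the reply, sketched as slapd.conf schema fragments. This is an added example, not part of the original messages or of the OpenLDAP project's own schema; the class name `memberOfHolder` and its OID are constructed placeholders, and the attribute definition is the one from the report.

```conf
# Option 1: declare the attribute operational, so objectClass
# requirements are not applied to it (as with the default memberOf).
# Same definition as in the report, with a USAGE clause added.
attributetype ( 2.15.930.3.234225.3.1
         NAME 'isMemberOf'
         DESC 'Sun defined attribute type'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
         USAGE directoryOperation
         X-ORIGIN 'Sun Directory Server' )

# Option 2: keep isMemberOf as a user attribute (definition unchanged
# from the report) and let the schema allow it in the member entries
# through an auxiliary class.
# Name and OID below are constructed placeholders.
objectclass ( 1.1.2.2.1
         NAME 'memberOfHolder'
         DESC 'Allows isMemberOf in member entries'
         SUP top AUXILIARY
         MAY isMemberOf )

# With option 2, every entry that can appear in uniqueMember must carry
# the class before the overlay writes to it, for example:
#   dn: cn=La Valko,ou=Peons,dc=example,dc=com
#   changetype: modify
#   add: objectClass
#   objectClass: memberOfHolder
```

The two options are alternatives, not steps. With option 1 the attribute behaves like any operational attribute and is returned by a search only when requested by name or with `+`.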