inetOrgPerson with member or memberOf?

ldap openldap
16,617

Solution 1

If you're using OpenLDAP you need to use the 'memberof' overlay, which maintains a real 'memberOf' attribute among the operational attributes.

Note that it won't affect memberships that already exist, only new ones from when you first load the overlay. See the OpenLDAP documentation.

Solution 2

Depending on the server in use, memberOf might be a virtual attribute and would not be listed in the entry, but rather is generated by the server. Some other servers use isMemberOf instead of memberOf. memberOf or isMemberOf would be generated upon request by server.

One could search:

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(memberOf=cn=users,o=foo,dc=example,dc=com)'

or

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(isMemberOf=cn=users,o=foo,dc=example,dc=com)'

to get the distinguished names that are members of cn=users,o=foo,dc=example,dc=com.

To get the groups of which a known distinguished name is a member:

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(cn=Joe User)' isMemberOf

or

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(cn=Joe User)' memberOf

The object class violation occurs because groupofNames and inetOrgPerson are both structural object classes. Only one structural object class is permitted per object. Some broken directory servers (DSEE for example) will allow multiple structural object classes per object, though. In one of your examples it appears the person and inetOrgPerson are in the same object together, this is a different case because inetOrgPerson is a descendant of person.

Share:
16,617

Related videos on Youtube

Roman C
Author by

Roman C

Programming Java If you need to read more about me you'd read my profile on linkedin.com.

Updated on June 04, 2022

Comments

  • Roman C
    Roman C almost 2 years

    What works

    Suppose I have inetOrgPersons in ou=people,dc=example,dc=com. Example:

    dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson (structural)
objectClass: person (structural)
objectClass: top (abstract)
cn: John Doe
sn: Doe
givenName: John
mail: [email protected]
uid: john.doe

    In addition I have several organizations:

    dn: o=foo,dc=example,dc=com
objectClass: organization (structural)
objectClass:top (abstract)
o: foo

dn: o=bar,dc=example,dc=com
objectClass: organization (structural)
objectClass:top (abstract)
o: bar

    For each organization there is a groupOfNames:

    dn: cn=users,o=foo,dc=example,dc=com
objectClass:groupOfNames (structural)
cn: users
member: cn=John Doe,ou=people,dc=example,dc=com

dn: cn=users,o=bar,dc=example,dc=com
objectClass:groupOfNames (structural)
cn: users

    As you can see, cn=John Doe,ou=people,dc=example,dc=com is listed as a member of cn=users,o=foo,dc=example,dc=com but not of dn: cn=users,o=bar,dc=example,dc=com.

    Problem

    I want to note membership at the inetOrgPersons, too.

    memberOf is not in the schemas I currently use for a user. Is there any schema available that provides memberOf?

    member is part of groupOfNames but this objectClass conflicts with inetOrgPerson:

    [LDAP: error code 65 - invalid structural object class chain (inetOrgPerson/groupOfNames)]

    Question

    How can I note the membership in cn=users,o=foo,dc=example,dc=com on cn=John Doe,ou=people,dc=example,dc=com?

  • Admin
    Admin over 10 years
    Thank you for your answer, it helps me to understand more about LDAP :) OpenLDAP 2.3 seems not support these virtual attributes. Both member and isMemberOf return nothing in both kinds of searches.
  • Terry Gardner
    Terry Gardner over 10 years
    I'm almost sure it does support one of those, it might be an overlay. Consult the OpenLDAP docs.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What are the other alternative to test a LDAP connection on linux machine
Nested Group LDAP Search Filter
How to add rights to an user with olcAccess, in an OpenLDAP 2.4
I need to find out disabled users from ldap
Is there an LDAP standard group membership attribute for users?
Decrypting OpenLDAP passwords
LDAPSEARCH into table format
Python ldap3 LDAPSocketOpenError unable to send message, socket is not open
Using LDAPSEARCH to return all Groups and OU's in an Active Directory domain
Ubuntu 13.04: LDAP invalid credentials