inetOrgPerson with member or memberOf?
What works

Suppose I have inetOrgPersons in ou=people,dc=example,dc=com. Example:

dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson (structural)
objectClass: person (structural)
objectClass: top (abstract)
cn: John Doe
sn: Doe
givenName: John
mail: [email protected]
uid: john.doe

In addition I have several organizations:

dn: o=foo,dc=example,dc=com
objectClass: organization (structural)
objectClass:top (abstract)
o: foo

dn: o=bar,dc=example,dc=com
objectClass: organization (structural)
objectClass:top (abstract)
o: bar

For each organization there is a groupOfNames:

dn: cn=users,o=foo,dc=example,dc=com
objectClass:groupOfNames (structural)
cn: users
member: cn=John Doe,ou=people,dc=example,dc=com

dn: cn=users,o=bar,dc=example,dc=com
objectClass:groupOfNames (structural)
cn: users

As you can see, cn=John Doe,ou=people,dc=example,dc=com is listed as a member of cn=users,o=foo,dc=example,dc=com but not of cn=users,o=bar,dc=example,dc=com.

Problem

I want to note membership at the inetOrgPersons, too.

memberOf is not in the schemas I currently use for a user. Is there any schema available that provides memberOf?

member is part of groupOfNames but this objectClass conflicts with inetOrgPerson:

[LDAP: error code 65 - invalid structural object class chain (inetOrgPerson/groupOfNames)]

Question

How can I note the membership in cn=users,o=foo,dc=example,dc=com on cn=John Doe,ou=people,dc=example,dc=com?

Melinamelinda answered 5/12, 2013 at 10:45 Comment(0)

If you're using OpenLDAP you need to use the 'memberof' overlay, which maintains a real 'memberOf' attribute among the operational attributes.

Note that it won't affect memberships that already exist, only new ones from when you first load the overlay. See the OpenLDAP documentation.

Houseman answered 5/12, 2013 at 21:49 Comment(0)

Depending on the server in use, memberOf might be a virtual attribute that is not stored in the entry but is generated by the server. Some other servers use isMemberOf instead of memberOf. memberOf or isMemberOf would be generated upon request by the server.

One could search:

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(memberOf=cn=users,o=foo,dc=example,dc=com)'

or

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(isMemberOf=cn=users,o=foo,dc=example,dc=com)'

to get the distinguished names that are members of cn=users,o=foo,dc=example,dc=com.

To get the groups of which a known distinguished name is a member:

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(cn=Joe User)' isMemberOf

or

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(cn=Joe User)' memberOf

The object class violation occurs because groupOfNames and inetOrgPerson are both structural object classes. Only one structural object class is permitted per object. Some broken directory servers (DSEE for example) will allow multiple structural object classes per object, though. In one of your examples it appears that person and inetOrgPerson are in the same object together; this is a different case because inetOrgPerson is a descendant of person.

Hobbledehoy answered 5/12, 2013 at 11:1 Comment(2)
Thank you for your answer, it helps me to understand more about LDAP :) OpenLDAP 2.3 seems not to support these virtual attributes. Both member and isMemberOf return nothing in both kinds of searches. Melinamelinda
I'm almost sure it does support one of those, it might be an overlay. Consult the OpenLDAP docs. Hobbledehoy
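Added example (not code from the question or either answer): both answers rely on memberOf being the inverse of the groups' member attribute, and the memberof overlay only maintains it for changes made after the overlay is loaded. The script below inverts member values from a constructed LDIF export of the question's groups into a per-user memberOf view and reports which memberOf values an entry is missing or carrying stale, so a directory can be checked for consistency before anything authorizes on memberOf. The parser is deliberately minimal: no continuation lines and no base64 (::) values. The user DNs besides John Doe are constructed.

```python
from collections import defaultdict

# Constructed LDIF mirroring the question's groups (plus one extra member);
# in practice this would be an ldapsearch export of the groupOfNames entries.
GROUPS_LDIF = """\
dn: cn=users,o=foo,dc=example,dc=com
objectClass: groupOfNames
cn: users
member: cn=John Doe,ou=people,dc=example,dc=com

dn: cn=users,o=bar,dc=example,dc=com
objectClass: groupOfNames
cn: users
member: cn=Jane Roe,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr(lowercase): [values]}} for simple entries."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def expected_memberof(entries):
    """Invert member -> memberOf; DNs are lower-cased for case-insensitive matching."""
    result = defaultdict(set)
    for group_dn, attrs in entries.items():
        for member_dn in attrs.get("member", []):
            result[member_dn.lower()].add(group_dn.lower())
    return result


def stale_memberof(user_dn, current_memberof, entries):
    """Return (missing, extra): memberOf values user_dn lacks / should not have."""
    expected = expected_memberof(entries).get(user_dn.lower(), set())
    current = {g.lower() for g in current_memberof}
    return sorted(expected - current), sorted(current - expected)


if __name__ == "__main__":
    groups = parse_ldif(GROUPS_LDIF)
    # John's entry carries no memberOf yet: the membership predates the overlay.
    print(stale_memberof("cn=John Doe,ou=people,dc=example,dc=com", [], groups))
```

A non-empty "missing" list for entries whose membership predates loading the overlay is the symptom the first answer warns about; re-adding those member values regenerates memberOf.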
