Brad Hartlove wrote:
> I have been trying to include the memberOf attribute in a new objectClass.
> If I just set it to "MAY" (for example), it complains about using an
> operational attribute in my definition. I have seen quite a few Q&As about
> this, but I am really trying to understand where this issue is
> originating. Maybe I haven't looked at the right one yet. OpenDJ has
> the ability to utilize it in custom classes, so I was hoping to be able to
> also do the same in OpenLDAP. Thoughts?

I think there's a lot of confusion about this attribute:

1. 'memberOf' appeared first in MS AD, where it's a simple back-link to the group entries the entry is a *direct* member of. In AD's schema it's not marked as an operational attribute, like all other operational attributes in AD. ;-)

2. OpenLDAP's slapo-memberof implements exactly the same behaviour as MS AD, but the attribute type description correctly marks it with dSAOperation.

3. SunDS, OpenDJ and 389-DS implement the same semantics, but IIRC they use the attribute 'isMemberOf'.

4. FreeIPA is abusing attribute 'memberOf' - with the same OID as in MS AD (yuck!) - as a normal user attribute to describe (server) group membership. For various reasons this sucks, but anyway...

=> I'd recommend defining your own custom attribute with clear semantics and not re-using 'memberOf' in your custom object class.

Or is there any reason why you insist on stepping into this trap?

Ciao, Michael.
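A concrete version of the recommendation above, as an added example that is not part of this thread and not code from the OpenLDAP project: a custom, user-modifiable attribute plus an auxiliary object class under a placeholder OID arc, alongside a slapo-memberof overlay configuration that leaves the operational 'memberOf' back-link to slapd. The OID arc 1.3.6.1.4.1.99999, the names exampleServerGroup/exampleHost, and the database DN olcDatabase={1}mdb are all assumptions for illustration.

```ldif
# Added example, not from the thread or the OpenLDAP project.
# 1.3.6.1.4.1.99999 is a PLACEHOLDER arc: substitute your own IANA-assigned
# private enterprise number before loading this anywhere.

# 1) Schema additions (load into cn=config as the config rootdn, e.g. with
#    ldapadd -Y EXTERNAL -H ldapi:///). The attribute has the default USAGE
#    userApplications, so the schema checker accepts it in MAY/MUST, unlike
#    'memberOf', which slapo-memberof defines with USAGE dSAOperation.
dn: cn=example,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: example
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1
  NAME 'exampleServerGroup'
  DESC 'Server group(s) an entry is assigned to; maintained by the application, not a back-link'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1
  NAME 'exampleHost'
  DESC 'Auxiliary class carrying application-maintained server group membership'
  SUP top AUXILIARY
  MAY exampleServerGroup )

# 2) Overlay configuration for the assumed database olcDatabase={1}mdb.
#    'memberOf' stays operational: slapd derives it from groupOfNames/member
#    and it never appears in any user-defined object class.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOfConfig
olcOverlay: memberof
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
olcMemberOfRefInt: TRUE
```

The continuation lines inside the parenthesised definitions start with two spaces on purpose: LDIF strips exactly one leading space when joining folded lines, so a single space would glue the OID to the following keyword. If slapd was built with the overlay as a dynamic module, memberof.la must be loaded via olcModuleLoad under cn=module,cn=config before the second entry is added. The split keeps the two meanings apart, as the reply suggests: 'exampleServerGroup' is data the application writes and may legitimately differ from actual group membership, while 'memberOf' remains a server-maintained, read-only view of direct membership that clients cannot set and that access control can be reasoned about separately.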