I get everything you said. I also understand that this may be a valid
permissions issue. If the answer is "it isn't supposed to be done and the
server will prevent that", that is what I will go with. This is not my
first dance, but if I already knew every detail of LDAP's code, I wouldn't
be on this mailing list.
another LDAP's objectClass, so someone figured it out right, wrong, or
indifferent. I am not here to argue, so if that is what I go with, so be
it.
Brad Hartlove
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Friday, March 28, 2014 11:08 AM
To: Michael Ströder; brad.hartlove@g2-inc.com;
openldap-technical@openldap.org
Subject: Re: memberof in openldap
Michael Ströder wrote:
> Brad Hartlove wrote:
>> The core problem is why can I not add the operational attribute to my
>> custom objectclass.
>
> Operational attributes are simply not normal user attributes.
> If your LDAP client is supposed to alter an attribute via LDAP it has
> to be a user attribute. Period.

That's only a partial answer.

Brad, the answer is "go read the LDAP spec" - operational attributes are
never part of any objectclass definition, and the server is free to use
them in any entry regardless of objectclass.

The OpenLDAP manpages are not here to teach you the basics of LDAP. You're
expected to read the specs and know the basics of LDAP.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
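
The rule stated in the reply above, as an added example that is not part of the original thread and is not OpenLDAP code: a small Python lint that collects attribute types whose USAGE is anything other than userApplications from RFC 4512 schema text, then flags any objectclass that lists one in MUST or MAY. The schema lines are constructed, simplified samples; customPerson, plainPerson and their OIDs are hypothetical, and the regex parsing assumes no schema keywords appear inside DESC strings.

```python
import re

# Constructed, simplified sample definitions in RFC 4512 schema syntax.
# customPerson / plainPerson and the 1.3.6.1.4.1.99999 OIDs are hypothetical.
SAMPLE_SCHEMA = [
    "attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation NO-USER-MODIFICATION )",
    "attributetype ( 2.5.18.1 NAME 'createTimestamp' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 USAGE directoryOperation )",
    "attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'customPerson' SUP top AUXILIARY "
    "MUST cn MAY ( description $ memberOf ) )",
    "objectclass ( 1.3.6.1.4.1.99999.2.2 NAME 'plainPerson' SUP top AUXILIARY "
    "MUST cn MAY description )",
]

def names(defn):
    """All NAME values of one definition, lower-cased (LDAP names ignore case)."""
    m = re.search(r"\bNAME\s+(\(\s*[^)]*\)|'[^']*')", defn)
    return [n.lower() for n in re.findall(r"'([^']*)'", m.group(1))] if m else []

def attr_list(defn, keyword):
    """Attributes listed after MUST or MAY: a single name or a '$'-separated list."""
    m = re.search(rf"\b{keyword}\s+(\(\s*[^)]*\)|[\w.;-]+)", defn)
    if not m:
        return []
    return [a.lower() for a in re.split(r"[\s$()]+", m.group(1)) if a]

def operational_attrs(schema):
    """Names of attribute types whose USAGE is not userApplications (the default)."""
    ops = set()
    for defn in schema:
        if defn.lower().startswith("attributetype"):
            usage = re.search(r"\bUSAGE\s+(\w+)", defn)
            if usage and usage.group(1) != "userApplications":
                ops.update(names(defn))
    return ops

def lint_objectclasses(schema):
    """Return (objectclass, MUST|MAY, attribute) for each operational attribute listed."""
    ops = operational_attrs(schema)
    return [(names(defn)[0], kw, attr)
            for defn in schema if defn.lower().startswith("objectclass")
            for kw in ("MUST", "MAY")
            for attr in attr_list(defn, kw) if attr in ops]

if __name__ == "__main__":
    for oc, kw, attr in lint_objectclasses(SAMPLE_SCHEMA):
        print(f"{oc}: {kw} lists operational attribute {attr}")
```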