Re: Ldap challenge

To: Michael Ströder <michael@stroeder.com>, Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Subject: Re: Ldap challenge

From: Ludovic Poitou <ludovic.poitou@gmail.com>

Date: Tue, 28 Apr 2015 09:50:01 +0200

Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:message-id:in-reply-to:references:subject :mime-version:content-type; bh=2U8LZQSWOgFCHAXrjjMT/PQfW3yB36XJ3qFrvCUQRl4=; b=u5HRB+3ZpXEPj0fCc37cih4pOlX11cSUWdB2nKxUEbPMiaJ8xuRwFbLgwt4rMxzBe+ O+EFoqdNOhV3uinJyb13I12wlUJURsooz8Lv8RQCj2VBrZlHieZHIVi9f4knxgIragQz IURF2WqFC4Y8+cxDL57qsNDeIndrvGDyWpcebdMdrDZsyKvJH/NhpwGwO4sfHkEG4GCq 7fIIMxrOHKopzB5TBW/bDnidZTnX6+GV14cYEO+2p2sTByARiZHzlwpuKJFn9Nf6/CH4 c+a47hj0KpEdKyjJnjEqXfr3RcgHUBx6hiLfbXcjWJ6fKWhObDbzXkDxZyMiHWwiG+U6 yssA==

In-reply-to: <553E9F3F.3060209@stroeder.com>

References: <1429733256070.64524@emory.edu> <20150427160737.GA4937@slab.skills-1st.co.uk> <1430159215794.83285@emory.edu> <20150427190627.GO15774@slab.skills-1st.co.uk> <553E9F3F.3060209@stroeder.com>

Interesting how this question is hitting a number of different mailing lists…

Here’s an edited extract of an email I’ve sent yesterday on OpenDJ mailing list:

The memberOf attribute name was used by Microsoft Active Directory with specific semantic. There is no LDAP representation of the attribute definition, but details, including OID, can be found here: <https://msdn.microsoft.com/en-us/library/ms677099(v=vs.85).aspx>.

It was also used by a Sun product (Delegated Administration) with another definition and semantic.

This is why we choose in Sun Directory Server, OpenDS and now OpenDJ to have a properly defined attribute with a different name: isMemberOf, operational and read-only.

My 2 cents,

Ludo

--
Ludovic Poitou
http://ludopoitou.com

From: Michael Ströder <michael@stroeder.com>
Reply: Michael Ströder <michael@stroeder.com>>
Date: 27 Apr 2015 at 22:43:41
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>>
Subject: Re: Ldap challenge

Andrew Findlay wrote:
> On Mon, Apr 27, 2015 at 06:27:39PM +0000, Ross, Daniel B. wrote:
>
>> ismemberof does not exist we have to use memberof
>
> Memberof is fairly common. I don't think I have ever found a system
> that used 'ismemberof'.

'isMemberOf' is used on Sun/Oracle DSSE, Netscape/Fedora/389-DS and OpenDS/OpenDJ.

'memberOf' was originally defined in MS Active Directory and is used as
default in slapo-memberof. It's configurable though.

Ciao, Michael.

Follow-Ups:

Re: Ldap challenge
- From: Michael Ströder <michael@stroeder.com>

References:

Ldap challenge
- From: "Ross, Daniel B." <daniel.ross@emory.edu>
Re: Ldap challenge
- From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Re: Ldap challenge
- From: "Ross, Daniel B." <daniel.ross@emory.edu>
Re: Ldap challenge
- From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Re: Ldap challenge
- From: Michael Ströder <michael@stroeder.com>