
Re: memberOf

> Hello,
> I'm very new to [Open]LDAP (openldap-2.2.26-ubuntu2) and I'm trying to
> make it work with a simple Java application.
> I use the following schemas:
> include        	/etc/ldap/schema/core.schema
> include        	/etc/ldap/schema/cosine.schema
> include        	/etc/ldap/schema/nis.schema
> include        	/etc/ldap/schema/inetorgperson.schema
> include        	/etc/ldap/schema/java.schema
> and I'm populating it with this:
> # Define top-level entry
> dn: dc=localdomain
> objectClass: dcObject
> dc: localdomain
> # Define an entry to contain people
> dn: ou=people,dc=localdomain
> objectClass: organizationalUnit
> ou: people
> # Define a user entry for Pavel
> dn: uid=pavel,ou=people,dc=localdomain
> objectClass: inetOrgPerson
> uid: pavel
> sn: J
> cn: Pavel J
> mail: my@email.com
> userPassword: secret
> # Define an entry to contain LDAP groups
> dn: ou=groups,dc=localdomain
> objectClass: organizationalUnit
> ou: groups
> # Define an entry for the "users" group
> dn: cn=users,ou=groups,dc=localdomain
> objectClass: groupOfNames
> cn: users
> member: uid=pavel,ou=people,dc=localdomain
> # Define an entry for the "role1" group
> dn: cn=role1,ou=groups,dc=localdomain
> objectClass: groupOfNames
> cn: role1
> member: uid=pavel,ou=people,dc=localdomain
> But when I try to get attributes of uid=pavel,ou=people,dc=localdomain
> through a simple Java program or LDAP Browser
> (http://www-unix.mcs.anl.gov/~gawor/ldap/)
> or using:
> ldapsearch -x -D 'cn=Manager, dc=localdomain' -W -b 'ou=people,
> dc=localdomain' uid=pavel
> I never get the 'memberOf' attribute[s] back.
> Am I missing something in the configuration? Or is something wrong with
> the way I'm querying?

"memberOf" is not part of any standard track schema definition, so it is
unlikely that OpenLDAP's slapd can handle it.  Moreover, as you're not
populating the directory with values for the memberOf attribute, it is
very unlikely that you can find occurrences of it in the data.  The
directory acts according to the garbage-in garbage-out principle, only it
doesn't accept all types of garbage, it requires garbage to comply with

If you expect OpenLDAP slapd to implement some automatic update of
back-links to group membership you're on the wrong trail.  Applications
(in this case, those clients that feed the directory) are supposed to
maintain them.

There has been in the past some activity to implement that in an overlay,
so that it is the DSA itself, or rather an embedded client, that maintains
that type of consistency; that project hung on the lack of some design
issues and on the lack of atomicity in multiple write operations that
characterized slapd at that time.  I guess LDAP transactions under
development for HEAD should solve those issues.  You may try to implement
your own, or I could try and revitalize that project in my spare time
(which might be never based on my current availability of spare time...).


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
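The reply makes two points a client author has to act on: slapd 2.2 stores only the forward `member` links, so the back-link has to be derived on the client side, and the standard-schema way to answer "which groups is this entry in?" is a search over the groups with a `member=<dn>` filter. The script below is an added illustration, not code from this thread or from OpenLDAP. It reads a constructed LDIF (the poster's entries, separated by blank lines as LDIF requires), builds the reverse index, produces the escaped search filter, and emits the `changetype: modify` LDIF a feeding client would apply. It assumes a locally defined `memberOf` attribute type for the generated modify records (the reply notes no standard schema provides one) and uses a simplified DN normalisation (lowercase, whitespace around commas dropped) rather than full RFC 4514 handling.

```python
"""Client-side groupOfNames back-links (added example; not from the thread or OpenLDAP)."""
import base64
from collections import defaultdict

# Constructed sample: the poster's entries, with the blank lines LDIF requires between records.
SAMPLE_LDIF = """\
# Define top-level entry
dn: dc=localdomain
objectClass: dcObject
dc: localdomain

dn: ou=people,dc=localdomain
objectClass: organizationalUnit
ou: people

dn: uid=pavel,ou=people,dc=localdomain
objectClass: inetOrgPerson
uid: pavel
sn: J
cn: Pavel J

dn: ou=groups,dc=localdomain
objectClass: organizationalUnit
ou: groups

dn: cn=users,ou=groups,dc=localdomain
objectClass: groupOfNames
cn: users
member: uid=pavel,ou=people,dc=localdomain

dn: cn=role1,ou=groups,dc=localdomain
objectClass: groupOfNames
cn: role1
member: uid=pavel,ou=people,dc=localdomain
"""


def normalize_dn(dn):
    """Simplified DN normalisation (assumption): lowercase, no whitespace around RDN separators.
    Full RFC 4514 handling (escapes, multi-valued RDNs) is out of scope here."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader -> {normalized_dn: {attr_lower: [values]}}.
    Handles comments, folded lines and base64 ('::') values; not change records."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]          # continuation of the previous line
        else:
            folded.append(raw)
    entries, current = {}, None
    for line in folded + [""]:             # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[normalize_dn(current["dn"][0])] = current
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value)
    return entries


def member_of_index(entries):
    """Reverse index: member DN -> sorted group DNs. This is the back-link the
    directory does not compute and the feeding application must maintain."""
    index = defaultdict(set)
    for attrs in entries.values():
        classes = {oc.lower() for oc in attrs.get("objectclass", [])}
        if "groupofnames" not in classes:
            continue
        for member in attrs.get("member", []):
            index[normalize_dn(member)].add(attrs["dn"][0])
    return {m: sorted(g) for m, g in index.items()}


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: backslash, '*', '(', ')' and NUL
    become \\XX, so a DN or user-supplied string cannot alter the filter."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def membership_filter(member_dn):
    """Standard-schema query for the groups that list member_dn."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(member_dn)


def memberof_modify_ldif(index, entries):
    """LDIF modify records writing the derived back-links into a locally defined
    memberOf attribute (assumed to exist in the server's schema)."""
    records = []
    for key in sorted(index):
        if key not in entries:
            continue                        # dangling member reference: do not invent an entry
        lines = ["dn: %s" % entries[key]["dn"][0], "changetype: modify", "replace: memberOf"]
        lines += ["memberOf: %s" % group for group in index[key]]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    links = member_of_index(parsed)
    print(membership_filter("uid=pavel,ou=people,dc=localdomain"))
    print(memberof_modify_ldif(links, parsed))
```

The escaping in `membership_filter` is the part worth keeping even if you never store `memberOf`: a DN taken from user input and spliced raw into `(member=...)` can change the filter's meaning, whereas the escaped form is always a literal comparison.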