Question

What works

Suppose I have inetOrgPersons in ou=people,dc=example,dc=com. Example:

dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson (structural)
objectClass: person (structural)
objectClass: top (abstract)
cn: John Doe
sn: Doe
givenName: John
mail: john.doe@example.com
uid: john.doe

In addition I have several organizations:

dn: o=foo,dc=example,dc=com
objectClass: organization (structural)
objectClass: top (abstract)
o: foo

dn: o=bar,dc=example,dc=com
objectClass: organization (structural)
objectClass: top (abstract)
o: bar

For each organization there is a groupOfNames:

dn: cn=users,o=foo,dc=example,dc=com
objectClass: groupOfNames (structural)
cn: users
member: cn=John Doe,ou=people,dc=example,dc=com

dn: cn=users,o=bar,dc=example,dc=com
objectClass: groupOfNames (structural)
cn: users

As you can see, cn=John Doe,ou=people,dc=example,dc=com is listed as a member of cn=users,o=foo,dc=example,dc=com but not of cn=users,o=bar,dc=example,dc=com.

Problem

I want to note membership at the inetOrgPersons, too.

memberOf is not in the schemas I currently use for a user. Is there any schema available that provides memberOf?

member is part of groupOfNames but this objectClass conflicts with inetOrgPerson:

[LDAP: error code 65 - invalid structural object class chain (inetOrgPerson/groupOfNames)]

Question

How can I note the membership in cn=users,o=foo,dc=example,dc=com on cn=John Doe,ou=people,dc=example,dc=com?


Solution

If you're using OpenLDAP you need to use the 'memberof' overlay, which maintains a real 'memberOf' attribute among the operational attributes.

Note that it won't affect memberships that already exist, only new ones from when you first load the overlay. See the OpenLDAP documentation.
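One way to set this up on OpenLDAP with the cn=config backend, as an added example that is not part of the original answer. It assumes the data database is olcDatabase={1}mdb, that dynamic modules are configured under cn=module{0},cn=config (a statically linked memberof needs no olcModuleLoad), and the DNs from the question; adjust all of these to your deployment:

```ldif
# Part 1: load the module and attach the overlay to the data database.
# Apply with the config root identity, e.g.:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof-overlay.ldif
# (assumed DNs: cn=module{0},cn=config and olcDatabase={1}mdb,cn=config)
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
# group object class and the attribute that lists members (question's schema)
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
# operational attribute maintained on the member entries
olcMemberOfMemberOfAD: memberOf
# keep referential integrity: deleting a user removes it from groups
olcMemberOfRefInt: TRUE
# what to do when a member DN does not exist: ignore, drop or error
olcMemberOfDangling: ignore

# Part 2: re-touch a membership that existed before the overlay was loaded,
# so memberOf gets populated on the user entry. Apply this file with a bind
# that may write to the group, e.g. the database rootdn.
dn: cn=users,o=foo,dc=example,dc=com
changetype: modify
delete: member
member: cn=John Doe,ou=people,dc=example,dc=com
-
add: member
member: cn=John Doe,ou=people,dc=example,dc=com
```

The delete-then-add in part 2 is the reason for the caveat above: the overlay only reacts to write operations it sees after it is loaded, and bulk loads via slapadd bypass it as well, so pre-existing memberships must be re-applied through LDAP. Because memberOf is operational, it is not returned by a default search; request it explicitly, for example `ldapsearch -x -H ldapi:/// -b 'cn=John Doe,ou=people,dc=example,dc=com' -s base memberOf` (or use `+` to list all operational attributes).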

OTHER TIPS

Depending on the server in use, memberOf might be a virtual attribute that is not stored in the entry but rather generated by the server. Some other servers use isMemberOf instead of memberOf. memberOf or isMemberOf would be generated upon request by the server.

One could search:

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(memberOf=cn=users,o=foo,dc=example,dc=com)'

or

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(isMemberOf=cn=users,o=foo,dc=example,dc=com)'

to get the distinguished names that are members of cn=users,o=foo,dc=example,dc=com.

To get the groups of which a known distinguished name is a member:

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(cn=Joe User)' isMemberOf

or

ldapsearch -h hostname -p port \
   -b dc=example,dc=com -s sub \
   '(cn=Joe User)' memberOf

The object class violation occurs because groupOfNames and inetOrgPerson are both structural object classes. Only one structural object class is permitted per object. Some broken directory servers (DSEE for example) will allow multiple structural object classes per object, though. In one of your examples it appears that person and inetOrgPerson are in the same object together; this is a different case because inetOrgPerson is a descendant of person.

Licensed under: CC-BY-SA with attribution