Re: Antw: [EXT] Re: memberof Overlay not showing in base search

2020-09-10 Thread Michael Ströder
On 9/10/20 9:13 AM, Ulrich Windl wrote:
> Typically clients don't care about modifyTimeStamp (maybe even they
> are not allowed to read it),
If you run sssd as NSS/PAM daemon then have a look in your logs: sssd
uses modifyTimeStamp for searching recently modified entries.

And many other clients do this too.

Anyway LDAP clients should always explicitly request the attributes they
really use to avoid unneeded data being transferred. Whether those are
user or operational attributes does not matter.

Ciao, Michael.


Re: Antw: [EXT] Re: memberof Overlay not showing in base search

2020-09-10 Thread Quanah Gibson-Mount




--On Thursday, September 10, 2020 10:13 AM +0200 Ulrich Windl wrote:

> That is one aspect; the other aspect is "who _uses_ the attribute?".
> Typically clients don't care about modifyTimeStamp (maybe even they are
> not allowed to read it), but obviously memberOf is something the client
> cares about, because it's essential information.


There are plenty of attributes that are used by clients that are 
operational (much of ppolicy for example).  And there are many clients that 
*do* make use of things like modifyTimeStamp, to find all entries modified 
after X point in time.


In any case, if you feel memberOf should not be operational, feel free to 
argue this point with Microsoft. ;)


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: Antw: [EXT] Re: memberof Overlay not showing in base search

2020-09-10 Thread Ulrich Windl
>>> Peter Gietz wrote on 09.09.2020 at 17:45 in message
<936a57a3-58ec-9ccd-105d-8e1e2b274...@daasi.de>:
> To add to Quanah's right statement:
> 
> Generally operational attributes are those attributes that are managed
> by the server and not by the clients, e.g. modifyTimeStamp etc. Since
> the server manages memberOf on the fly (based on the client managed
> member attribute in group objects) it is IMO rightly marked as operational.

Hi!

That is one aspect; the other aspect is "who _uses_ the attribute?". Typically
clients don't care about modifyTimeStamp (maybe even they are not allowed to
read it), but obviously memberOf is something the client cares about, because
it's essential information.

Regards,
Ulrich

> 
> Cheers,
> 
> Peter
> 
> 
> On 03.09.20 at 17:16, Quanah Gibson-Mount wrote:
>>
>>
>> --On Thursday, September 3, 2020 9:26 AM +0200 Ulrich Windl
>>  wrote:
>>
>>> I thought operational attributes are mainly for "internal management
>>> purposes". Are there any rules what makes an attribute operational?
>>
>> Depends on the attribute.  Most are defined such via RFC.  In the case
>> of memberOf, there is no RFC, so we match how Microsoft has set the
>> attribute, since they originated it.  They marked it operational.
>>
>> Regards,
>> Quanah
>>
>>
>> -- 
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>> 
> 
> -- 
> 
> Peter Gietz, CEO
> 
> DAASI International GmbH
> Europaplatz 3   
> D-72072 Tübingen
> Germany
> 
> phone: +49 7071 407109-0
> fax:   +49 7071 407109-9  
> email: peter.gi...@daasi.de 
> web:   www.daasi.de 
> 
> Registered office: Tübingen
> Register court: Amtsgericht Stuttgart, HRB 382175
> Management: Peter Gietz




Re: Antw: [EXT] Re: memberof Overlay not showing in base search

2020-09-09 Thread Peter Gietz
To add to Quanah's right statement:

Generally operational attributes are those attributes that are managed
by the server and not by the clients, e.g. modifyTimeStamp etc. Since
the server manages memberOf on the fly (based on the client managed
member attribute in group objects) it is IMO rightly marked as operational.

Cheers,

Peter


On 03.09.20 at 17:16, Quanah Gibson-Mount wrote:
>
>
> --On Thursday, September 3, 2020 9:26 AM +0200 Ulrich Windl
>  wrote:
>
>> I thought operational attributes are mainly for "internal management
>> purposes". Are there any rules what makes an attribute operational?
>
> Depends on the attribute.  Most are defined such via RFC.  In the case
> of memberOf, there is no RFC, so we match how Microsoft has set the
> attribute, since they originated it.  They marked it operational.
>
> Regards,
> Quanah
>
>
> -- 
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 

-- 

Peter Gietz, CEO

DAASI International GmbH
Europaplatz 3   
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax:   +49 7071 407109-9  
email: peter.gi...@daasi.de
web:   www.daasi.de

Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz


Re: Antw: [EXT] Re: memberof Overlay not showing in base search

2020-09-03 Thread Quanah Gibson-Mount




--On Thursday, September 3, 2020 9:26 AM +0200 Ulrich Windl wrote:

> I thought operational attributes are mainly for "internal management
> purposes". Are there any rules what makes an attribute operational?


Depends on the attribute.  Most are defined such via RFC.  In the case of 
memberOf, there is no RFC, so we match how Microsoft has set the attribute, 
since they originated it.  They marked it operational.


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Antw: [EXT] Re: memberof Overlay not showing in base search

2020-09-03 Thread Ulrich Windl
>>> Michal Soltys wrote on 02.09.2020 at 17:22 in message
<3ab77434-434a-0d46-16b5-0917e7dc3...@yandex.pl>:
> On 9/2/20 3:26 PM, Umar Draz wrote:
>> Hi,
>> 
>> I am running OpenLDAP server on Ubuntu 18.
>> 
>> *ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf*
>> 
>> # udraz, Users, example.com 
>> dn: uid=udraz,ou=Users,dc=example,dc=com
>> memberOf: cn=developers,ou=Users,dc=example,dc=com
>> 
>> Would you please help me how to solve this
>> 
> 
> memberOf is an operational attribute; you either have to specify it 
> directly or use + to return all operationals.
> 
> It's mentioned in ldapsearch manual as well.

Hi!

I thought operational attributes are mainly for "internal management purposes". 
Are there any rules what makes an attribute operational? I don't mean the 
implementation that makes them operational, but guidelines.

Regards,
Ulrich





Re: memberof Overlay not showing in base search

2020-09-02 Thread Michal Soltys

On 9/2/20 3:26 PM, Umar Draz wrote:

> Hi,
>
> I am running OpenLDAP server on Ubuntu 18.
>
> *ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf*
>
> # udraz, Users, example.com
> dn: uid=udraz,ou=Users,dc=example,dc=com
> memberOf: cn=developers,ou=Users,dc=example,dc=com
>
> Would you please help me how to solve this



memberOf is an operational attribute; you either have to specify it 
directly or use + to return all operationals.


It's mentioned in ldapsearch manual as well.
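
An added example, not written by any poster in this thread and not OpenLDAP code: a simplified Python model of how a server chooses which attributes to return for a search, covering the empty list, `*`, `+` (RFC 3673), `1.1` and explicitly named attributes. The entry is based on the one quoted in the thread; the `modifyTimestamp` value, the `OPERATIONAL` subset and the helper names are assumptions made for illustration.

```python
# Simplified model of LDAP attribute selection (RFC 4511 section 4.5.1.8, "+" from
# RFC 3673). Access control, attribute options and subtypes are ignored.

# Assumption: a small subset of the attributes a server treats as operational.
OPERATIONAL = {"memberof", "modifytimestamp", "createtimestamp", "entryuuid"}

# Constructed sample entry based on the thread; the timestamp value is made up.
ENTRY = {
    "uid": ["udraz"],
    "cn": ["Umar Draz"],
    "sn": ["Draz"],
    "uidNumber": ["5000"],
    "memberOf": ["cn=developers,ou=Users,dc=example,dc=com"],
    "modifyTimestamp": ["20200902132652Z"],
}


def select_attributes(entry, requested):
    """Return the attributes sent back for the requested attribute list."""
    wanted = [name.lower() for name in requested]
    if wanted == ["1.1"]:                       # "1.1" alone: no attributes at all
        return {}
    all_user = not wanted or "*" in wanted      # empty list behaves like "*"
    all_operational = "+" in wanted             # "+" selects every operational one
    result = {}
    for name, values in entry.items():
        key = name.lower()
        is_op = key in OPERATIONAL
        if key in wanted or (is_op and all_operational) or (not is_op and all_user):
            result[name] = values
    return result


def groups_of(entry, requested):
    """What a group-based authorization check sees in the search result."""
    return select_attributes(entry, requested).get("memberOf", [])


if __name__ == "__main__":
    # ldapsearch equivalents: no attrs | memberOf | '*' memberOf | '+'
    for attrs in ([], ["memberOf"], ["*", "memberOf"], ["+"]):
        print(attrs, "->", sorted(select_attributes(ENTRY, attrs)))
```

A client that reads group membership from a default search gets an empty list from `groups_of(ENTRY, [])`, which an access check can mistake for "user is in no groups"; requesting `memberOf` by name (or `*` plus `memberOf`) avoids that.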


Re: memberof Overlay not showing in base search

2020-09-02 Thread Dieter Klünter
On Wed, 2 Sep 2020 18:26:52 +0500
Umar Draz wrote:

> Hi,
> 
> I am running OpenLDAP server on Ubuntu 18.
> 
> The memberOf attribute is not showing in ldap simple search, if I do
> the following then memberOf attribute is hidden.
> 
> *ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com*
> # udraz, Users, example.com 
> dn: uid=udraz,ou=Users,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: udraz
> sn: Draz
> givenName: Umar
> mail: ud...@example.com
> cn: Umar Draz
> displayName: Umar Draz
> uidNumber: 5000
> gidNumber: 5000
> gecos: Umar Draz
> loginShell: /bin/bash
> homeDirectory: /home/udraz
> 
> But if I do the following then memberOf attribute appears
> 
> *ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf*
> # udraz, Users, example.com
> dn: uid=udraz,ou=Users,dc=example,dc=com
> memberOf: cn=developers,ou=Users,dc=example,dc=com
> 
> Would you please help me how to solve this

The memberof attribute type is an operational attribute, generated on
the fly.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


memberof Overlay not showing in base search

2020-09-02 Thread Umar Draz
Hi,

I am running OpenLDAP server on Ubuntu 18.

The memberOf attribute is not showing in ldap simple search, if I do the
following then memberOf attribute is hidden.

*ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com*
# udraz, Users, example.com 
dn: uid=udraz,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: udraz
sn: Draz
givenName: Umar
mail: ud...@example.com
cn: Umar Draz
displayName: Umar Draz
uidNumber: 5000
gidNumber: 5000
gecos: Umar Draz
loginShell: /bin/bash
homeDirectory: /home/udraz

But if I do the following then memberOf attribute appears

*ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf*
# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
memberOf: cn=developers,ou=Users,dc=example,dc=com

Would you please help me how to solve this