
"memberOf" LDAP attribute in Open Directory?

Hi all,

I am trying to authenticate wireless clients using 802.1x against our Open Directory (Mac OS X Server 10.5.6). However, to restrict access to particular groups of users, I need to be able to check for a "memberOf" attribute or similar - but it looks like Open Directory doesn't store a user's group memberships in the user record.

Does anyone know of a way to check a user's group memberships by querying the user record?

FWIW, I'm using RHEL running FreeRADIUS to handle the authentication.

Thanks for any help!
Dave.

MacBook Pro 17" 2.5GHz, Mac OS X (10.5.7)

Posted on Jun 2, 2009 6:23 PM

6 replies

Jun 2, 2009 8:19 PM in response to dclark_spc

There is a standard LDAP attribute "memberOf" which appears to be missing in Apple's OpenLDAP implementation.

That's correct. The Apple OD LDAP schema implements 'memberOf' as 'memberUid'. The schema files can be found in /etc/openldap/schema or in the Open Directory Administration Manual, version 3. Querying the group object-class will return the 'memberUid' which will contain the username.

Jul 28, 2009 3:11 PM in response to Mabel O'Farrell

Mabel O'Farrell wrote:
There is a standard LDAP attribute "memberOf" which appears to be missing in Apple's OpenLDAP implementation.

That's correct. The Apple OD LDAP schema implements 'memberOf' as 'memberUid'. The schema files can be found in /etc/openldap/schema or in the Open Directory Administration Manual, version 3. Querying the group object-class will return the 'memberUid' which will contain the username.

memberOf is NOT a part of the LDAP v3 schema (standard)
http://www.openldap.org/lists/openldap-software/200204/msg00747.html

It was introduced by MS in Active Directory and doesn't exist in OpenLDAP. I wish it did as I'm trying to figure out the same issue for my Cisco VPN.

Jul 28, 2009 5:19 PM in response to tinomen

When you contradict someone here, please make sure that your source is more credible than a seven-year-old post in a mailing list aggregator. The 'memberOf' attribute is part of the current OpenLDAP implementation as an overlay to the base schema. In order to use it, it must be specifically implemented in your LDAP database - which in OD it is not.

http://www.openldap.org/doc/admin24/overlays.html#Member%20Of%20Configuration

Oct 16, 2009 6:00 AM in response to dclark_spc

Just for reference... I too found this an annoyance but eventually (in PHP) I searched the group for memberUids, dropped them in an array and then searched the users for the contents of my array - was easier than working out how to load the memberOf overlay.

(Wish I knew more about LDAP - oh well, off to the book store... I sometimes find it hard to see that someone has offered the solution when I did not understand my problem clearly; sometimes I only realize once I have fought my way to a solution...)
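The two-step lookup described in the reply above (read memberUid off the group, then match the user against that list), and Mabel O'Farrell's earlier point that OD keeps membership on the group record rather than on the user, as an added example. This is not any poster's code and not the PHP they described; it is a stand-alone Python sketch over a constructed LDIF snippet (the base DN, group name and usernames are made up) so it runs without a directory server. It also shows the same check as a single RFC 4515 search filter with the username escaped, which is the form a RADIUS server would send to the directory: the username arrives from the supplicant, so it must not be pasted into a filter unescaped.

```python
"""Resolve Open Directory group membership via memberUid (added example).

OD stores membership on the group (memberUid = username), not on the user
(memberOf), so the lookup is: search the group, collect its memberUid
values, then check whether the authenticating username is among them.
"""
from typing import Dict, List, Set

# Constructed sample LDIF: one posixGroup and two user records roughly as an
# OD server returns them. DNs, names and numbers are invented for the example.
SAMPLE_LDIF = """\
dn: cn=wireless,cn=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: apple-group
cn: wireless
gidNumber: 1025
memberUid: dave
memberUid: alice

dn: uid=dave,cn=users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: dave
uidNumber: 1001

dn: uid=mallory,cn=users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: mallory
uidNumber: 1002
"""

# RFC 4515 escapes for values interpolated into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, multi-valued
    attributes collected into lists, keyed by dn. Handles only the plain
    'attr: value' form (no base64 '::' values, no continuation lines)."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries[current["dn"][0]] = current
    return entries


def group_members(entries: Dict[str, Dict[str, List[str]]], group_cn: str) -> Set[str]:
    """Step 1: find the posixGroup with this cn and return its memberUid values."""
    for attrs in entries.values():
        if "posixGroup" in attrs.get("objectClass", []) and attrs.get("cn") == [group_cn]:
            return set(attrs.get("memberUid", []))
    return set()


def is_member(entries: Dict[str, Dict[str, List[str]]], username: str, group_cn: str) -> bool:
    """Step 2: authorise only if the user's uid appears in the group's memberUid list."""
    return username in group_members(entries, group_cn)


def membership_filter(username: str, group_cn: str) -> str:
    """The same check as one LDAP search filter: a non-empty result means
    the user is in the group, with no need to pull the whole member list."""
    return (
        "(&(objectClass=posixGroup)"
        f"(cn={escape_filter(group_cn)})"
        f"(memberUid={escape_filter(username)}))"
    )


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("dave", "mallory"):
        print(user, "->", "allowed" if is_member(directory, user, "wireless") else "denied")
    print(membership_filter("dave", "wireless"))
```

Against a live server the filter string would be passed to an LDAP search with the groups container as the base DN; the parsing and matching logic stays the same, and the escaping step is what keeps a username such as `*)(cn=*` from widening the match.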
