I have configured OpenLDAP with the memberOf overlay and everything works as expected for me. I can see the group memberships in the operational attributes of an object.

Now I am running into the problem that some applications do not request operational attributes when reading the user object from the directory. Namely, I am currently having issues with OPNsense and Keycloak, which appear not to pick up on the memberOf attribute. OPNsense even has a tester utility which shows all queried information, and it only shows the non-operational attributes. Other users are describing similar issues in a GitHub issue at OPNsense's GitHub repository.

My naive solution, and what I have tried to google, is: is there a setting so I can specify which attributes are returned by default? I think the issue would be solved if memberOf were returned by default, and not only when operational attributes are requested?

  • I don't know such an OpenLDAP setting, although I'd consider it to be useful. AFAIK Keycloak queries attribute memberOf if correctly configured. Might depend on the version though. I did not try OPNsense. But my experiments with pfSense integration to my Æ-DIR showed some strange behaviour regarding LDAP group membership. Sorry, I forgot the details of my work-arounds. May 13, 2021 at 11:06
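The behaviour the question describes follows from the LDAP attribute-selection rules (RFC 4511, section 4.5.1.8): with an empty attribute list or `*`, a server returns only user attributes, and an operational attribute such as the memberOf overlay's memberOf comes back only when the client names it explicitly or asks for `+`. The following simulation of those rules over a constructed sample entry is an added example, not code from the question or from OpenLDAP; the entry contents and DN values are made up for illustration.

```python
# Simulation of RFC 4511 attribute selection for a single entry.
# Constructed sample: OpenLDAP's memberOf overlay keeps memberOf as an
# operational attribute, so it sits in the "operational" bucket here.
SAMPLE_ENTRY = {
    "user": {
        "uid": ["alice"],
        "cn": ["Alice Example"],
        "objectClass": ["inetOrgPerson"],
    },
    "operational": {
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],  # constructed DN
        "entryUUID": ["00000000-0000-0000-0000-000000000000"],  # placeholder
    },
}


def select_attributes(requested, entry=SAMPLE_ENTRY):
    """Return the attributes a server sends for `requested`, the list of
    attribute descriptions carried in a SearchRequest."""
    # Attribute descriptions are matched case-insensitively (RFC 4512).
    req = [a.strip().lower() for a in requested]
    # "1.1" on its own means "no attributes at all".
    if req == ["1.1"]:
        return {}
    user, oper = entry["user"], entry["operational"]
    result = {}
    # Empty list or "*": every user attribute, but no operational ones.
    if not req or "*" in req:
        result.update(user)
    # "+": every operational attribute (OpenLDAP extension, widely supported).
    if "+" in req:
        result.update(oper)
    # Explicitly named attributes are returned from either bucket.
    for name, values in {**user, **oper}.items():
        if name.lower() in req:
            result[name] = values
    return result


def returns_memberof(requested, entry=SAMPLE_ENTRY):
    """True if a client sending `requested` would see the memberOf attribute."""
    return "memberOf" in select_attributes(requested, entry)
```

An application that sends no attribute list, as the tester utility in the question appears to do, lands in the first branch and never sees memberOf; adding `memberOf` or `+` to its attribute list is what changes the outcome.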
