
I have configured OpenLDAP with the memberOf overlay and everything works as expected for me. I can see the group memberships in the operational attributes of an object.

Now I am running into the problem that some applications do not request operational attributes when reading the user object from the directory. Namely, I am currently having issues with OPNsense and Keycloak, which appear not to pick up on the memberOf attribute. OPNsense even has a tester utility which shows all queried information, and it only shows the non-operational attributes. Other users are describing similar issues in a GitHub issue in OPNsense's GitHub repository.

My naive solution, and what I have tried to google, is: is there a setting so I can specify which attributes are returned by default? I think that the issue would be solved if memberOf were returned by default, and not only if operational attributes are requested.

I don't know such an OpenLDAP setting, although I'd consider it to be useful. AFAIK Keycloak queries attribute *memberOf* if correctly configured. Might depend on the version though. I did not try *OPNsense*. But my experiments with *pfSense* integration to my [Æ-DIR](https://ae-dir.com) showed some strange behaviour regarding LDAP group membership. Sorry, I forgot the details of my work-arounds. – Michael Ströder May 13 '21 at 11:06

0 Answers
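The behaviour the question runs into is the standard LDAP attribute-selection rule, not an OpenLDAP quirk: memberOf is an operational attribute, and a search whose attribute list is empty or `*` returns user attributes only (RFC 4511 section 4.5.1.8; `+` for all operational attributes comes from RFC 3673). The following is an added example, not code from the question or from OpenLDAP, that models that rule over a constructed sample entry so you can see exactly which request lists surface memberOf.

```python
# Model of LDAP search attribute selection, showing why memberOf (maintained by
# the memberOf overlay as an operational attribute) is absent unless the client
# names it or asks for "+". The entry and attribute sets below are constructed.

USER_ATTRS = {"uid", "cn", "sn", "mail", "objectClass"}
OPERATIONAL_ATTRS = {"memberOf", "entryUUID", "createTimestamp", "modifyTimestamp"}

# Constructed sample entry for a user the memberOf overlay has tagged as a group member.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "mail": ["jdoe@example.org"],
    "objectClass": ["inetOrgPerson"],
    "memberOf": ["cn=admins,ou=groups,dc=example,dc=org"],
    "entryUUID": ["constructed-placeholder-uuid"],
}


def select_attributes(entry, requested):
    """Return the attributes a server sends back for the given request list.

    Rules applied: an empty list or "*" selects all user attributes; "+" selects
    all operational attributes; an explicitly named attribute is returned whether
    it is user or operational; a list consisting only of "1.1" returns nothing.
    Attribute names are matched case-insensitively, as LDAP requires.
    """
    requested = list(requested)
    if requested == ["1.1"]:
        return {}
    wanted = set()
    if not requested or "*" in requested:
        wanted |= {a for a in entry if a in USER_ATTRS}
    if "+" in requested:
        wanted |= {a for a in entry if a in OPERATIONAL_ATTRS}
    named = {r.lower() for r in requested}
    wanted |= {a for a in entry if a.lower() in named}
    return {a: entry[a] for a in entry if a in wanted}


def has_member_of(requested):
    """True if a search with this attribute list would include memberOf."""
    return "memberOf" in select_attributes(SAMPLE_ENTRY, requested)


if __name__ == "__main__":
    for req in ([], ["*"], ["memberOf"], ["*", "+"]):
        print(req, "->", sorted(select_attributes(SAMPLE_ENTRY, req)))
```

An application that reads "the user object" with a default (empty) attribute list therefore never sees memberOf; the fix is on the client side, either naming `memberOf` in its attribute list or requesting `*` together with `+`.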