config memberOf in idpv4

Lohr, Donald lohrda at
Wed May 6 17:24:05 UTC 2020

In most LDAP products, if you look at the user's account you can see an 
attribute that contains the groups they are a member of.

Many LDAP products treat that user attribute as an operational attribute 
and not a normal attribute.  If you do an ldapsearch against a user, you 
might have to use something like the following after your "(cn=test01)" 
search filter:

"+" "*"

The "+" returns the operational attributes and the "*" returns all 
normal attributes.  Normally, if you don't ask for any attributes to be 
returned, that's the same as "*".

Of course, the LDAP server will only return the attributes that the -D 
(bind account) has access to see.

In my opinion, why search all of the groups for the logging-in user 
when you can search the user for their memberships? It's easier, 
especially if your LDAP service does not have a common group container.


On 5/6/20 10:45 AM, leosimon wrote:
> No one has overcome this scenario?
> Please someone help
> --
> Sent from:

Donald Lohr
Information Systems
James Madison University
540.568.3730
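As an added example, not code from the thread, here is a small Python script that builds the ldapsearch call described in the reply above (filter first, then "*" and "+") and parses the resulting LDIF to pull out the user's memberOf values. The server URI, bind DN, base DN and the two sample entries are constructed placeholders, and the -LLL and -W flags are assumptions about the OpenLDAP client.

```python
"""Added example: read a user's group memberships from ldapsearch LDIF output."""
import base64

# Constructed sample: what ldapsearch returns when "*" "+" are both requested.
# memberOf is operational on many servers, so it only shows up because of "+".
LDIF_WITH_OPERATIONAL = """dn: uid=test01,ou=people,dc=example,dc=edu
cn: test01
memberOf: cn=idp-admins,ou=groups,dc=example,dc=edu
memberOf: cn=library-staff,ou=groups,
 dc=example,dc=edu
memberOf:: Y249bGFiIHVzZXJzLG91PWdyb3VwcyxkYz1leGFtcGxlLGRjPWVkdQ==
"""
# Constructed sample: the same search with only "*" (or no attribute list at all).
LDIF_NORMAL_ONLY = """dn: uid=test01,ou=people,dc=example,dc=edu
cn: test01
"""

def ldapsearch_argv(uri, bind_dn, base_dn, search_filter):
    """argv for the search the post describes: the filter, then "*" and "+".
    -LLL (plain LDIF output) and -W (prompt for the bind password) are assumed
    OpenLDAP client flags; the search itself is not run here."""
    return ["ldapsearch", "-LLL", "-H", uri, "-D", bind_dn, "-W",
            "-b", base_dn, search_filter, "*", "+"]

def parse_ldif(text):
    """Parse LDIF into a list of entries ({lowercased attribute: [values]}).
    Handles folded continuation lines and base64 values ("attr:: ...")."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries

def memberships(text):
    """memberOf DNs of the first entry; [] means the attribute was not returned
    (typically "+" was omitted, or the bind account cannot read it)."""
    entries = parse_ldif(text)
    return entries[0].get("memberof", []) if entries else []
```

An empty result from memberships() is the symptom to check for before touching the IdP's attribute resolver: either the search asked only for "*" or the bind account lacks rights to the operational attribute.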
