DSEE and ismemberof

A nice feature in the latest enterprise series of directories from Sun/Oracle (after Sun Directory 5.2) is the system attribute “isMemberOf”, which the directory generates for any entry queried, listing the groups that entry is part of.

This is the equivalent of Active Directory’s “memberOf” attribute (there is also a “memberOf” plugin for 389/Red Hat Directory). The main difference is that while memberOf on AD is a normal visible user attribute, isMemberOf on DSEE is a system attribute and so must be requested explicitly in a search for its value(s) to be returned. It is also multi-valued, and so should be treated as an array for programming purposes.

The values returned are the distinguished names (DNs) of each group the entry is a member of. For example:

[me@myhost ~]$ ldapsearch -x -LLL -h myhost -D "cn=directory manager" \
    -W -b "dc=example,dc=com" -s sub "uid=me" ismemberof
Enter LDAP Password:
dn: uid=me,ou=people,dc=example,dc=com
ismemberof: cn=Administrators,dc=example,dc=com
ismemberof: cn=Staff,ou=Groups,dc=example,dc=com
ismemberof: cn=Webmasters,ou=Groups,dc=example,dc=com

Here’s some Perl code using standard Net::LDAP methods to enumerate all the values in a target’s ismemberof (which has been specified in the list of attributes requested from the server):

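# $entry is a Net::LDAP::Entry from a search that requested 'ismemberof'
my @ismemberof = $entry->get_value('ismemberof');   # list context: all values
foreach my $group (@ismemberof) {
    print "Member of: ", "\"$group\"", "\n";
}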

(The group DN values are put in quotes by convention. The quotes are not necessary, but having them there may prevent confusion if your output is transferred to a spreadsheet, because of “all them commas”.)
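
The multi-valued handling described above matters most when isMemberOf drives an access decision. The following is an added example (not code from the original post) that checks an entry against a required group DN. norm_dn and in_group are hypothetical helpers, the entry is constructed locally to mirror the ldapsearch output, and folding the whole DN to lower case assumes case-insensitive naming attributes such as cn, ou and dc.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Entry;
use Net::LDAP::Util qw(canonical_dn);

# Normalize a DN for comparison: canonical_dn() standardizes spacing and
# escaping; lc() folds case (assumption: cn/ou/dc values are case-insensitive).
sub norm_dn {
    my ($dn) = @_;
    my $canon = canonical_dn($dn);
    return defined $canon ? lc $canon : undef;
}

# Hypothetical helper: true if $entry lists $group_dn among its isMemberOf values.
sub in_group {
    my ($entry, $group_dn) = @_;
    my $want = norm_dn($group_dn);
    return 0 unless defined $want;          # unparsable DN: deny
    # List context returns every value of the multi-valued attribute.
    my @groups = $entry->get_value('ismemberof');
    for my $g (@groups) {
        my $have = norm_dn($g);
        return 1 if defined $have && $have eq $want;
    }
    return 0;
}

# Constructed entry mirroring the ldapsearch output above (no server needed).
my $entry = Net::LDAP::Entry->new;
$entry->dn('uid=me,ou=people,dc=example,dc=com');
$entry->add(ismemberof => [
    'cn=Administrators,dc=example,dc=com',
    'cn=Staff,ou=Groups,dc=example,dc=com',
    'cn=Webmasters,ou=Groups,dc=example,dc=com',
]);

# Pitfall: scalar context yields only the first value, so a check written
# this way would miss every group after the first one.
my $first = $entry->get_value('ismemberof');
print "Scalar context sees only: \"$first\"\n";

# Same group spelled with different case and spacing, plus a non-member group.
for my $dn ('CN=webmasters, OU=Groups, DC=example, DC=com',
            'cn=Auditors,ou=Groups,dc=example,dc=com') {
    printf "%-45s => %s\n", $dn,
        in_group($entry, $dn) ? 'member' : 'not a member';
}
```

Against a live server the entry would come from a search whose attribute list names ismemberof explicitly, since the directory does not return it otherwise.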