[python-ldap] Overlays and python-ldap

Christian Heimes christian at python.org
Tue Nov 17 13:18:16 EST 2020

On 16/11/2020 17.10, Éloi Rivard wrote:
> Hi.
> I would like to check what overlays are installed and enabled in a
> slapd instance (for instance ppolicy or memberof). I am not really sure
> how to achieve this, and was hoping to find some clues here.
> Also, by playing with the ObjectClass [1] class and the subschema
> module, I can find all the available attributes for a given class, say
> inetOrgPerson. Enabling the memberof module would allow a new virtual
> 'memberof' attribute. However I could not manage to get the information
> "the memberof attribute is available on that class" in a pythonic way.
> Do you have some clues? Should I open a feature request ticket?

As Ondřej already explained, supported controls are listed in the root
DSE entry. Supported controls, extensions, features, and other flags are
available for anonymous binds. The attribute names and OIDs are


>>> import ldap
>>> from ldap.controls import SimplePagedResultsControl
>>> oid = SimplePagedResultsControl.controlType.encode('ascii')
>>> oid
>>> conn = ldap.initialize("ldap://localhost")
>>> oid in conn.read_rootdse_s()['supportedControl']

Features like the memberOf plugin are implementation specific. 389-DS has
its configuration in "cn=MemberOf Plugin,cn=plugins,cn=config". The
entry is only accessible by the "cn=Directory Manager" user. OpenLDAP may
store the plugin configuration somewhere else.

In 389-DS the "memberOf" attribute must be defined in one or more
objectClasses of an entry. For example 389-DS defines the nsMemberOf class:

( 2.16.840.1.113730.3.2.329 NAME 'nsMemberOf' DESC 'Allow memberOf
assignment on groups for nesting and users' SUP top AUXILIARY MAY
memberOf X-ORIGIN ( '389 Directory Server Project' 'user defined' ) )

Fun fact: The "ns" prefix stands for Netscape.
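
The objectClass check described above, as an added example that is not part of the original message: a standard-library parser for RFC 4512 objectClass definitions (the form a server publishes in the objectClasses values of its subschema entry) that reports which classes permit a given attribute, following SUP inheritance. The sample list is constructed, with only the nsMemberOf definition taken from the message, and the function names are this example's own.

```python
import re

# Constructed sample of subschema "objectClasses" values. nsMemberOf is the
# definition quoted in the message; the others are abbreviated stand-ins.
OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY description )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson"
    " STRUCTURAL MAY ( mail $ uid ) )",
    "( 2.16.840.1.113730.3.2.329 NAME 'nsMemberOf' DESC 'Allow memberOf"
    " assignment on groups for nesting and users' SUP top AUXILIARY MAY"
    " memberOf X-ORIGIN ( '389 Directory Server Project' 'user defined' ) )",
]
FLAGS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY", "OBSOLETE"}
TOKEN = re.compile(r"'([^']*)'|([()$]|[^\s'()$]+)")

def parse_object_class(definition):
    """Parse one RFC 4512 ObjectClassDescription into {keyword: [values]}."""
    toks = [(m.lastindex == 1, m.group(m.lastindex)) for m in TOKEN.finditer(definition)]
    if len(toks) < 3 or toks[0] != (False, "(") or toks[-1] != (False, ")"):
        raise ValueError("not an ObjectClassDescription: %r" % definition)
    oc, i = {"OID": [toks[1][1]]}, 2
    while i < len(toks) - 1:
        key, values, i = toks[i][1], [], i + 1
        if key not in FLAGS and toks[i] == (False, "("):   # parenthesised list
            i += 1
            while toks[i] != (False, ")"):
                if toks[i] != (False, "$"):
                    values.append(toks[i][1])
                i += 1
            i += 1
        elif key not in FLAGS:                              # single value
            values, i = [toks[i][1]], i + 1
        oc[key] = values
    return oc

def classes_allowing(attr, definitions):
    """Names of classes whose MUST/MAY, own or inherited via SUP, list attr."""
    parsed = [parse_object_class(d) for d in definitions]
    by_name = {n.lower(): oc for oc in parsed for n in oc.get("NAME", oc["OID"])}
    def allows(oc, seen):
        if id(oc) in seen:                                  # guard against SUP loops
            return False
        seen.add(id(oc))
        own = {a.lower() for a in oc.get("MUST", []) + oc.get("MAY", [])}
        sups = [by_name[s.lower()] for s in oc.get("SUP", []) if s.lower() in by_name]
        return attr.lower() in own or any(allows(s, seen) for s in sups)
    return sorted(oc.get("NAME", oc["OID"])[0] for oc in parsed if allows(oc, set()))
```

With this sample, inetOrgPerson does not permit memberOf on its own; an entry would also need the auxiliary nsMemberOf class.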

