Ulrich Windl wrote:
Hi!
I had a problem with "empty groups":
You and everyone else in the world. A quick search would turn up hundreds of posts on this topic.
object class groupOfNames has a MUST
member attribute, so you cannot create an empty group. I consider this to be a bug in the object class definition, specifically as groupOfNames is structural, and not auxiliary.
So in SLES empty (POSIX) groups are created with a namedObject structural class.
Unfortunately, because of "structural object class modification from 'namedObject' to 'groupOfNames' not allowed", the entry has to be recreated whenever the first member is added to or the last member is removed from a group.
While examining the problem, I found out that the namedObject (rfc2307bis.schema) has its "cn" attribute optional:

## namedObject is needed for groups without members
objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRUCTURAL MAY cn )
I'd consider this workaround as a bug also.
This is why we wrote a new version of rfc2307bis. http://tools.ietf.org/html/draft-howard-rfc2307bis-02
Two questions remaining:
- is there a technical reason against empty groups? I'd consider them as valid as empty arrays.
The groupOfNames definition comes from X.500. Ask the ITU what they were thinking.
- Is it an LDAP requirement to forbid structural changes in object classes, or is it an implementation restriction? In my experience the ID of an entry is (if not the entry's UUID) more the value of the DN than the structural objectClass...
It is an X.500 requirement. Read the specs instead of asking what LDAP requires.
Insights?
Regards, Ulrich
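To make the two server behaviours in this thread concrete (the MUST member check that rejects an empty groupOfNames, and the refusal to change an entry's structural object class on modify), here is a small schema checker written for this page. It is not OpenLDAP code and its parser handles only the RFC 4512 objectclass syntax used in the snippet below; the schema text is transcribed by hand (top and groupOfNames as in RFC 4519/core.schema, namedObject exactly as quoted above, posixGroup in its AUXILIARY rfc2307bis form), and the entries and DNs are constructed sample data. It shows why the namedObject workaround forces a delete-and-re-add: adding member to a namedObject entry is an object class violation, and swapping namedObject for groupOfNames is a structural class change.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed schema text (RFC 4512 syntax, transcribed by hand for this example).
SCHEMA_TEXT = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL
    MUST ( member $ cn )
    MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRUCTURAL MAY cn )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
    MUST gidNumber MAY ( userPassword $ memberUid $ description ) )
"""

# Minimal parser: only the clauses present in SCHEMA_TEXT are recognised.
OC_RE = re.compile(
    r"objectclass\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>\w+)'"
    r"(?:\s+SUP\s+(?P<sup>\w+))?\s+(?P<kind>STRUCTURAL|AUXILIARY|ABSTRACT)"
    r"(?:\s+MUST\s+(?P<must>\([^)]*\)|\w+))?"
    r"(?:\s+MAY\s+(?P<may>\([^)]*\)|\w+))?\s*\)",
    re.IGNORECASE | re.DOTALL)


@dataclass(frozen=True)
class ObjectClass:
    name: str            # canonical spelling, used in error messages
    kind: str            # STRUCTURAL / AUXILIARY / ABSTRACT
    sup: Optional[str]   # lower-cased superclass name, or None
    must: FrozenSet[str]
    may: FrozenSet[str]


def _attrs(group: Optional[str]) -> FrozenSet[str]:
    """'( a $ b )' or 'a' -> lower-cased attribute names."""
    if not group:
        return frozenset()
    return frozenset(a.strip().lower() for a in group.strip("() ").split("$"))


def parse_schema(text: str) -> Dict[str, ObjectClass]:
    schema = {}
    for m in OC_RE.finditer(text):
        oc = ObjectClass(m["name"], m["kind"].upper(),
                         m["sup"].lower() if m["sup"] else None,
                         _attrs(m["must"]), _attrs(m["may"]))
        schema[oc.name.lower()] = oc
    return schema


def ancestors(schema: Dict[str, ObjectClass], name: str) -> List[str]:
    """The class itself followed by its SUP chain (lower-cased)."""
    chain, cur = [], name.lower()
    while cur:
        if cur not in schema:
            raise ValueError(f"unknown objectClass '{cur}'")
        chain.append(cur)
        cur = schema[cur].sup
    return chain


def structural_class(schema: Dict[str, ObjectClass], classes: List[str]) -> str:
    """X.501 rule: an entry has exactly one most-derived STRUCTURAL class."""
    structural = {c.lower() for c in classes
                  if schema[c.lower()].kind == "STRUCTURAL"}
    leaves = {c for c in structural
              if not any(c in ancestors(schema, o)[1:] for o in structural)}
    if len(leaves) != 1:
        raise ValueError(f"entry needs exactly one structural class, got {sorted(leaves)}")
    return schema[leaves.pop()].name


def validate_entry(schema: Dict[str, ObjectClass], entry: Dict[str, List[str]]) -> List[str]:
    """Return schema violations for an entry ({attr: [values]}); [] means valid."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = attrs.get("objectclass", [])
    errors = []
    for c in classes:
        if c.lower() not in schema:
            return [f"unknown objectClass '{c}'"]
    try:
        structural_class(schema, classes)
    except ValueError as e:
        errors.append(str(e))
    must, may = set(), set()
    for c in classes:
        for a in ancestors(schema, c):
            must |= schema[a].must
            may |= schema[a].may
    for a in sorted(must):
        if not attrs.get(a):
            errors.append(f"object class violation: missing MUST attribute '{a}'")
    for a in sorted(attrs):
        if a not in must and a not in may:
            errors.append(f"object class violation: attribute '{a}' not allowed")
    return errors


def check_modify(schema: Dict[str, ObjectClass], old: Dict[str, List[str]],
                 new: Dict[str, List[str]]) -> List[str]:
    """Modify semantics from the thread: new entry must validate, and the
    structural object class of an existing entry may not change."""
    errors = validate_entry(schema, new)
    try:
        before = structural_class(schema, old.get("objectClass", []))
        after = structural_class(schema, new.get("objectClass", []))
    except ValueError:
        return errors
    if before != after:
        errors.append(f"structural object class modification from "
                      f"'{before}' to '{after}' not allowed")
    return errors


if __name__ == "__main__":
    schema = parse_schema(SCHEMA_TEXT)
    # Constructed sample entries (DNs are invented for the example).
    empty_gon = {"objectClass": ["top", "groupOfNames"], "cn": ["admins"]}
    empty_named = {"objectClass": ["top", "namedObject", "posixGroup"],
                   "cn": ["admins"], "gidNumber": ["1000"]}
    as_gon = dict(empty_named, objectClass=["top", "groupOfNames", "posixGroup"],
                  member=["cn=alice,ou=people,dc=example,dc=com"])
    print(validate_entry(schema, empty_gon))            # empty groupOfNames rejected
    print(validate_entry(schema, empty_named))          # namedObject workaround accepted
    print(check_modify(schema, empty_named, dict(empty_named, member=as_gon["member"])))
    print(check_modify(schema, empty_named, as_gon))    # structural change rejected
```

Running the script walks through the exact dead end described above: the empty groupOfNames fails on MUST member, the namedObject entry validates, adding member to it is "not allowed" by any of its classes, and changing its objectClass to groupOfNames trips the structural class rule, so the only path is to delete and re-add the entry.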