Hi!
I had a problem with "empty groups": object class groupOfNames has a MUST member attribute, so you cannot create an empty group. I consider this to be a bug in the object class definition, specifically as groupOfNames is structural, and not auxiliary. So in SLES empty (POSIX) groups are created with a namedObject structural class.
Unfortunately because of "structural object class modification from 'namedObject' to 'groupOfNames' not allowed", the entry has to be recreated whenever the first member is added or the last member is removed to/from a group.
While examining the problem, I found out that the namedObject (rfc2307bis.schema) has its "cn" attribute optional:

## namedObject is needed for groups without members
objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRUCTURAL MAY cn )

I'd consider this workaround as a bug also.
Two questions remaining:
1) Is there a technical reason against empty groups? I'd consider them as valid as empty arrays.
2) Is it an LDAP requirement to forbid structural changes in object classes, or is it an implementation restriction? In my experience the ID of an entry is (if not the entry's UUID) more the value of DN rather than the structural objectClass...
Insights?
Regards, Ulrich
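
The following is an added example, not part of Ulrich's message and not SLES or OpenLDAP code. It parses the namedObject definition quoted above together with the groupOfNames definition from RFC 4519, then plans the LDAP operations a membership change needs, showing where the delete and re-add becomes unavoidable. The helper names, the DNs used in testing and the omission of the auxiliary posixGroup attributes are assumptions.

```python
import re

# namedObject is quoted from the post; groupOfNames is the RFC 4519 definition.
SCHEMA = """\
( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRUCTURAL MAY cn )
( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
"""

def _attrs(definition, keyword):
    """Attribute names after MUST/MAY, written as 'x' or '( x $ y )'."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, definition)
    return {a.strip() for a in (m.group(1) or m.group(2)).split("$")} if m else set()

def parse_objectclasses(text):
    classes = {}
    for line in text.strip().splitlines():
        name = re.search(r"NAME '([^']+)'", line).group(1)
        classes[name] = {"must": _attrs(line, "MUST"), "may": _attrs(line, "MAY")}
    return classes

CLASSES = parse_objectclasses(SCHEMA)

def missing_must(entry):
    """MUST attributes of the entry's object classes that have no value."""
    required = set().union(*(CLASSES[oc]["must"] for oc in entry["objectClass"]))
    return {a for a in required if not entry.get(a)}

def build_entry(cn, members):
    """Hypothetical helper: pick the structural class by member count."""
    oc = "groupOfNames" if members else "namedObject"
    entry = {"objectClass": [oc], "cn": [cn]}
    if members:
        entry["member"] = sorted(members)
    return entry

def plan_update(dn, cn, old_members, new_members):
    """Operations needed to move a group from old_members to new_members."""
    old, new = build_entry(cn, old_members), build_entry(cn, new_members)
    if missing_must(new):
        raise ValueError("new entry violates schema: %s" % missing_must(new))
    if old == new:
        return []
    if old["objectClass"] == new["objectClass"]:
        # Same structural class: an ordinary modify is enough.
        return [("modify", dn, {"member": new["member"]})]
    # The structural class differs and the server rejects that change as a
    # modify, so the entry has to be deleted and re-added.
    return [("delete", dn), ("add", dn, new)]
```

Because the delete and the add are two separate operations, the group's DN does not exist between them, and operational attributes such as entryUUID are regenerated by the add.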