Christian Kratzer writes:
On Wed, 25 Dec 2013, Howard Chu wrote:
Was going to reply but Michael beat me to it. Reiterating all the points Michael made. There is no good reason to use memberUid or uniqueMember in LDAP, both of these schema elements are deeply flawed.
thanks to both of you for bringing this up once more.
I was always intending to ask what the original use case for groupOfUniqueNames actually was as I totally fail to see the point in the uniqueMember attributes.
I don't see a rationale in X.520, but RFCs 4517 and 4519 say the bitstring can be used to differentiate objects with identical or reused DNs. Different versions of someone's certificate, maybe?
Except that doesn't work for uniqueMember in X.500: If you search for (DN, bitstring), it matches an object with the DN and no bitstring - but not vice versa. Nobody in the X.500 community remembered why when we asked, so in the LDAP standard we made the matching rule commutative.
Thus LDAP's uniqueMember probably doesn't even work right for its original purpose, which nobody quite remembers anyway, but at least it's no longer an implementation headache in the server.
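The two matching behaviours contrasted above (the commutative uniqueMemberMatch of RFC 4517 versus the one-directional X.500 behaviour the message describes) are easier to see side by side. The following is an added illustration written for this page, not code from OpenLDAP or from any of the posters. The RFC 4517 rule is taken from the standard text; the X.500 variant is modelled only from the description in the mail, which is an assumption. DN normalisation is deliberately simplified (lower-casing and whitespace trimming), not a full RFC 4514 canonicalisation.

```python
"""Illustrative parser and matching rules for uniqueMember (NameAndOptionalUID)
values.  Added example for this page; simplified DN handling (assumption)."""

import re
from typing import NamedTuple, Optional


class NameAndOptionalUID(NamedTuple):
    dn: str                  # normalised distinguished name
    uid: Optional[str]       # bit string as '0'/'1' characters, or None if absent


_BITSTRING = re.compile(r"^'([01]*)'B$")


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation (assumption): trim and lower-case each RDN.
    A real server would apply the full RFC 4514 / distinguishedNameMatch rules."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)


def parse_name_and_optional_uid(text: str) -> NameAndOptionalUID:
    """Parse RFC 4517 NameAndOptionalUID syntax: <DN> [ '#' <BitString> ]."""
    dn, sep, tail = text.rpartition("#")
    if sep:
        m = _BITSTRING.match(tail.strip())
        if m is not None:
            return NameAndOptionalUID(normalize_dn(dn), m.group(1))
    # No '#', or the tail after '#' is not a bit string (e.g. an escaped '#' in the DN)
    return NameAndOptionalUID(normalize_dn(text), None)


def unique_member_match_ldap(assertion: NameAndOptionalUID, value: NameAndOptionalUID) -> bool:
    """RFC 4517 uniqueMemberMatch: the DNs match and either both sides lack a
    bit string, or both have one and the bit strings are equal.  Symmetric."""
    if assertion.dn != value.dn:
        return False
    if assertion.uid is None and value.uid is None:
        return True
    return assertion.uid is not None and value.uid is not None and assertion.uid == value.uid


def unique_member_match_x500_as_described(assertion: NameAndOptionalUID, value: NameAndOptionalUID) -> bool:
    """The asymmetric behaviour the thread attributes to X.500 (assumption, modelled
    from the mail): an assertion carrying a bit string also matches a stored value
    with the same DN and no bit string, but a bare assertion does not match a
    stored value that carries a bit string."""
    if assertion.dn != value.dn:
        return False
    if value.uid is None:
        return True
    return assertion.uid == value.uid


def is_commutative(match, a: NameAndOptionalUID, b: NameAndOptionalUID) -> bool:
    """True when swapping assertion and attribute value gives the same result."""
    return match(a, b) == match(b, a)


if __name__ == "__main__":
    # Constructed sample values: same DN, one with a bit string and one without.
    with_uid = parse_name_and_optional_uid("uid=jdoe,dc=example,dc=com#'0101'B")
    bare = parse_name_and_optional_uid("UID=jdoe, DC=example, DC=com")
    for name, rule in (("RFC 4517", unique_member_match_ldap),
                       ("X.500 as described", unique_member_match_x500_as_described)):
        print(f"{name}: (uid, bare)={rule(with_uid, bare)} "
              f"(bare, uid)={rule(bare, with_uid)} "
              f"commutative={is_commutative(rule, with_uid, bare)}")
```

Running the block shows the point of the message: under the RFC 4517 rule neither direction matches, so a search by DN alone never finds a uniqueMember that carries a bit string and vice versa, whereas the X.500 behaviour described gives a different answer depending on which side carries the bit string.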