On Fri, 06 Dec 2013 09:49:45 +0100 "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote:
> I had a problem with "empty groups": object class groupOfNames has a MUST member attribute, so you cannot create an empty group. I consider this to be a bug in the object class definition, specifically as groupOfNames is structural, and not auxiliary. So in SLES empty (POSIX) groups are created with a namedObject structural class.
You are not alone. You could try to restart the discussion on ietf-ldapext mailing list about
http://tools.ietf.org/html/draft-findlay-ldap-groupofentries
See Andrew's discussion start postings:
http://www.ietf.org/mail-archive/web/ldapext/current/msg01141.html
http://www.ietf.org/mail-archive/web/ldapext/current/msg01256.html
> - is there a technical reason against empty groups? I'd consider them as
> valid as empty arrays.
Let's go to ietf-ldapext mailing list for this discussion.
> - Is it an LDAP requirement to forbid structural changes in object classes,
Yes. LDAPv3 prohibits changing the structural object class of an entry. I suspect this comes from restrictions due to checking DIT structure rules.
Ciao, Michael.