M. P. wrote:
In this case slapo-refint's own modification is internal and therefore refint_nothing applies. But it does apply when the modification comes from an external LDAP client.
Isn't there a "not" missing in the last sentence?
Yes, should read "But it does not apply".
Thinking about the empty-groupOfNames problem some more, I am considering defining a cn=dummy value to be always present in groupOfNames entries and applying val-based ACLs to make it invisible and unremovable for normal clients (even the ones maintaining the groups).
Yep, I thought about some trick like this. I thought also about the modification of the groupOfNames objectClass but this one does not have the preference of my manager :)
Yes, mucking around with standard schema descriptions is not the right way.
You could use groupOfEntries which was exactly defined for that purpose:
https://tools.ietf.org/html/draft-findlay-ldap-groupofentries
I have to find now how to add automatically a user to a group. ;)
Whatever "automatically" means in your context...
Ciao, Michael.