Ulrich Windl wrote:
> I had a problem with "empty groups":
You and everyone else in the world. A quick search would turn up hundreds of
posts on this topic.
> object class groupOfNames has a MUST
> member attribute, so you
> cannot create an empty group. I consider this to be a
> bug in the object class definition, specifically as groupOfNames is
> structural, and not auxiliary.
> So in SLES empty (POSIX) groups are created with a namedObject
> Unfortunately because of "structural object class modification from
> 'namedObject' to 'groupOfNames' not allowed", the entry has to
> whenever the first member is added or the last member is removed to/from a group.
> While examining the problem, I found out that the namedObject (rfc2307bis.schema) has
> its "cn" attribute optional:
> ## namedObject is needed for groups without members
> objectclass ( 126.96.36.199.4.1.53188.8.131.52 NAME 'namedObject' SUP top
> STRUCTURAL MAY cn )
> I'd consider this workaround as a bug also.
This is why we wrote a new version of rfc2307bis.
> Two questions remaining:
> 1) is there a technical reason against empty groups? I'd consider them as valid as
The groupOfNames definition comes from X.500. Ask the ITU what they were thinking.
> 2) Is it an LDAP requirement to forbid structural changes in object
> or is it an implementation restriction? In my experience the ID of an
> (if not the entry's UUID) more the value of DN rather than the structural
It is an X.500 requirement. Read the specs instead of asking what LDAP requires.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
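The namedObject workaround and the rejected class change discussed above, as an added LDIF illustration that is not part of the thread; the DNs, gidNumber and member are constructed, and posixGroup is assumed to be the AUXILIARY class from rfc2307bis.schema so it can sit on either structural class.

```ldif
# 1. Empty POSIX group as created on SLES: namedObject (structural, cn optional)
#    carries the entry because groupOfNames would demand at least one member.
dn: cn=devs,ou=Groups,dc=example,dc=com
changetype: add
objectClass: namedObject
objectClass: posixGroup
cn: devs
gidNumber: 10001

# 2. Naive attempt to add the first member by swapping the structural class.
#    slapd rejects this whole modify with:
#    "structural object class modification from 'namedObject' to 'groupOfNames' not allowed"
dn: cn=devs,ou=Groups,dc=example,dc=com
changetype: modify
delete: objectClass
objectClass: namedObject
-
add: objectClass
objectClass: groupOfNames
-
add: member
member: uid=alice,ou=People,dc=example,dc=com

# 3. What actually has to happen: delete the entry and re-add it as groupOfNames.
#    The entry's UUID changes, which is the concern raised in question 2.
dn: cn=devs,ou=Groups,dc=example,dc=com
changetype: delete

dn: cn=devs,ou=Groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
objectClass: posixGroup
cn: devs
gidNumber: 10001
member: uid=alice,ou=People,dc=example,dc=com
```

Feeding this file to ldapmodify in one run stops at step 2 (use -c to continue past the error and observe step 3 succeed); removing the last member later requires the reverse delete-and-re-add.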