[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: groupOfName

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: groupOfName
From: Michael Ströder <michael@stroeder.com>
Date: Thu, 05 Jun 2003 11:51:21 +0200
Cc: ietf-ldapbis@OpenLDAP.org
In-reply-to: <5.2.0.9.0.20030604174241.02998d60@127.0.0.1>
References: <1395B4B334FCC143B36AF788E68B63811E3F7C@ausyms21.ca.com> <1395B4B334FCC143B36AF788E68B63811E3F7C@ausyms21.ca.com> <5.2.0.9.0.20030604174241.02998d60@127.0.0.1>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3.1) Gecko/20030425

Kurt D. Zeilenga wrote:

At 02:38 PM 6/4/2003, Michael Ströder wrote:

Would it be a big problem or out of scope of ldapbis to change
declaration of object class 'groupOfNames' so that attribute 'member'
is not required ?


I think redesigning LDAP object class specifications is
beyond our scope.  (Note that such changes in object
class specifications generally requires assignment of
a new OID and new short names.  See X.501(93).)

Is this change really so big? Do you see any incompabilities with existing implementations?

IMO it's a security issue that you MUST specify at least one group member during group creation. Admins will tend to add dummy values leading to inconsistent group management.

Ciao, Michael.

Follow-Ups:
- Re: groupOfName
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: groupOfName (was: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: groupOfName (was: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt)
Next by Date: Values of matchingRules Attribute
Index(es):
- Chronological
- Thread