Re: groupOfName

At 02:51 AM 6/5/2003, Michael Ströder wrote:
>Kurt D. Zeilenga wrote:
>>At 02:38 PM 6/4/2003, Michael Ströder wrote:
>>>Would it be a big problem or out of scope of ldapbis to change
>>>declaration of object class 'groupOfNames' so that attribute 'member'
>>>is not required?
>>I think redesigning LDAP object class specifications is
>>beyond our scope.  (Note that such changes in object
>>class specifications generally requires assignment of
>>a new OID and new short names.  See X.501(93).)
>
>Is this change really so big?

I did not attempt to answer this portion of your question.

We are only chartered to revise the LDAP technical specification
as needed to make it suitable for publication as a Draft Standard.
LDAPBIS cannot change the specification simply because we don't
like it.

>IMO it's a security issue that you MUST specify at least one group member during group creation. Admins will tend to add dummy values leading to inconsistent group management.

Sounds like something that can be addressed by stating a
security consideration.  If the WG were to actually conclude
that the object class was significantly flawed, our best option
would be just to remove it.  Redesigning LDAP schema is beyond
our scope of work.

Kurt
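The concern raised in this exchange is that a mandatory 'member' attribute pushes admins to fill groupOfNames entries with placeholder DNs, leaving group membership inconsistent. The script below is an added example (not from the thread or from any LDAP project) that audits an LDIF export for two symptoms of that: a member DN that resolves to no entry in the export, and a group that lists itself as a member. It assumes a simple LDIF export with one attribute per line, no base64 ('::') values and no continuation lines; the sample LDIF is constructed.

```python
# Constructed LDIF sample (not from the thread): one group with a real member,
# one whose only member is a filler DN, and one that lists itself as a member.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=filler,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=dummy,dc=example,dc=com

dn: cn=self-ref,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=self-ref,ou=groups,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn_lowercase: {attr_lowercase: [values]}} for a simple LDIF export."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":              # DNs are compared case-insensitively
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def find_placeholder_members(entries):
    """Report (group_dn, member_dn, reason) for members that look like fillers:
    a DN with no matching entry in the export, or the group's own DN."""
    findings = []
    for dn, attrs in entries.items():
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if "groupofnames" not in classes:
            continue
        for member in attrs.get("member", []):
            if member.lower() == dn:
                findings.append((dn, member, "self-reference"))
            elif member.lower() not in entries:
                findings.append((dn, member, "dangling"))
    return findings
```

Run against a real export, a "dangling" finding can also mean the referenced entry simply lies outside the exported subtree, so treat it as a lead to verify rather than a verdict.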