
Re: [ldapext] groupofnames vs. groupuniquenames



Collado T Luis E wrote:
> 
> I want to know: what is the difference between the groupofnames and
> groupuniquenames objectclass?

groupOfNames has the member attribute and groupOfUniqueNames has the 
uniqueMember attribute.  This is defined in RFC 2256.

The syntax of the member attribute is just a DN.   The syntax of the 
uniqueMember attribute is a DN and an optional unique identifier.  This is
defined in RFC 2252.   The unique identifier is a bit array, I believe.

The uniqueMember comes from X.500(1993) which wanted to have a way to 
protect the group-based access control from a situation where an entry 
might be deleted and then another entry added with the same DN.  If you
want to ensure that the old group membership check does not permit the 
new entry, then you would use groupOfUniqueNames to form the group, and
have a different uniqueIdentifier value in each instance over time of an
entry.

David Chadwick's book has a chapter on X.500 access control:
http://www.isi.salford.ac.uk/staff/dwc/Version.Web/Chapter.8/Chapter8a.htm

The member attribute is generally not as widely used as uniqueMember, as 
many non-X.500-based implementations of LDAP servers as well as LDAP clients
tend to treat the uniqueMember attribute as being DN-valued and don't use
the optional unique identifier.

Hope this helps,

Mark Wahl
Sun Microsystems Inc.
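As an added illustration (not code from the original thread), the Python below parses uniqueMember values in the RFC 2252 NameAndOptionalUID form (DN, optionally followed by `#` and a `'0101'B` bit string) and performs the membership check the reply describes, so that an entry re-created under an old DN with a different uniqueIdentifier is not matched. DN normalization is deliberately simplified (assumed: no escaped commas and no multi-valued RDNs); a production check should use a proper DN-matching routine.

```python
"""Parse uniqueMember values (RFC 2252 "Name and Optional UID" syntax) and
check group membership so that a re-created entry with the same DN but a
different uniqueIdentifier does not inherit the old membership."""
import re
from typing import Iterable, Optional, Tuple

# NameAndOptionalUID = DistinguishedName [ "#" BitString ], BitString = '0101'B
_NAME_AND_UID = re.compile(r"^(.*?)(?:\s*#\s*'([01]*)'B)?$", re.DOTALL)

def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption: no escaped commas and no
    multi-valued RDNs): lower-case and strip whitespace around each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_unique_member(value: str) -> Tuple[str, Optional[str]]:
    """Split a uniqueMember value into (normalized DN, bit string digits or
    None). A trailing '#' part that is not a well-formed bit string is left
    in the DN rather than silently accepted as an identifier."""
    m = _NAME_AND_UID.match(value.strip())
    return normalize_dn(m.group(1)), m.group(2)

class UniqueNamesGroup:
    """A groupOfUniqueNames entry: the set of (DN, optional UID) it lists."""

    def __init__(self, unique_member_values: Iterable[str]) -> None:
        self.members = {parse_unique_member(v) for v in unique_member_values}

    def is_member(self, entry_dn: str, entry_uid: Optional[str] = None) -> bool:
        """A member recorded with a UID matches only an entry presenting that
        same UID; a member recorded without one matches by DN alone, which is
        how most non-X.500 LDAP deployments use the attribute."""
        dn = normalize_dn(entry_dn)
        return any(m_dn == dn and (m_uid is None or m_uid == entry_uid)
                   for m_dn, m_uid in self.members)

if __name__ == "__main__":
    # Constructed sample: Alice was added with uniqueIdentifier '0101'B
    group = UniqueNamesGroup([
        "cn=Alice,ou=People,dc=example,dc=com#'0101'B",
        "cn=Bob, ou=People, dc=example, dc=com",
    ])
    assert group.is_member("cn=Alice,ou=People,dc=example,dc=com", "0101")
    # An entry re-created under Alice's old DN with a new UID is not a member
    assert not group.is_member("cn=Alice,ou=People,dc=example,dc=com", "1110")
    assert group.is_member("CN=Bob,OU=People,DC=example,DC=com")
    print("uniqueMember checks passed")
```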

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext