
Re: Creating empty groupOfUniqueNames..

And I'm glad to now know that the distinguishedName syntax allows an empty value. I had assumed (always a bad idea) that the syntax required a DN. I need to update our custom schema documentation.

----- Original Message -----
From: "Howard Chu" <hyc@symas.com>
To: <fuser9bb@hotpop.com>
Cc: <openldap-software@OpenLDAP.org>
Sent: Tuesday, December 14, 2004 1:42 AM
Subject: Re: Creating empty groupOfUniqueNames..

fuser9bb@hotpop.com wrote:

I want to create a set of groups that will be used for authorization purposes. To me, it seems that a groupOfNames or groupOfUniqueNames will best serve this purpose. (Better suggestions?) However, both object classes require at least one member attribute. There will be times though when a member is not known. How do you handle this?

Right now I create all groups with an invalid member attribute:

member: cn=invalid,dc=..,dc=..

Does this break any convention? Is there a better way to handle this?

There's nothing wrong with what you suggest. I would ignore groupOfUniqueNames, it's rather useless in the LDAP context. Note that it is legal for distinguishedName syntax to have a zero-length value. I would just use groupOfNames with a zero-length member, which is fundamentally the same idea as your using an invalid DN.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
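
An added example, not part of the thread: code that reads group membership for authorization has to treat both placeholder styles discussed above (a zero-length `member` value and a sentinel DN such as `cn=invalid,...`) as "no member". The sketch below assumes constructed sample entries under `dc=example,dc=com`, hypothetical function names, and a simplified LDIF reader that handles folded lines and base64 values only.

```python
import base64

# Constructed sample data (not from the thread); example.com DNs are placeholders.
BOB = base64.b64encode(b"uid=bob,ou=people,dc=example,dc=com").decode()
SAMPLE_LDIF = (
    "dn: cn=app-admins,ou=groups,dc=example,dc=com\n"
    "objectClass: groupOfNames\n"
    "member:\n"                                    # zero-length member value
    "\n"
    "dn: cn=app-readers,ou=groups,dc=example,dc=com\n"
    "objectClass: groupOfNames\n"
    "member: cn=invalid,dc=example,dc=com\n"       # sentinel DN placeholder
    "member: uid=alice,ou=people,\n"
    " dc=example,dc=com\n"                         # folded continuation line
    "\n"
    "dn: cn=app-ops,ou=groups,dc=example,dc=com\n"
    "objectClass: groupOfNames\n"
    f"member:: {BOB}\n"                            # base64-encoded value
)
PLACEHOLDERS = ("cn=invalid,dc=example,dc=com",)   # assumed sentinel DN


def parse_ldif(text):
    """Return {dn: {attr: [values]}}; handles folded lines and base64 values."""
    entries, current = {}, None
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if not line.strip():
            current = None          # a blank line ends the current entry
            continue
        attr, _, rest = line.partition(":")
        b64 = rest.startswith(":")  # "attr:: value" marks a base64 value
        value = base64.b64decode(rest[1:]).decode() if b64 else rest.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries


def normalize(dn):
    """Simplified DN comparison key: ignores case and spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def effective_members(entry, placeholders=PLACEHOLDERS):
    """Members that should count when making an authorization decision."""
    skip = {normalize(p) for p in placeholders}
    return [m for m in entry.get("member", []) if m and normalize(m) not in skip]
```
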