
Re: Q: empty groups (groupOfNames, member)

Ulrich Windl wrote:
> Hi!
>
> I had a problem with "empty groups":

You and everyone else in the world. A quick search would turn up hundreds of posts on this topic.

> object class groupOfNames has a MUST
> member attribute, so you cannot create an empty group. I consider this to be a
> bug in the object class definition, specifically as groupOfNames is
> structural, and not auxiliary.
> So in SLES empty (POSIX) groups are created with a namedObject structural
> class.
> Unfortunately because of "structural object class modification from
> 'namedObject' to 'groupOfNames' not allowed", the entry has to be recreated
> whenever the first member is added or the last member is removed to/from a group.
>
> While examining the problem, I found out that the namedObject (rfc2307bis.schema) has its "cn" attribute optional:
> ## namedObject is needed for groups without members
> objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top
>         STRUCTURAL MAY cn )
>
> I'd consider this workaround as a bug also.

This is why we wrote a new version of rfc2307bis.
http://tools.ietf.org/html/draft-howard-rfc2307bis-02

> Two questions remaining:
>
> 1) is there a technical reason against empty groups? I'd consider them as valid as empty arrays.

The groupOfNames definition comes from X.500. Ask the ITU what they were thinking.

> 2) Is it an LDAP requirement to forbid structural changes in object
> classes,
> or is it an implementation restriction? In my experience the ID of an entry is
> (if not the entry's UUID) more the value of DN rather than the structural
> objectClass...

It is an X.500 requirement. Read the specs instead of asking what LDAP requires.

> Insights?
>
> Regards,
> Ulrich

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
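Added example, not part of the thread or of OpenLDAP: a small Python model of the namedObject/groupOfNames recreate-on-transition workaround the quoted post describes. The entry dict, the DNs and the LDIF-building helpers are constructed here for illustration; the two constraints it enforces (groupOfNames MUST have member, and the structural class cannot be modified in place) are the ones stated in the post.

```python
# Constructed in-memory model of the workaround the post describes:
# an empty group lives as namedObject, a non-empty one as groupOfNames,
# and crossing that boundary needs a delete + add instead of a modify.
GROUP_OF_NAMES = "groupOfNames"   # structural, MUST member
NAMED_OBJECT = "namedObject"      # structural, MAY cn (rfc2307bis.schema)


def validate(entry):
    """Enforce the two rules from the post; raise ValueError on violation."""
    oc = entry["objectClass"]
    if GROUP_OF_NAMES in oc and not entry.get("member"):
        raise ValueError("groupOfNames requires at least one member")
    if GROUP_OF_NAMES in oc and NAMED_OBJECT in oc:
        raise ValueError("an entry may have only one structural object class")
    return True


def ldif_add(entry):
    """Render a complete 'changetype: add' LDIF record for the entry."""
    lines = [f"dn: {entry['dn']}", "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in entry["objectClass"]]
    lines.append(f"cn: {entry['cn']}")
    lines += [f"member: {m}" for m in sorted(entry.get("member", []))]
    return "\n".join(lines) + "\n"


def plan_member_change(entry, op, member_dn):
    """Return (new_entry, ldif_ops) for adding or deleting one member.

    When the structural class must change (first member added or last
    member removed) the server rejects an in-place objectClass modify,
    so the plan is a delete followed by an add of the rebuilt entry."""
    members = set(entry.get("member", []))
    if op == "add":
        members.add(member_dn)
    elif op == "delete":
        members.discard(member_dn)
    else:
        raise ValueError(f"unknown op {op!r}")
    want_oc = ["top", GROUP_OF_NAMES] if members else ["top", NAMED_OBJECT]
    new_entry = {"dn": entry["dn"], "cn": entry["cn"],
                 "objectClass": want_oc, "member": sorted(members)}
    validate(new_entry)
    if want_oc != entry["objectClass"]:
        ops = [f"dn: {entry['dn']}\nchangetype: delete\n", ldif_add(new_entry)]
    else:  # same structural class: a single modify of the member attribute
        ops = [f"dn: {entry['dn']}\nchangetype: modify\n"
               f"{op}: member\nmember: {member_dn}\n-\n"]
    return new_entry, ops
```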