[GAP] empty groupOfNames in OpenLDAP

Shannon Roddy sbr15 at psu.edu
Thu Jan 28 15:34:18 EST 2016


Hi,

Is anyone using GAP in an OpenLDAP environment instead of a 389
environment?  If so, how did you work around the object class violations
with an empty groupOfNames?

In other words, the default OpenLDAP schema has "member" as a MUST
attribute, so when GAP tries to create the group, it gets an object
class violation since OpenLDAP schema enforces the RFC where member is
MUST. 389 on the other hand has this note in their 00core.ldif schema
file:

################################################################################
# NOTE: There is one very important deviation from the LDAP standard:
# there is a bug in the standard definition of groupOfNames and
# groupOfUniqueNames - the member/uniqueMember attribute is in the MUST
# list, not the MAY list, which means you cannot have an empty group.
# Until the LDAP community figures out how to do grouping properly, we
# have put the member/uniqueMember attribute into the MAY list, to allow
# empty groups.
################################################################################

So... if anyone is using GAP in an OpenLDAP environment, did you:

a) Modify the groupOfNames schema on the OpenLDAP server to change
member from MUST to MAY?
b) Modify GAP to create a dummy member at the time of group creation?

Thanks,
Shannon
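For reference, this is what option (a) looks like on a slapd that uses cn=config; it is an added example, not from the thread or from GAP. It assumes the core schema is loaded as cn={0}core,cn=schema,cn=config and that {N} is replaced by the index your server actually reports for the groupOfNames value.

```ldif
# Added example (not from the original post): move "member" from MUST to
# MAY in groupOfNames so an empty group no longer violates the schema.
# Assumptions: slapd uses cn=config and core.schema is entry cn={0}core.
# First confirm the exact current value and its {index} with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -LLL \
#     '(cn={0}core)' olcObjectClasses
# and look for OID 2.5.6.9. The value in the delete below must match the
# server's stored value exactly, or the modify is rejected. Back up
# slapd.d before applying; the change is live immediately and persists.
dn: cn={0}core,cn=schema,cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {N}( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
-
add: olcObjectClasses
olcObjectClasses: {N}( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST cn MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f groupofnames-may.ldif
```

Note that this deviates from RFC 4519 in the same way 389 does, so any client or ACL that assumes every groupOfNames has at least one member needs to be checked afterwards.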


More information about the Identity-services-gap mailing list