[GAP] empty groupsOfNames in OpenLDAP

Jeffrey Eaton jeaton at cmu.edu
Thu Jan 28 15:47:37 EST 2016


We're not populating groups from GAP into our (deprecated) OpenLDAP environment, but for the legacy groups which we have in OpenLDAP, we treat member as MAY:

objectclass ( 2.5.6.9 NAME 'groupOfNames'
        DESC 'RFC2256: a group of names (DNs)'
        SUP top STRUCTURAL
        MUST ( cn )
        MAY ( member $ owner $ description ) )

If you can't change that for some reason, I'd have GAP add in an additional dummy member as you suggested.  You'll probably want to add it in both at time of creation, as well as whenever you process a fullsync message (so that the fullsync doesn't try to remove the dummy member).  Otherwise, if a group is later emptied out entirely, the last real member removal would fail.

I wonder what they were thinking when they said member is MUST.  Having an empty group seems like a perfectly legitimate thing to want to have to me.

-jeaton

> On Jan 28, 2016, at 3:34 PM, Shannon Roddy via Identity-services-gap <identity-services-gap at lists.andrew.cmu.edu> wrote:
> 
> Hi,
> 
> Is anyone using GAP in an OpenLDAP environment instead of a 389
> environment?  If so, how did you work around the object class violations
> with an empty groupOfNames?
> 
> In other words, the default OpenLDAP schema has "member" as a MUST
> attribute, so when GAP tries to create the group, it gets an object
> class violation since OpenLDAP schema enforces the RFC where member is
> MUST.   389 on the other hand has this note in their 00core.ldif schema
> file:
> 
> ################################################################################
> # NOTE: There is one very important deviation from the LDAP standard:
> # there is a bug in the standard definition of groupOfNames and
> # groupOfUniqueNames - the member/uniqueMember attribute is in the MUST
> # list, not the MAY list, which means you cannot have an empty group.
> # Until the LDAP community figures out how to do grouping properly, we
> # have put the member/uniqueMember attribute into the MAY list, to allow
> # empty groups.
> ################################################################################
> 
> So... if anyone is using GAP in an OpenLDAP environment, did you:
> 
> a) Modify the groupOfNames schema on the OpenLDAP server to change
> member from MUST to MAY?
> b) Modify GAP to create a dummy member at the time of group creation?
> 
> Thanks,
> Shannon
> _______________________________________________
> Identity-services-gap mailing list
> Identity-services-gap at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/identity-services-gap
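As an added illustration (not code from the thread, GAP or OpenLDAP), the following models the MUST-member constraint discussed above and the placeholder-member workaround Jeffrey describes, applied both at creation and when reconciling a fullsync message. The placeholder DN, the sample member DNs and the entry representation are constructed assumptions.

```python
# Added example: models OpenLDAP's groupOfNames (member is MUST) and the
# placeholder-member workaround, applied at creation and on every fullsync.
# All DNs below are constructed sample values, not from the list thread.

# Assumed placeholder DN that keeps 'member' non-empty (not a GAP name).
DUMMY_MEMBER = "cn=empty-group-placeholder,ou=system,dc=example,dc=edu"

# Schema as OpenLDAP ships it: member is MUST (389 moves it to MAY instead).
GROUP_OF_NAMES_MUST = {"cn", "member"}


def check_object_class(entry: dict) -> list[str]:
    """Return the MUST attributes that are missing or empty; a non-empty
    result is what the server reports as an object class violation."""
    return sorted(a for a in GROUP_OF_NAMES_MUST if not entry.get(a))


def create_group(cn: str, members: list[str]) -> dict:
    """Build a groupOfNames entry, adding the placeholder at creation time
    so an empty group still satisfies the MUST constraint."""
    return {"objectClass": ["groupOfNames"], "cn": [cn],
            "member": sorted(set(members) | {DUMMY_MEMBER})}


def plan_fullsync(current_members: list[str],
                  desired_members: list[str]) -> tuple[list[str], list[str]]:
    """Compute (adds, deletes) for a fullsync message. The placeholder is
    folded into the desired set, so the sync never tries to remove it and
    removing the last real member never leaves 'member' empty."""
    current = set(current_members)
    desired = set(desired_members) | {DUMMY_MEMBER}
    return sorted(desired - current), sorted(current - desired)


def apply_fullsync(entry: dict, desired_members: list[str]) -> dict:
    """Apply a fullsync plan to the entry and return the updated entry."""
    adds, deletes = plan_fullsync(entry["member"], desired_members)
    members = (set(entry["member"]) | set(adds)) - set(deletes)
    return {**entry, "member": sorted(members)}


if __name__ == "__main__":
    g = create_group("staff", [])                     # empty at creation
    g = apply_fullsync(g, ["uid=alice,ou=people,dc=example,dc=edu"])
    g = apply_fullsync(g, [])                         # last real member goes
    assert check_object_class(g) == []                # placeholder remains
    # Same empty group without the workaround violates the schema:
    assert check_object_class({"cn": ["staff"], "member": []}) == ["member"]
```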