On Fri, 06 Dec 2013 09:49:45 +0100 "Ulrich Windl" <[email protected]> wrote
> I had a problem with "empty groups": object class groupOfNames has a MUST
> member attribute, so you cannot create an empty group. I consider this to be
> a bug in the object class definition, specifically as groupOfNames is
> structural, and not auxiliary. So in SLES empty (POSIX) groups are created
> with a namedObject structural class.

You are not alone. You could try to restart the discussion on ietf-ldapext
mailing list about
http://tools.ietf.org/html/draft-findlay-ldap-groupofentries

See Andrew's discussion start postings:
http://www.ietf.org/mail-archive/web/ldapext/current/msg01141.html
http://www.ietf.org/mail-archive/web/ldapext/current/msg01256.html

> 1) is there a technical reason against empty groups? I'd consider them as
> valid as empty arrays.

Let's go to ietf-ldapext mailing list for this discussion.

> 2) Is it an LDAP requirement to forbid structural changes in object classes,

Yes. LDAPv3 prohibits changing the structural object class of an entry.
I suspect this comes from restrictions due to checking DIT structure rules.

Ciao, Michael.
