Ooooohh In my environment (389 redhat) I found this comment in the schema definition. So in 389 it is possible to create groups without any member.

Thanks,
Mirko

# 00core.ldif - Required Schema
#
# Contains standard schema from the following sources:
#
# - RFC 4512
# - RFC 4519
# - LDAP Subentry Internet Draft
#
# The DS specific "aci" attribute is also defined here so we can
# set a default aci
# on the schema entry.
#
# NOTE: There is one very important deviation from the LDAP standard:
# there is a bug in the standard definition of groupOfNames and
# groupOfUniqueNames - the member/uniqueMember attribute is in the MUST
# list, not the MAY list, which means you cannot have an empty group.
# Until the LDAP community figures out how to do grouping properly, we
# have put the member/uniqueMember attribute into the MAY list, to allow
# empty groups.

From: Francesco Chicchiriccò [mailto:[email protected]]
Sent: Thursday, 27 June 2013 09:38
To: [email protected]
Subject: Re: LDAP role provisioning and creator membership

On 26/06/2013 19:22, Mirko Signoretto wrote:

Hi,
I tried the Syncope Roles provisioning. When Syncope creates a group in LDAP, via role provisioning, it adds to the group memberships the LDAP connector user (configured for provisioning operations). Why? Is this correct?

I'm using 389 redhat directory server - syncope 1.1.1 and ldap connector 1.3.5

Hi Mirko,
the commonly used LDAP group object classes (groupOfNames, groupOfUniqueNames) require a value for the membership attribute ('member' or 'uniqueMember' respectively) to be provided upon creation.

This means that you cannot create an LDAP group without providing at least one member: Syncope, for major safety, puts there an LDAP user that exists for sure, e.g. the from the LDAP connector configuration.

Hope this clarifies a bit.
Regards.

--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
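An added example, not part of the thread and not Syncope or 389 code: a small audit over an LDIF export of group entries that reports where the connector bind DN appears as a member, so groups holding it only as the schema-mandated placeholder can be told apart from groups that also have real members. The sample LDIF and all DNs are constructed, and the DN comparison is deliberately simplified.

```python
import base64

# Constructed sample export; every DN here is hypothetical.
SAMPLE_LDIF = """\
dn: cn=managers,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=syncope,ou=services,dc=example,dc=com
uniqueMember: uid=alice,ou=people,dc=example,dc=com

dn: cn=auditors,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: UID=Syncope, OU=Services,
 DC=example, DC=com

dn: cn=empty,ou=groups,dc=example,dc=com
objectClass: groupOfNames
"""

def norm_dn(dn):
    # Simplified comparison: case-insensitive, spaces around commas ignored.
    # Escaped commas inside RDN values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; handles line folding and base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs.pop("dn")[0], attrs

def audit_groups(ldif_text, connector_dn):
    """Classify each entry by how the connector bind DN appears in its members."""
    target, report = norm_dn(connector_dn), {}
    for dn, attrs in parse_ldif(ldif_text):
        raw = attrs.get("member", []) + attrs.get("uniquemember", [])
        members = {norm_dn(m) for m in raw}
        if target in members:
            report[dn] = "placeholder-only" if len(members) == 1 else "connector-plus-members"
        else:
            report[dn] = "no-connector" if members else "empty"
    return report
```
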
