
Re: groupOf [Unique] Names - which to use?



The 'groupOfNames' and 'groupOfUniquenames' object classes are both
defined by the X.500 standard.  The former holds 'member' values that
point to the group members and the latter uses an attribute type called
'uniquemember' for the same purpose.  The difference between a 'member'
and a 'uniquemember' is that 'member' values are simply DNs but
'uniquemember' values consist of a DN optionally followed by a unique
identifier.  The unique identifier can be used to avoid referential
integrity problems when a DN is reused (something you should avoid for
some period of time if you can anyway).  Most of the Netscape (now
iPlanet) products use groupOfUniquenames for simple groups, although we
don't make extensive use of the unique identifier feature right now. 
See RFC 2256 for the formal definition of these object classes:
http://www.ietf.org/rfc/rfc2256.txt

-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?


Stuart Lynne wrote:
> 
> On Fri, Oct 08, 1999 at 09:07:20AM +1300, Graeme Joyce wrote:
> > I remember reading somewhere that groupOfUniqueNames is a Netscape defined
> > objectClass. I see the standard OpenLdap schema only includes groupOfNames.
> >
> > What is the problem that required the groupOfUniqueNames objectClass to be
> > defined?
> >
> > In what situations should a group have objectClass=groupOfUniqueNames rather
> > than groupOfNames (or both..)?
> 
> If you are using the netscape schema you might prefer it.
> 
> > We're starting to define groups for access control so I'd like to get this
> > right.
> 
> If you are using openldap server you can specify the group objectclass and
> attribute using the following syntax:
> 
>         group/objectClassValue/groupAttrName
> 
> So:
>         group="cn=SysAdmin,l=$2"
> 
> is the equivalent of:
> 
>         group="cn=SysAdmin,l=$2/groupOfNames/member"
> 
> and you may prefer:
> 
>         group="cn=SysAdmin,l=$2/groupOfUniqueNames/uniqueMember"
> 
> If someone from netscape is reading the list maybe they can enlighten us on
> what the implied semantic differences between the two types of groups
> are.
> 
> --
> Stuart Lynne <sl@fireplug.net>                __O
> <http://edge.fireplug.net>                  _-\<,_               604-461-7532
> PGP Fingerprint: 28 E2 A0 15 99 62 9A 00   (_)/ (_)   88 EC A3 EE 2D 1C 15 68
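The 'member' versus 'uniqueMember' distinction discussed above (a bare DN versus a DN optionally followed by a unique identifier, the NameAndOptionalUID syntax in RFC 2256) is easy to get wrong when writing access-control code that consults groups. The following is an added example, not code from either poster and not OpenLDAP or iPlanet code: it parses a constructed LDIF fragment containing one group of each object class and performs a membership check in which a re-used DN with a different unique identifier is not treated as the old member. The DNs, the bit-string identifiers and the `normalize_dn` helper are all assumptions of this example; the helper is a crude stand-in for the real distinguishedNameMatch rule.

```python
"""Parse groupOfNames / groupOfUniqueNames entries from a constructed LDIF
sample and check membership, honouring the optional unique identifier."""

import re

# Constructed LDIF fragment (not from the thread): one group of each type.
# A uniqueMember value is a DN optionally followed by '#' and a bit-string
# unique identifier, e.g. ...#'0101'B (NameAndOptionalUID, RFC 2256).
SAMPLE_LDIF = """\
dn: cn=SysAdmin,l=Vancouver,dc=example,dc=com
objectClass: groupOfNames
cn: SysAdmin
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com

dn: cn=SysAdminU,l=Vancouver,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: SysAdminU
uniqueMember: uid=alice,ou=People,dc=example,dc=com#'0101'B
uniqueMember: uid=bob,ou=People,dc=example,dc=com
"""

_UID_RE = re.compile(r"^(?P<dn>.*?)#'(?P<uid>[01]*)'B$")


def normalize_dn(dn):
    """Crude DN normalization (assumption of this example): lowercase and
    strip whitespace around ',' and '='.  Real matching is more involved."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_name_and_optional_uid(value):
    """Split a uniqueMember value into (normalized DN, uid-or-None)."""
    m = _UID_RE.match(value.strip())
    if m:
        return normalize_dn(m.group("dn")), m.group("uid")
    return normalize_dn(value), None


def parse_groups(ldif_text):
    """Return {group DN: {"class": objectClass, "members": [(dn, uid), ...]}}.
    Only 'member' and 'uniqueMember' attributes are collected."""
    groups = {}
    for block in ldif_text.strip().split("\n\n"):
        entry = {"class": None, "members": []}
        group_dn = None
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            attr, val = attr.strip().lower(), val.strip()
            if attr == "dn":
                group_dn = normalize_dn(val)
            elif attr == "objectclass" and val.lower() in (
                "groupofnames", "groupofuniquenames"):
                entry["class"] = val
            elif attr == "member":
                entry["members"].append((normalize_dn(val), None))
            elif attr == "uniquemember":
                entry["members"].append(parse_name_and_optional_uid(val))
        if group_dn:
            groups[group_dn] = entry
    return groups


def is_member(groups, group_dn, subject_dn, subject_uid=None):
    """The DN must match.  When both the stored value and the subject carry a
    unique identifier, the identifiers must match as well, so a DN that has
    been re-used for a different entry does not inherit the old membership."""
    entry = groups.get(normalize_dn(group_dn))
    if entry is None:
        return False
    subj = normalize_dn(subject_dn)
    for dn, uid in entry["members"]:
        if dn != subj:
            continue
        if uid is None or subject_uid is None or uid == subject_uid:
            return True
    return False


if __name__ == "__main__":
    g = parse_groups(SAMPLE_LDIF)
    grp = "cn=SysAdminU,l=Vancouver,dc=example,dc=com"
    alice = "uid=alice,ou=People,dc=example,dc=com"
    print(is_member(g, grp, alice, "0101"))  # original alice: member
    print(is_member(g, grp, alice, "0110"))  # re-used DN, new id: not a member
```

The "both identifiers present means they must agree" rule is this example's reading of the referential-integrity point made in the thread; a plain groupOfNames lookup has no such distinction to make, which is exactly why a re-used DN silently inherits its predecessor's group memberships there.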