Re: Creating empty groupOfUniqueNames..

[<fuser9bb@hotpop.com>]

And I'm glad to now know that the distinguishedName syntax allows an empty 
value. I had assumed (always a bad idea) that the syntax required a DN. I 
need to update our custom schema documentation.

----- Original Message ----- 
From: "Howard Chu" <hyc@symas.com>
To: <fuser9bb@hotpop.com>
Cc: <openldap-software@OpenLDAP.org>
Sent: Tuesday, December 14, 2004 1:42 AM
Subject: Re: Creating empty groupOfUniqueNames..


> fuser9bb@hotpop.com wrote:
>
> > I want to create a set of groups that will be used for authorization 
> > purposes. To me, it seems that a groupOfNames or groupOfUniqueNames will 
> > best serve this purpose. (Better suggestions?) However, both object 
> > classes require at least one member attribute. There will be times though 
> > when a member is not known. How do you handle this?
> >
> > Right now I create all groups with an invalid member attribute:
> >
> > member: cn=invalid,dc=..,dc=..
> >
> > Does this break any convention? Is there a better way to handle this?
>
> There's nothing wrong with what you suggest. I would ignore 
> groupOfUniqueNames, it's rather useless in the LDAP context. Note that it 
> is legal for distinguishedName syntax to have a zero-length value. I would 
> just use groupOfNames with a zero-length member, which is fundamentally 
> the same idea as your using an invalid DN.
>
> --
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support