Since we changed the server schema to be more correct, we are now running into the problem that the groupOfNames and other objectclasses require a member attribute to be present. Until we sort out the general problem with the LDAP grouping schemas, we should just allow empty groups. The easiest way to do this is to just change the objectclass to use MAY instead of MUST for the group member attribute.
Created attachment 363112: patch
To ssh://git.fedorahosted.org/git/389/ds.git
   de00631..263e072  master -> master

commit 263e072493ec249ee0176193ee8bcb1b72255720
Author: Rich Megginson <rmeggins>
Date:   Tue Sep 29 20:45:54 2009 -0600

    Reviewed by: nhosoi (Thanks!)
    Fix Description: Change groupOfNames and groupOfUniqueNames to allow empty
    groups by changing the member/uniqueMember attribute from MUST to MAY.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
[root@rheltest ~]# ldapadd -D "cn=Directory Manager" -w xxx -h localhost -p 389 << EOF
dn: cn=rhgroup3,dc=corp,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
objectClass: ntGroup
ntGroupDeleteGroup: true
cn: rhgroup3
ntUserDomainId: rhgroup3
ntGroupType: -2147483646
ntUniqueId: 3
EOF
adding new entry "cn=rhgroup3,dc=corp,dc=example,dc=com"

This cn=rhgroup3 group is empty; tested that the groupofuniquenames uniqueMember attribute is MAY.

[root@rheltest ~]# ldapadd -D "cn=Directory Manager" -w xxx -h localhost -p 389 << EOF
dn: cn=rhgroup4,dc=corp,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ntGroup
ntGroupDeleteGroup: true
cn: rhgroup3
ntUserDomainId: rhgroup3
ntGroupType: -2147483646
ntUniqueId: 3
EOF
adding new entry "cn=rhgroup4,dc=corp,dc=example,dc=com"

This cn=rhgroup4 group is empty; tested that the groupofnames member attribute is MAY.
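An added example (not from the 389 project or the patch above) to show the schema rule these ldapadd tests exercise: it parses RFC 4512-style objectClass definitions and reports which MUST attributes an entry lacks, which is the objectClass violation an empty group triggers under the strict RFC 4519 definitions. The relaxed definition and the sample entry are constructed to match the fix description; the actual patched schema file is not on this page.

```python
import re

# Matches the attribute part of a MUST/MAY clause in an RFC 4512 objectClass
# definition: either a parenthesised "$"-separated list or a single name/OID.
_ATTRS = r"(?:\(\s*([^)]*?)\s*\)|([\w.;-]+))"

def _attr_list(defn, keyword):
    """Return the lower-cased attribute names listed under MUST or MAY."""
    m = re.search(rf"\b{keyword}\s+{_ATTRS}", defn, re.IGNORECASE)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip().lower() for a in body.split("$") if a.strip()]

def parse_objectclass(defn):
    """Extract NAME, MUST and MAY from a single objectClass definition."""
    name = re.search(r"\bNAME\s+\(?\s*'([^']+)'", defn, re.IGNORECASE)
    return {"name": name.group(1) if name else None,
            "must": _attr_list(defn, "MUST"),
            "may": _attr_list(defn, "MAY")}

def allows_empty_group(defn, member_attr):
    """True if the membership attribute is optional (MAY) rather than MUST."""
    return member_attr.lower() not in parse_objectclass(defn)["must"]

def missing_required(defn, entry):
    """MUST attributes of this class that the entry (attr -> list of values)
    does not carry; inherited MUSTs from SUP classes are not followed here."""
    present = {k.lower() for k, v in entry.items() if v}
    return [a for a in parse_objectclass(defn)["must"] if a not in present]

# RFC 4519 definitions: the strict form in which an empty group violates MUST.
STRICT_GROUP_OF_NAMES = (
    "( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) "
    "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")
STRICT_GROUP_OF_UNIQUE_NAMES = (
    "( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL "
    "MUST ( uniqueMember $ cn ) "
    "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")
# Constructed relaxed form following the fix description: member moved to MAY.
RELAXED_GROUP_OF_NAMES = (
    "( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST cn "
    "MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")

# Constructed entry modelled on the ldapadd test above: a group with no members.
EMPTY_GROUP = {"objectClass": ["top", "groupOfNames"], "cn": ["rhgroup3"]}
```

Running `missing_required(STRICT_GROUP_OF_NAMES, EMPTY_GROUP)` reports `member` as missing, while the relaxed definition reports nothing, which is the behaviour the two ldapadd runs above confirm on the patched server.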