Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 526141

Summary: allow empty groups
Product: [Retired] 389
Component: Schema
Version: 1.2.1
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Hardware: All
OS: Linux
Reporter: Rich Megginson <rmeggins>
Assignee: Rich Megginson <rmeggins>
QA Contact: Viktor Ashirov <vashirov>
CC: amsharma, nhosoi
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:30:58 UTC
Bug Blocks: 519216, 639035
Attachments: patch (flags: none)

Description Rich Megginson 2009-09-29 02:55:45 UTC
Since we changed the server schema to be more correct, we are now running into the problem that the groupOfNames and other objectclasses require a member attribute to be present.  Until we sort out the general problem with the LDAP grouping schemas, we should just allow empty groups.  The easiest way to do this is to just change the objectclass to use MAY instead of MUST for the group member attribute.

Comment 1 Rich Megginson 2009-09-30 02:44:13 UTC
Created attachment 363112: patch

Comment 2 Rich Megginson 2009-09-30 15:03:08 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   de00631..263e072  master -> master

commit 263e072493ec249ee0176193ee8bcb1b72255720
Author: Rich Megginson <rmeggins>
Date:   Tue Sep 29 20:45:54 2009 -0600

    Reviewed by: nhosoi (Thanks!)
    Fix Description: Change groupOfNames and groupOfUniqueNames to allow empty
    groups by changing the member/uniqueMember attribute from MUST to MAY.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

Comment 3 Amita Sharma 2011-05-30 09:08:39 UTC
[root@rheltest ~]# ldapadd -D "cn=Directory Manager" -w xxx -h localhost -p 389 << EOF
dn: cn=rhgroup3,dc=corp,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
objectClass: ntGroup
ntGroupDeleteGroup: true
cn: rhgroup3
ntUserDomainId: rhgroup3
ntGroupType: -2147483646
ntUniqueId: 3
EOF

adding new entry "cn=rhgroup3,dc=corp,dc=example,dc=com"

This cn=rhgroup3 group is empty; tested that the uniqueMember attribute is MAY for groupofuniquenames.

[root@rheltest ~]# ldapadd -D "cn=Directory Manager" -w xxx -h localhost -p 389 << EOF
dn: cn=rhgroup4,dc=corp,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ntGroup
ntGroupDeleteGroup: true
cn: rhgroup3
ntUserDomainId: rhgroup3
ntGroupType: -2147483646
ntUniqueId: 3
EOF

adding new entry "cn=rhgroup4,dc=corp,dc=example,dc=com"

This cn=rhgroup4 group is empty; tested that the member attribute is MAY for groupofnames.
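
The MUST-to-MAY change described in this bug can be checked offline. The following is an added example, not code from the 389 project or from this bug's participants: it parses an objectClass definition and reports which MUST attributes an entry lacks. The RELAXED definition, the sample entry and all function names are constructed for illustration.

```python
import re

# groupOfNames as defined in RFC 4519: member is mandatory.
STRICT = ("( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL "
          "MUST ( member $ cn ) "
          "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")
# Constructed relaxed form following the bug description (member moved to MAY);
# not copied from the 389 schema files.
RELAXED = ("( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL "
           "MUST cn "
           "MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")

# Constructed sample entry: a group with no member values.
EMPTY_GROUP = """\
dn: cn=emptygroup,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: emptygroup
"""

def parse_objectclass(definition):
    """Return (name, MUST set, MAY set) with attribute names lower-cased."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attrs(keyword):
        # An attribute list is either "( a $ b )" or a single bare name.
        m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|([\w;-]+))", definition)
        if not m:
            return set()
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip().lower() for a in raw.split("$") if a.strip()}

    return name, attrs("MUST"), attrs("MAY")

def parse_ldif_entry(text):
    """Parse one simple LDIF entry (no line folding or base64 values)."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def missing_required(entry, definition):
    """Return MUST attributes of the object class that the entry lacks."""
    name, must, _ = parse_objectclass(definition)
    classes = {v.lower() for v in entry.get("objectclass", [])}
    if name.lower() not in classes:
        return set()
    return {a for a in must if a not in entry}
```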