Re: [ldapext] Schema for posixGroup successor (RFC 2307 bis)

Andrew Findlay <> Thu, 12 February 2015 12:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F3A471A87C4 for <>; Thu, 12 Feb 2015 04:54:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.098
X-Spam-Level: *
X-Spam-Status: No, score=1.098 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 126vpfUcVu-5 for <>; Thu, 12 Feb 2015 04:54:39 -0800 (PST)
Received: from ( [IPv6:2001:470:1f15:20::201]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 275421A87B9 for <>; Thu, 12 Feb 2015 04:54:39 -0800 (PST)
Received: from ([2001:8b0:8d0:f7e1:c879:73e4:69f7:a15d] by with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <>) id 1YLtHw-0004Do-Nj; Thu, 12 Feb 2015 12:54:36 +0000
Received: from andrew by with local (Exim 4.83) (envelope-from <>) id 1YLtHw-0003pt-6W; Thu, 12 Feb 2015 12:54:36 +0000
Date: Thu, 12 Feb 2015 12:54:36 +0000
From: Andrew Findlay <>
To: Michael =?iso-8859-1?Q?Str=F6der?= <>
Message-ID: <>
References: <> <> <> <> <>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="J/dobhs11T7y2rNN"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <>
Archived-At: <>
Cc: ldapext <>
Subject: Re: [ldapext] Schema for posixGroup successor (RFC 2307 bis)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Feb 2015 12:54:43 -0000

On Thu, Feb 12, 2015 at 12:53:00PM +0100, Michael Ströder wrote:

> Could you please go ahead pushing draft-findlay-ldap-groupofentries?

OK. I won't have much time for this over the next month, but as a
start I attach the original draft and a summary of the discussions
surrounding it.

The draft itself is quite simple, in that it proposes a group class
that is very similar to the existing groupOfNames. The can of worms it
opened up is not so easy to fix however :-) The main issues relate to
nesting of groups: what it means, whether it should be allowed in a
given case, and how clients and servers might split the work in
dealing with potentially-nested groups. Some of the more likely
solutions to those problems would remove the 'member' attribute from
the groupOfEntries class, thus breaking your proposal...

Here is the discussion summary:
draft-findlay-ldap-groupofentries-00.txt discussion summary 2007-09-24

On September 17th I introduced an I-D to create an LDAP group class
that was capable of representing an empty group. The initial proposal
was for the smallest possible change from the existing groupOfNames

Most people who joined the discussion on were broadly
in support of allowing empty groups, though some thought that any
changes away from the status quo were doomed to fail.

Howard Chu pointed out that groupOfUniqueNames is even worse than
groupOfNames as the LDAP syntax for the nameAndOptionalUID attribute
type cannot be parsed reliably.

Kurt Zeilenga provided much detailed editorial advice, and posed a
question about how to handle groups where the DSA is unwilling or
unable to return some or all member names.

Luke Howard suggested that the behaviour of nested groups should be
defined. I was initially against an explicit definition, but was soon
persuaded that there could be significant performance and security
problems with ad-hoc nesting. At this point the discussion moved
almost entirely to the consideration of nesting issues.

Pete Rowley wanted an interface to be used by read-only clients to find
out what groups a particular entry is a member of without caring about
how the groups are defined. He suggested a memberOf attribute (presumably
server-maintained) for this purpose. Michael Liben also liked this

Simo Sorce proposed a control for server-side group expansion, and
Michael Ströder suggested that an extended operation for asking specific
membership questions would be better. Howard Chu suggested that any such
operation would need a depth limit parameter.

Steven Legg proposed directMember and nestedGroups attributes, and
Michael Ströder suggested that these might be a sufficient set to
describe nested groups. I wondered whether nested groups should be split
into those that could in turn have their own nested groups and those
that could not, but Simo Sorce thought that people would never choose
to use the more restrictive case. I was initially against dropping the
original 'member' attribute, but Steven pointed out that having a new
directMember attribute would allow people to define their own group
classes and still take advantage of defined nesting semantics.

Current situation

It seems to me that we now have these threads of development:

1)	A new structural group class that can represent empty groups.
	This could go forward with the existing ambiguous member
	attribute or it could become the basis of a group
	representation with more carefully defined semantics using

2)	A new auxiliary class and one or more attributes to represent
	groups that may contain other groups. For this to make much
	sense it would require the well-defined version of (1).
	In (1) and (2) I see the definitions of the attributes being
	the key, and would avoid requiring the use of the object
	classes to obtain the defined semantics.

3)	A new control or extended operation so that a client can ask
	the server to do the heavy lifting involved with nested

4)	A new server-maintained attribute called memberOf to give an
	alternative way for clients to ask for membership information.
	AD already has such an attribute, and Pierangelo Masarati
	recently proposed one for OpenLDAP so there may be useful
	existing work to build on.

5)	A document explaining why groupOfUniqueNames,
	uniqueMember and nameAndOptionalUID are bad, possibly leading
	to them being deprecated in the next revision of the core LDAP

I am willing to co-ordinate work on (1) and (2). Are there volunteers
to take on the others?


|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|                +44 1628 782565     |