Re: [ldapext] empty-groupOfNames-issue

Andrew Findlay <> Fri, 04 December 2015 15:28 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id ED7971A87CD for <>; Fri, 4 Dec 2015 07:28:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.602
X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id q7p3r0QAQRsq for <>; Fri, 4 Dec 2015 07:28:51 -0800 (PST)
Received: from ( [IPv6:2001:470:1f15:20::201]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B8D6E1A87CE for <>; Fri, 4 Dec 2015 07:25:14 -0800 (PST)
Received: from ([2001:8b0:8d0:f7e1::94] by with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <>) id 1a4sER-0006Be-5K; Fri, 04 Dec 2015 15:25:11 +0000
Received: from andrew by with local (Exim 4.85) (envelope-from <>) id 1a4sEQ-0002YD-Jz; Fri, 04 Dec 2015 15:25:10 +0000
Date: Fri, 04 Dec 2015 15:25:10 +0000
From: Andrew Findlay <>
To: Michael Ströder <>
Message-ID: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: Andrew Findlay <>
Archived-At: <>
Cc: ldapext <>
Subject: Re: [ldapext] empty-groupOfNames-issue
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 15:28:53 -0000

On Fri, Dec 04, 2015 at 03:11:22PM +0100, Michael Ströder wrote:

> Do you think that a complete replacement RFC _obsoleting_ RFC 4519 would be
> needed?  If the ldapext community would agree on changing the standard wouldn't
> a small RFC _updating_ RFC 4519 also be sufficient?

That may be possible, but I don't know enough about the conventions to
be sure.

> Please let us keep the scope limited to the empty-groupOfNames-issue.  I'm not
> keen on opening the can-of-worms on semantics of nested groups.

Indeed. That needs tackling in due course, but it is a much bigger problem.

> >>
> >>
> >> + Very simple
> >> + Fully compliant to standardization best practices
> >>
> >> - It's not clear whether it was widely adopted in deployments.
> > 
> > Maybe not in the exact form I described in that I-D, but functionally
> > equivalent objectclasses have been in most of my customers' systems.
> > It could be argued that the corrupted form of groupOfNames described
> > above is actually proof of widespread deployment of an analogous class.
> Hmm, the wording gets a bit blurry here.
> How would you explain the clear distinction between 1. and 2.?

There are exacly 2 differences between groupOfNames and groupOfEntries:

1)	the member attribute is mandatory in groupOfNames but
	optional in groupOfEntries

2)	the name and OID are different

In practical terms, groupOfEntries is better because it allows for
empty groups. The benefits are:

a)	Empty groups are reasonable things to have: the need for a group
	does not disappear just because there are no current members.

b)	Forcing groups to always contain at least one entry causes
	management systems to do silly things like adding an entry for
	a non-existent member or even making the group recursively a
	member of itself. These workarounds for the broken definition
	can cause security problems as well as just being awkward.
	There is no defined convention for doing this, so identifying
	the dummy member can be difficult. If several management systems
	can modify the same entry it is possible that it will accumulate
	several dummy members.

Changing the existing groupOfNames to make member an optional attribute
does not solve the problem:

p)	Existing management systems will continue to add dummy members
	but new ones will not know what to do about such values.

q)	New management systems will have to check the schema definition
	to find out whether member is mandatory or not.

In effect, groupOfNames has been corrupted and is no longer a portable

On the other hand, the corrupt version of groupOfNames does serve as
a proof that groupOfEntries is desired by the community because it is
functionally identical.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|                +44 1628 782565     |