Ldap – GroupOfNames without members


I am building a new LDAP structure. I'd like to separate the LDIF-scripts for the creation of my structure from the scripts for the creation of my users. The structure will have to be applied on multiple servers (DTAP) but the users will only be used in unit-tests/development.

But when I create my group, Apache DS (only for development) tells me member is a required attribute of groupOfNames.

ERR_279 Required attributes [member(] not found within entry cn=USER_ROLE, ou=groups, dc=company, dc=com ]

More concrete; what I am looking to accomplish is the following LDIF.

### Create the group
dn: cn=USER_ROLE, ou=groups, dc=company, dc=com 
objectClass: groupOfNames 
objectClass:  top 
# Not adding a member here

### Create the user
dn: uid=myUser, ou=accounts, dc=company, dc=com
objectClass: inetOrgPerson
objectClass: top
# More properties

### Add user to group
dn: cn=USER_ROLE, ou=groups, dc=company, dc=com 
changetype: modify
add: member
member: uid=myUser, ou=accounts, dc=company, dc=com

I've tried adding an empty member: to the initial creation of the group. Which works, but leaves an empty member and does not look like a clean solution.

Best Answer

groupOfNames objects MUST have a cn attribute and a member attribute (see rfc2256 or look at your schema definition).

I'll be interested to hear from others but as far as I can tell your options are one of these:

  • Browse your schema to see if any other group-type objects exist that don't have a member attribute under the 'MUST' qualifier, and use it instead of groupOfNames

  • Use your existing workaround

  • See if someone has defined a different group object that better suits your needs and add it to your schema

(Or these, but don't do these)

  • Define your own custom group object and add it to your schema

  • Redefine the groupOfNames objectclass in your schema and move member from MUST to MAY. If you have a warranty, this will break it.