From 95d4f7c378de7903fbb8102a5b6c17d75e96c74e Mon Sep 17 00:00:00 2001 From: Mark Craig <mark.craig@forgerock.com> Date: Tue, 18 Jun 2013 15:52:37 +0000 Subject: [PATCH] CR-1872 Fix for OPENDJ-964: uniqueMember is misdescribed in static groups --- opendj3/src/main/docbkx/admin-guide/chap-groups.xml | 66 ++++++++++++++++++++++++++++++-- 1 files changed, 61 insertions(+), 5 deletions(-) diff --git a/opendj3/src/main/docbkx/admin-guide/chap-groups.xml b/opendj3/src/main/docbkx/admin-guide/chap-groups.xml index 6290434..69b6623 100644 --- a/opendj3/src/main/docbkx/admin-guide/chap-groups.xml +++ b/opendj3/src/main/docbkx/admin-guide/chap-groups.xml 
@@ -81,11 +81,23 @@ <literal>groupOfNames</literal> where each <literal>member</literal> attribute value is a distinguished name of an entry, or <literal>groupOfUniqueNames</literal> where each - <literal>uniqueMember</literal> attribute value is also a DN, but no - <literal>uniqueMember</literal> value is repeated. Static group entries - can also take the object class <literal>groupOfEntries</literal> that - allows groups to be created before any <literal>member</literal> - entries are specified.</para> + <literal>uniqueMember</literal> attribute value has Name and Optional UID + syntax.<footnote><para>Name and Optional UID syntax values are a DN optionally + followed by <literal>#<replaceable>BitString</replaceable></literal>. The + <replaceable>BitString</replaceable>, such as <literal>'0101111101'B</literal>, + serves to distinguish the entry from another entry having the same DN, which + can occur when the original entry was deleted and a new entry created with the + same DN.</para></footnote> Like other LDAP attributes, + <literal>member</literal> and <literal>uniqueMember</literal> attributes take + sets of unique values.</para> + + <para>Static group entries can also have the object class + <literal>groupOfEntries</literal>, which is like + <literal>groupOfNames</literal> except that it is designed to allow + groups not to have members.</para> + + <para>When creating a group entry, use <literal>groupOfNames</literal> or + <literal>groupOfEntries</literal> where possible.</para> <para>To create a static group, add a group entry such as the following to the directory.</para> 
@@ -139,6 +151,50 @@ member: uid=tmorris,ou=People,dc=example,dc=com member: uid=scarter,ou=People,dc=example,dc=com cn: My Static Group</screen> + + <para>RFC 4519 says a <literal>groupOfNames</literal> entry must have + at least one member. Although OpenDJ allows you to create a + <literal>groupOfNames</literal> without members, strictly speaking that + behavior is not standard. Alternatively, you can use the + <literal>groupOfEntries</literal> object class as shown in the following + example.</para> + + <screen>$ cat group-of-entries.ldif +dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com +cn: Initially Empty Static Group +objectClass: groupOfEntries +objectClass: top +ou: Groups + +$ ldapmodify + --port 1389 + --bindDN "cn=Directory Manager" + --bindPassword password + --defaultAdd + --filename group-of-entries.ldif +Processing ADD request for + cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com +ADD operation successful for DN + cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com +$ cat add-members.ldif +# Now add some members to the group. +dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com +changetype: modify +add: member +member: uid=ahunter,ou=People,dc=example,dc=com +member: uid=bjensen,ou=People,dc=example,dc=com +member: uid=tmorris,ou=People,dc=example,dc=com +member: uid=scarter,ou=People,dc=example,dc=com + +$ ldapmodify + --port 1389 + --bindDN "cn=Directory Manager" + --bindPassword password + --filename add-members.ldif +Processing MODIFY request for + cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com +MODIFY operation successful for DN + cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com</screen> </section> <section xml:id="dynamic-groups"> -- Gitblit v1.10.0
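Review bot: In the first hunk (the paragraph ending "where possible"), the recommendation to prefer `groupOfNames` or `groupOfEntries` is given without a reason, even though the preceding lines now explain exactly what sets `groupOfUniqueNames` apart (the Name and Optional UID syntax with its `#BitString` suffix). Consider adding a short rationale alongside the recommendation, for example that the optional UID suffix is rarely needed and can make `uniqueMember` values harder to compare or match, so readers understand why the plain DN-valued `member` attribute is the better default.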
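Review bot: In the second hunk, both `ldapmodify` invocations pass `--bindPassword password` directly on the command line, which puts the administrator credential in the shell history and process listing; since this is documentation readers will copy, consider showing `--bindPasswordFile` (or letting the tool prompt) instead, or at least using an obviously placeholder value rather than `password`. Otherwise the example reads correctly: `--defaultAdd` is only needed for the first LDIF, which has no `changetype`, and the second file carries `changetype: modify`, so omitting it there is right.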