Why use uniqueMember instead of member?

Hi folks,

it seems that both nss-pam-ldapd as well as Padl's nss_ldap use the
"uniqueMember" attribute for specifying group members as dn's. However,
AFAIU, "uniqueMember" contains a dn, optionally followed by an "#" and
an extra identifier [1] to disambiguate [2] [3] the dn (in case a dn is
reused over time, but not all references are removed).

[1]: (section 3.3.21)

I suspect that this extra identifier is supposed to reference the
x500UniqueIdentifier attribute [4], but I haven't found anything
definitive about this.


Anyway, if I read the sources right, neither nss-pam-ldapd nor nss_ldap
actually implement this uniqueMember correctly. nss-pam-ldapd just
interprets it as a plain dn, while nss_ldap strips off the extra
identifier after the #, but otherwise ignores it.

If the extra identifier is not used, why is uniqueMember used in the
first place? Why not just use "member" [5], which is defined to just
contain a dn?
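For reference, this is how the uniqueMember value syntax the post describes (NameAndOptionalUID, RFC 4517 section 3.3.21) actually splits into the dn and the optional bit-string identifier. It is an added example, not code from the post or from either nss module, and the function names are my own; it shows why "cut at the first #" is not enough, since a dn may itself contain a hex-encoded value introduced by "#" or an escaped "\#".

```python
import re
from typing import Optional, Tuple

# RFC 4517 3.3.21: NameAndOptionalUID = distinguishedName [ SHARP BitString ]
# RFC 4517 3.3.2:  BitString = SQUOTE *binary-digit SQUOTE "B", e.g. '0101'B
_BITSTRING = re.compile(r"^'[01]*'B$")


def _escaped(value: str, pos: int) -> bool:
    """True if the character at pos is preceded by an odd run of backslashes,
    i.e. it is an RFC 4514 escaped character and not a delimiter."""
    n = 0
    i = pos - 1
    while i >= 0 and value[i] == '\\':
        n += 1
        i -= 1
    return n % 2 == 1


def parse_unique_member(value: str) -> Tuple[str, Optional[str]]:
    """Split a uniqueMember value into (dn, uid).

    uid is the bit string after the final '#', or None when absent.
    A dn may legitimately contain '#': a hex-encoded attribute value starts
    with '#' (RFC 4514, e.g. 1.3.6.1.4.1.1466.0=#04024869) and '\\#' is an
    ordinary escaped character. Only a trailing, unescaped, well-formed bit
    string is treated as the optional identifier; any other '#' stays in the dn.
    """
    sharp = value.rfind('#')
    if sharp < 0 or _escaped(value, sharp):
        return value, None
    tail = value[sharp + 1:]
    if not _BITSTRING.match(tail):
        return value, None          # this '#' belongs to the dn, not a uid
    return value[:sharp], tail


def member_dn(value: str) -> str:
    """The dn a name-service resolver should look up for group membership,
    i.e. what stripping the '#...' suffix (as nss_ldap does) should yield."""
    return parse_unique_member(value)[0]


if __name__ == "__main__":
    # Constructed sample values; the hex-encoded one is the RFC 4517 example.
    for v in ("cn=alice,ou=people,dc=example,dc=org#'0101'B",
              "1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB#'0101111101'B",
              "cn=a\\#b,dc=example"):
        print(parse_unique_member(v))
```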