Why use uniqueMember instead of member?

Hi folks,

it seems that both nss-pam-ldapd and Padl's nss_ldap use the
"uniqueMember" attribute for specifying group members as dn's. However,
AFAIU, "uniqueMember" contains a dn, optionally followed by an "#" and
an extra identifier [1] to disambiguate [2] [3] the dn (in case a dn is
reused over time, but not all references are removed).

[1]: http://www.ietf.org/rfc/rfc4517.txt (section 3.3.21)
[2]: http://tools.ietf.org/html/rfc4519#section-2.40
[3]: http://www.openldap.org/lists/openldap-general/199910/msg00026.html

I suspect that this extra identifier is supposed to reference the
x500UniqueIdentifier attribute [4], but I haven't found anything
definitive about this.

[4]: http://tools.ietf.org/html/rfc4519#section-2.43


Anyway, if I read the sources right, neither nss-pam-ldapd nor nss_ldap
actually implement this uniqueMember correctly. nss-pam-ldapd just
interprets it as a plain dn, while nss_ldap strips off the extra
identifier after the #, but otherwise ignores it.

If the extra identifier is not used, why is uniqueMember used in the
first place? Why not just use "member" [5], which is defined to just
contain a dn?

[5]: http://tools.ietf.org/html/rfc4519#section-2.17


Gr.

Matthijs
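As an added illustration (not code from nss-pam-ldapd, nss_ldap or the poster): a small Python parser for the NameAndOptionalUID syntax of RFC 4517 section 3.3.21, placed next to the naive "cut at the #" handling the post describes, plus the uniqueMemberMatch rule from RFC 4517 section 4.2.31. DN comparison is simplified to a case fold (a real distinguishedNameMatch normalises each RDN), and all attribute values are constructed sample data.

```python
import re
from typing import Optional, Tuple

# RFC 4517 3.3.21: NameAndOptionalUID = distinguishedName [ SHARP BitString ]
# RFC 4517 3.3.2:  BitString = SQUOTE *binary-digit SQUOTE "B"   e.g. '0101'B
_UID_SUFFIX = re.compile(r"#'([01]*)'B$")


def parse_unique_member(value: str) -> Tuple[str, Optional[str]]:
    """Split a uniqueMember value into (dn, uid_bits).

    uid_bits is the digit string of the optional BitString, or None for a
    bare DN. A '#' that is not followed by a well-formed BitString belongs
    to the DN (e.g. cn=room#3,...), so it is not stripped."""
    m = _UID_SUFFIX.search(value)
    if m is None:
        return value, None
    return value[: m.start()], m.group(1)


def strip_after_hash(value: str) -> str:
    """Constructed stand-in for the naive handling described in the post:
    cut at the first '#', whatever follows. Mangles DNs containing '#'."""
    return value.split("#", 1)[0]


def unique_member_match(attr_value: str, assertion: str) -> bool:
    """uniqueMemberMatch (RFC 4517 4.2.31): DNs must match, and the
    BitString must be absent from both or present and equal in both.
    A value carrying a UID therefore never matches a bare DN, which is how
    a stale reference to a previous holder of a DN is kept from matching."""
    dn_a, uid_a = parse_unique_member(attr_value)
    dn_b, uid_b = parse_unique_member(assertion)
    if dn_a.casefold() != dn_b.casefold():   # simplified distinguishedNameMatch
        return False
    return uid_a == uid_b                    # None == None, or equal bit strings


if __name__ == "__main__":
    # Constructed sample uniqueMember values.
    alice = "uid=alice,ou=people,dc=example,dc=com#'0101'B"
    room = "cn=room#3,ou=people,dc=example,dc=com"
    print(parse_unique_member(alice))        # DN plus UID bits '0101'
    print(parse_unique_member(room))         # whole DN, no UID
    print(strip_after_hash(room))            # naive cut: 'cn=room' (wrong)
    print(unique_member_match(alice, alice.replace("0101", "0110")))  # False
```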