
grouper-dev - [grouper-dev] [ldappcng] edge use-case : deleting the last member from openldap

Subject: Grouper Developers Forum

  • From: Tom Zeller <>
  • To: Grouper Dev <>
  • Subject: [grouper-dev] [ldappcng] edge use-case : deleting the last member from openldap
  • Date: Thu, 27 Oct 2011 12:17:54 -0500

Feel like commenting on an "edge" provisioning use case?

The OpenLDAP groupOfNames schema must contain the member attribute.
Consequently, if a group has no members, the member attribute must be
provisioned with a configured empty value, usually an empty string,
"".

When processing member deletions via the change log, the ldappcng
consumer will need to either:

(a) attempt to delete the member from the group; if the LDAP
modification fails, parse the error and retry with the empty value

(b) before deleting the member from the group, perform a search to
count the number of members to determine if the empty value is
necessary

(c) cache every provisioned object so that we know when to supply the
empty value


Any other options?


For (a), the error returned from OpenLDAP looks like "LDAP: error code
65 - object class 'groupOfNames' requires attribute 'member'".

I think that (b) introduces lots of unnecessary searches.

I think I might prefer (c), caching, by which I mean cache every
provisioned object in memory, so that ldappcng knows when to supply
the empty value.


For now, shall we just go with (a)?

Thanks,
TomZ
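
Option (a) from the message above, sketched as an added example that is not part of the original post and is not ldappcng code. `FakeDirectory`, `LdapError`, `delete_member` and `is_last_member_violation` are hypothetical names, and the directory is a constructed in-memory stand-in that only reproduces the error string quoted in the message.

```python
import re

EMPTY_VALUE = ""  # configured placeholder value, as described in the message

class LdapError(Exception):
    def __init__(self, code, text):
        super().__init__(f"LDAP: error code {code} - {text}")

class FakeDirectory:
    """Constructed in-memory stand-in for a server enforcing groupOfNames."""
    def __init__(self, groups):
        self.groups = {dn: list(m) for dn, m in groups.items()}
        self.modify_calls = 0

    def modify_delete(self, dn, value):
        self.modify_calls += 1
        members = self.groups[dn]
        if value not in members:
            # Constructed message text; 16 is noSuchAttribute.
            raise LdapError(16, "modify/delete: member: no such value")
        if len(members) == 1:
            # Message text as quoted in the post.
            raise LdapError(65, "object class 'groupOfNames' requires attribute 'member'")
        members.remove(value)

    def modify_replace(self, dn, values):
        self.modify_calls += 1
        self.groups[dn] = list(values)

# Code 65 covers any object class violation, so match the attribute name too.
_VIOLATION = re.compile(r"error code 65 - object class '[^']+' requires attribute '([^']+)'")

def is_last_member_violation(error_text):
    match = _VIOLATION.search(error_text)
    return match is not None and match.group(1).lower() == "member"

def delete_member(directory, group_dn, member_dn):
    """Option (a): delete, and on the schema error retry with the empty value."""
    try:
        directory.modify_delete(group_dn, member_dn)
        return "deleted"
    except LdapError as err:
        if not is_last_member_violation(str(err)):
            raise  # unrelated failure: do not mask it by rewriting the group
    directory.modify_replace(group_dn, [EMPTY_VALUE])
    return "emptied"
```

The second modify is issued only when the deleted value was the last member, and any other failure propagates unchanged instead of being overwritten with the empty value.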


