[Freeipa-devel] multi-valued cn in groups and memberOf?
Rob Crittenden
rcritten at redhat.com
Wed Nov 14 20:44:26 UTC 2007
Pete Rowley wrote:
> Rob Crittenden wrote:
>> Pete.
>>
>> If we have a group with a multi-valued CN how does memberOf deal with
>> that?
>>
>> Does it create a separate memberOf for each one? Or does it use only
>> the "first" CN, whatever that means?
>>
>> So if I have cn=doctors,cn=quacks,cn=groups,...
>>
>> And a member: uid=spock,cn=accounts,...
>>
>> If I do a memberOf what will I get back? That spock is a member of
>> doctors, or quacks or both?
>>
>> This has implications on doing RDN changes. If we drop a CN I need to
>> know what to expect when it comes to group membership. The
>> uniquemembers field will be the same, of course, but what about memberOf?
> memberof uses the dn, it doesn't care about anything else. If you drop a
> cn that is part of the rdn then a) you have performed a mod dn op, and
> b) the referential integrity plugin will take care of the change in
> uniquemember and c) the memberof plugin will take care of it in memberof.
>
Hmm. So does this mean we shouldn't allow multi-valued groups then?
I can see someone thinking they can use multiple cns as group aliases
which won't work.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071114/72f8420b/attachment.bin>
More information about the Freeipa-devel
mailing list