[Freeipa-devel] multi-valued cn in groups and memberOf?

Rob Crittenden rcritten at redhat.com
Wed Nov 14 20:44:26 UTC 2007


Pete Rowley wrote:
> Rob Crittenden wrote:
>> Pete.
>>
>> If we have a group with a multi-valued CN how does memberOf deal with 
>> that?
>>
>> Does it create a separate memberOf for each one? Or does it use only 
>> the "first" CN, whatever that means?
>>
>> So if I have cn=doctors,cn=quacks,cn=groups,...
>>
>> And a member: uid=spock,cn=accounts,...
>>
>> If I do a memberOf what will I get back? That spock is a member of 
>> doctors, or quacks or both?
>>
>> This has implications on doing RDN changes. If we drop a CN I need to 
>> know what to expect when it comes to group membership. The 
>> uniquemembers field will be the same, of course, but what about memberOf?
> memberof uses the dn, it doesn't care about anything else. If you drop a 
> cn that is part of the rdn then a) you have performed a mod dn op, and 
> b) the referential integrity plugin will take care of the change in 
> uniquemember and c) the memberof plugin will take care of it in memberof.
> 

Hmm. So does this mean we shouldn't allow multi-valued groups then?

I can see someone thinking they can use multiple cns as group aliases 
which won't work.

rob
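
The behaviour Pete describes above, as an added example that is not part of the original thread and is not the memberOf plugin's code: a simplified Python model in which memberOf values are derived only from the group entry's DN and its uniqueMember list. The suffix dc=example,dc=com, the entry layout and all function names are assumptions made for illustration.

```python
# Simplified model of DN-based memberOf (illustrative; not the directory server's plugin code).

def norm_dn(dn):
    """Normalise a DN for comparison: trim and lowercase each RDN (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def compute_memberof(groups):
    """Map member DN -> set of group DNs. Only the group's DN is used; its cn values are ignored."""
    index = {}
    for group in groups:
        for member in group["uniqueMember"]:
            index.setdefault(norm_dn(member), set()).add(norm_dn(group["dn"]))
    return index

def is_member(index, user_dn, group_dn):
    """Membership check as an ACL or application would do it: exact match on the group DN."""
    return norm_dn(group_dn) in index.get(norm_dn(user_dn), set())

def rename_group(groups, old_dn, new_rdn, new_cns):
    """Model a mod dn operation: the entry's DN changes, so derived memberOf values change too."""
    for group in groups:
        if norm_dn(group["dn"]) == norm_dn(old_dn):
            parent = group["dn"].split(",", 1)[1]
            group["dn"] = f"{new_rdn},{parent}"
            group["cn"] = list(new_cns)
    return groups

SUFFIX = "dc=example,dc=com"                      # placeholder suffix (assumption)
SPOCK = f"uid=spock,cn=accounts,{SUFFIX}"
DOCTORS = f"cn=doctors,cn=groups,{SUFFIX}"
QUACKS = f"cn=quacks,cn=groups,{SUFFIX}"          # DN an "alias" user might expect to exist

def demo():
    # Constructed sample entry: one group whose cn attribute has two values.
    groups = [{"dn": DOCTORS, "cn": ["doctors", "quacks"], "uniqueMember": [SPOCK]}]
    before = compute_memberof(groups)
    alias_matches = is_member(before, SPOCK, QUACKS)   # the second cn is not a second group DN
    # Dropping cn=doctors from the RDN is a rename of the entry, not an attribute edit.
    rename_group(groups, DOCTORS, "cn=quacks", ["quacks"])
    after = compute_memberof(groups)
    return before[norm_dn(SPOCK)], alias_matches, after[norm_dn(SPOCK)]

if __name__ == "__main__":
    print(demo())
```
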