Posted to users@directory.apache.org by Justen Stepka <js...@jstepka.name> on 2007/05/15 04:44:07 UTC

adding a group without members on create

The addGroup functionality in Crowd does not currently correctly
implement an approach to add a user to ApacheDS. The issue here is
that according to RFC 2256 the groupOfUniqueNames Object Class
requires that the uniquemember field cannot be left blank (i.e. it is a
required field).

Currently our code is trying to get around this by adding a blank
string into this field, but ApacheDS even with this approach does not
allow this.

Currently I do not have a solution beyond providing some kind of user
picker on the add group page, so a person can choose a member to add
to this group. However, we still need to take into account adding
groups via our SOAP interface and also via the importers.

http://jira.atlassian.com/browse/CWD-318

I am wondering if there is a way that we can create a group with
Apache DS and not have to provide any initial members for the group? If
I put in an empty string I then need to know to ignore the empty
uniquemember when processing the attributes on a search.

Cheers,

Justen

-- 
Justen Stepka
http://www.jstepka.name/blog/

Re: adding a group without members on create

Posted by Justen Stepka <js...@jstepka.name>.
On 5/15/07, Stefan Zoerner <st...@labeo.de> wrote:
> Justen Stepka wrote:
> > I am wondering if there is a way that we can create a group with
> > Apache DS and not have to provide any initial members for the group? If
> > I put in an empty string I then need to know to ignore the empty
> > uniquemember when processing the attributes on a search.
>
> Hi Justen!
>
> As far as I know, you have to provide a value for uniqueMember which
> has valid DN syntax ("" or " " do not). But it is not necessary to
> fill it with a valid user.
>
> How about adding a dummy value to the group like "cn=dummy". This is
> what we did in a project with IBM Tivoli Directory Server, a server
> which behaves exactly the same RFC compliant way in this case, btw.
>

Sounds about right. We ended up using a fix that ignores our "" dummy
value on insert when loading the group.

Thanks again,

Justen

-- 
Justen Stepka
http://www.jstepka.name/blog/

Re: adding a group without members on create

Posted by Stefan Zoerner <st...@labeo.de>.
Justen Stepka wrote:
> I am wondering if there is a way that we can create a group with
> Apache DS and not have to provide any initial members for the group? If
> I put in an empty string I then need to know to ignore the empty
> uniquemember when processing the attributes on a search.

Hi Justen!

As far as I know, you have to provide a value for uniqueMember which
has valid DN syntax ("" or " " do not). But it is not necessary to
fill it with a valid user.

How about adding a dummy value to the group like "cn=dummy". This is 
what we did in a project with IBM Tivoli Directory Server, a server 
which behaves exactly the same RFC compliant way in this case, btw.

Greetings from Bremen,
     Stefan




Re: adding a group without members on create

Posted by Alex Karasulu <ak...@apache.org>.
Justen you might by default just add the admin user to the
groupOfUniqueNames when creating it.  This user is always present and
can be deleted later once another user is added to the group.  The DN
for this user is:

uid=admin,ou=system

HTH,
Alex

On 5/14/07, Justen Stepka <js...@jstepka.name> wrote:
>
> The addGroup functionality in Crowd does not currently correctly
> implement an approach to add a user to ApacheDS. The issue here is
> that according to RFC 2256 the groupOfUniqueNames Object Class
> requires that the uniquemember field cannot be left blank (i.e. it is a
> required field).
>
> Currently our code is trying to get around this by adding a blank
> string into this field, but ApacheDS even with this approach does not
> allow this.
>
> Currently I do not have a solution beyond providing some kind of user
> picker on the add group page, so a person can choose a member to add
> to this group. However, we still need to take into account adding
> groups via our SOAP interface and also via the importers.
>
> http://jira.atlassian.com/browse/CWD-318
>
> I am wondering if there is a way that we can create a group with
> Apache DS and not have to provide any initial members for the group? If
> I put in an empty string I then need to know to ignore the empty
> uniquemember when processing the attributes on a search.
>
> Cheers,
>
> Justen
>
> --
> Justen Stepka
> http://www.jstepka.name/blog/
>
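The two suggestions above (Stefan's "cn=dummy" placeholder and Alex's uid=admin,ou=system) both rest on the same two facts: a schema-checking server requires at least one uniqueMember value in a groupOfUniqueNames entry, and that value must parse as a DN, so "" and " " are rejected while a DN that resolves to nothing is accepted. The Python below is an added example, not Crowd or ApacheDS code: it carries the RFC 2256 definition of groupOfUniqueNames, a simplified (and in places stricter than RFC 4514) DN syntax check that shows why the blank value fails, a builder that seeds the MUST attribute with a placeholder when no real members are supplied, and a read-side filter that strips the placeholder again. The placeholder DN, the group names and the member DNs are constructed for the example. Prefer a DN that cannot resolve to a real entry over the admin DN: if the application maps group membership to authorization, seeding admin into every new group grants that account the group's rights until someone remembers to remove it.

```python
"""Schema check and placeholder handling for groupOfUniqueNames.

Added example, not Crowd or ApacheDS code. The objectClass definition is
taken from RFC 2256 section 7.6; the DN check is a simplified reading of
RFC 4514 and is stricter than the RFC where noted. The placeholder DN
and all entry data below are constructed for this example.
"""
import re

# RFC 2256, 7.6: groupOfUniqueNames SUP top STRUCTURAL
#   MUST ( uniqueMember $ cn )
#   MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description )
GROUP_OF_UNIQUE_NAMES = {
    "must": {"uniquemember", "cn"},
    "may": {"businesscategory", "seealso", "owner", "ou", "o", "description"},
}

_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
_BITSTRING = re.compile(r"^'[01]*'B$")


def _split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators alone."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def is_valid_dn(s):
    """Simplified RFC 4514 check: every RDN is attr=value, attr is a
    descriptor or numeric OID. Stricter than the RFC: the DN and each
    value must be non-empty, which is exactly why "" and " " fail."""
    if not s.strip():
        return False
    for rdn in _split_unescaped(s, ","):
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                return False
            attr, value = ava.split("=", 1)
            if not _ATTR_TYPE.match(attr.strip()) or not value.strip():
                return False
    return True


def is_valid_unique_member(s):
    """uniqueMember uses the Name And Optional UID syntax: a DN,
    optionally followed by '#' and a bit string such as '0101'B."""
    dn, sep, uid = s.rpartition("#")
    if sep and _BITSTRING.match(uid):
        return is_valid_dn(dn)
    return is_valid_dn(s)


def schema_violations(entry):
    """What a schema-enforcing server would reject in an add request.
    entry: dict of lowercased attribute name -> list of values."""
    oc = GROUP_OF_UNIQUE_NAMES
    problems = []
    for attr in sorted(oc["must"]):
        if not entry.get(attr):
            problems.append(f"MUST attribute {attr} is missing or empty")
    for attr in entry:
        if attr not in oc["must"] | oc["may"] | {"objectclass"}:
            problems.append(f"attribute {attr} not allowed by groupOfUniqueNames")
    for value in entry.get("uniquemember", []):
        if not is_valid_unique_member(value):
            problems.append(f"uniqueMember value {value!r} is not a valid DN")
    return problems


PLACEHOLDER_MEMBER = "cn=dummy"  # assumed; any valid DN that resolves to nothing


def build_group_entry(cn, members=(), placeholder=PLACEHOLDER_MEMBER):
    """Attributes for the add request. With no real members, seed the
    MUST attribute with the placeholder DN instead of an empty string."""
    values = [m for m in members if m.strip()] or [placeholder]
    return {
        "objectclass": ["top", "groupOfUniqueNames"],
        "cn": [cn],
        "uniquemember": values,
    }


def _norm_dn(dn):
    """Cheap DN comparison key: case-fold and drop whitespace around
    separators. Not a full RFC 4517 distinguishedNameMatch."""
    return re.sub(r"\s*([,=+])\s*", r"\1", dn.strip()).lower()


def effective_members(entry, placeholder=PLACEHOLDER_MEMBER):
    """Members as the application should see them: the placeholder is
    filtered out on read so it never surfaces as a user."""
    target = _norm_dn(placeholder)
    return [m for m in entry.get("uniquemember", []) if _norm_dn(m) != target]


if __name__ == "__main__":
    blank = build_group_entry("crowd-users", members=[""])
    print(schema_violations(blank))          # the blank value is rejected
    seeded = build_group_entry("crowd-users")
    print(schema_violations(seeded), effective_members(seeded))
```

The filter in effective_members is the read-side half of the workaround the thread settles on: whichever placeholder is written, the search results must be scrubbed of it, and the comparison has to be DN-aware (case and whitespace), not a plain string equality.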

Re: adding a group without members on create

Posted by Ersin Er <er...@gmail.com>.
And, I do not think that this is a problem related to ApacheDS. If
other servers allow this then it means they are breaking the RFC. So
you may just tell people that they could change the ApacheDS schema as
a workaround.

On 5/15/07, Ersin Er <er...@gmail.com> wrote:
> Why not just try to change the schema? Change the attribute to be
> optional instead of required. BTW, it's very easy to do schema
> manipulations with ApacheDS 1.5.
>
> On 5/15/07, Justen Stepka <js...@jstepka.name> wrote:
> > The addGroup functionality in Crowd does not currently correctly
> > implement an approach to add a user to ApacheDS. The issue here is
> > that according to RFC 2256 the groupOfUniqueNames Object Class
> > requires that the uniquemember field cannot be left blank (i.e. it is a
> > required field).
> >
> > Currently our code is trying to get around this by adding a blank
> > string into this field, but ApacheDS even with this approach does not
> > allow this.
> >
> > Currently I do not have a solution beyond providing some kind of user
> > picker on the add group page, so a person can choose a member to add
> > to this group. However, we still need to take into account adding
> > groups via our SOAP interface and also via the importers.
> >
> > http://jira.atlassian.com/browse/CWD-318
> >
> > I am wondering if there is a way that we can create a group with
> > Apache DS and not have to provide any initial members for the group? If
> > I put in an empty string I then need to know to ignore the empty
> > uniquemember when processing the attributes on a search.
> >
> > Cheers,
> >
> > Justen
> >
> > --
> > Justen Stepka
> > http://www.jstepka.name/blog/
> >
>
>
> --
> Ersin
>


-- 
Ersin

Re: adding a group without members on create

Posted by Ersin Er <er...@gmail.com>.
On 5/15/07, Stefan Zoerner <st...@labeo.de> wrote:
> Alex Karasulu wrote:
> > Although reported as a ApacheDS specific issue this may just be due to
> > lack of information about the behavior of other LDAP servers.  I'm sure
> > other LDAP servers behave in the same manner when schema checking
> > is enabled.  Hence I think it is incorrect to presume this is ADS specific.
> >
> > Alex
>
> You are totally right Alex.
>
> Two examples:
> IBM Tivoli Directory Server behaves like ApacheDS (uniqueMember is a
> MUST attribute in groupOfUniqueNames, as stated in the RFC), Sun Java
> System Directory Server does not (uniqueMember is a MAY).

Oh, I was just about to give the SunDS example. So yes, this is a FAQ
and some servers prefer it to be MAY. But of course we prefer the
schema compatible one. And cn=dummy does not hurt really.

> I therefore assume that Atlassian has simply not tested Crowd with all
> relevant servers. Nice to see that ApacheDS is part of their integration
> tests.
>
> Greetings from Bremen,
>      Stefan
>
>


-- 
Ersin

Re: adding a group without members on create

Posted by Stefan Zoerner <st...@labeo.de>.
Alex Karasulu wrote:
> Although reported as a ApacheDS specific issue this may just be due to
> lack of information about the behavior of other LDAP servers.  I'm sure
> other LDAP servers behave in the same manner when schema checking
> is enabled.  Hence I think it is incorrect to presume this is ADS specific.
> 
> Alex

You are totally right Alex.

Two examples:
IBM Tivoli Directory Server behaves like ApacheDS (uniqueMember is a 
MUST attribute in groupOfUniqueNames, as stated in the RFC), Sun Java 
System Directory Server does not (uniqueMember is a MAY).

I therefore assume that Atlassian has simply not tested Crowd with all 
relevant servers. Nice to see that ApacheDS is part of their integration 
tests.

Greetings from Bremen,
     Stefan


Re: adding a group without members on create

Posted by Alex Karasulu <ak...@apache.org>.
:) heh yeah I know you're a strictly spec guy that's why I was surprised.

Although reported as a ApacheDS specific issue this may just be due to
lack of information about the behavior of other LDAP servers.  I'm sure
other LDAP servers behave in the same manner when schema checking
is enabled.  Hence I think it is incorrect to presume this is ADS specific.

Alex

On 5/15/07, Ersin Er <er...@gmail.com> wrote:
>
> On 5/15/07, Alex Karasulu <ak...@apache.org> wrote:
> > Ersin,
> >
> > I do not think this is a good idea.  This will violate the expected
> > behavior associated with this objectClass.
>
> Yes, but as this is reported as an issue specific to ApacheDS by
> Atlassian, that means this issue does not exist in other servers (or
> in some of them). So that's why I suggested it. Otherwise I never
> suggest schema violations, in fact. I am a strict spec guy :-)
>
> > The best approach is probably what
> > Stefan recommended with a dummy user or to just use the admin user
> > as the initial member.
> >
> > BTW this is what we do in Triplesec when creating various groups: use
> > the admin user DN as the initial user for a new group.
> >
> > Alex
> >
> > On 5/15/07, Ersin Er <er...@gmail.com> wrote:
> > >
> > > Why not just try to change the schema? Change the attribute to be
> > > optional instead of required. BTW, it's very easy to do schema
> > > manipulations with ApacheDS 1.5.
> > >
> > > On 5/15/07, Justen Stepka <js...@jstepka.name> wrote:
> > > > The addGroup functionality in Crowd does not currently correctly
> > > > implement an approach to add a user to ApacheDS. The issue here is
> > > > that according to RFC 2256 the groupOfUniqueNames Object Class
> > > > requires that the uniquemember field cannot be left blank (i.e. it
> > > > is a required field).
> > > >
> > > > Currently our code is trying to get around this by adding a blank
> > > > string into this field, but ApacheDS even with this approach does
> > > > not allow this.
> > > >
> > > > Currently I do not have a solution beyond providing some kind of
> > > > user picker on the add group page, so a person can choose a member
> > > > to add
> > > > to this group. However, we still need to take into account adding
> > > > groups via our SOAP interface and also via the importers.
> > > >
> > > > http://jira.atlassian.com/browse/CWD-318
> > > >
> > > > I am wondering if there is a way that we can create a group with
> > > > Apache DS and not have to provide any initial members for the group?
> > > > If I put in an empty string I then need to know to ignore the empty
> > > > uniquemember when processing the attributes on a search.
> > > >
> > > > Cheers,
> > > >
> > > > Justen
> > > >
> > > > --
> > > > Justen Stepka
> > > > http://www.jstepka.name/blog/
> > > >
> > >
> > >
> > > --
> > > Ersin
> > >
> >
>
>
> --
> Ersin
>

Re: adding a group without members on create

Posted by Ersin Er <er...@gmail.com>.
On 5/15/07, Alex Karasulu <ak...@apache.org> wrote:
> Ersin,
>
> I do not think this is a good idea.  This will violate the expected behavior
> associated with this objectClass.

Yes, but as this is reported as an issue specific to ApacheDS by
Atlassian, that means this issue does not exist in other servers (or
in some of them). So that's why I suggested it. Otherwise I never
suggest schema violations, in fact. I am a strict spec guy :-)

> The best approach is probably what
> Stefan recommended with a dummy user or to just use the admin user
> as the initial member.
>
> BTW this is what we do in Triplesec when creating various groups: use the
> admin user DN as the initial user for a new group.
>
> Alex
>
> On 5/15/07, Ersin Er <er...@gmail.com> wrote:
> >
> > Why not just try to change the schema? Change the attribute to be
> > optional instead of required. BTW, it's very easy to do schema
> > manipulations with ApacheDS 1.5.
> >
> > On 5/15/07, Justen Stepka <js...@jstepka.name> wrote:
> > > The addGroup functionality in Crowd does not currently correctly
> > > implement an approach to add a user to ApacheDS. The issue here is
> > > that according to RFC 2256 the groupOfUniqueNames Object Class
> > > requires that the uniquemember field cannot be left blank (i.e. it is a
> > > required field).
> > >
> > > Currently our code is trying to get around this by adding a blank
> > > string into this field, but ApacheDS even with this approach does not
> > > allow this.
> > >
> > > Currently I do not have a solution beyond providing some kind of user
> > > picker on the add group page, so a person can choose a member to add
> > > to this group. However, we still need to take into account adding
> > > groups via our SOAP interface and also via the importers.
> > >
> > > http://jira.atlassian.com/browse/CWD-318
> > >
> > > I am wondering if there is a way that we can create a group with
> > > Apache DS and not have to provide any initial members for the group? If
> > > I put in an empty string I then need to know to ignore the empty
> > > uniquemember when processing the attributes on a search.
> > >
> > > Cheers,
> > >
> > > Justen
> > >
> > > --
> > > Justen Stepka
> > > http://www.jstepka.name/blog/
> > >
> >
> >
> > --
> > Ersin
> >
>


-- 
Ersin

Re: adding a group without members on create

Posted by Alex Karasulu <ak...@apache.org>.
Ersin,

I do not think this is a good idea.  This will violate the expected behavior
associated with this objectClass.  The best approach is probably what
Stefan recommended with a dummy user or to just use the admin user
as the initial member.

BTW this is what we do in Triplesec when creating various groups: use the
admin user DN as the initial user for a new group.

Alex

On 5/15/07, Ersin Er <er...@gmail.com> wrote:
>
> Why not just try to change the schema? Change the attribute to be
> optional instead of required. BTW, it's very easy to do schema
> manipulations with ApacheDS 1.5.
>
> On 5/15/07, Justen Stepka <js...@jstepka.name> wrote:
> > The addGroup functionality in Crowd does not currently correctly
> > implement an approach to add a user to ApacheDS. The issue here is
> > that according to RFC 2256 the groupOfUniqueNames Object Class
> > requires that the uniquemember field cannot be left blank (i.e. it is a
> > required field).
> >
> > Currently our code is trying to get around this by adding a blank
> > string into this field, but ApacheDS even with this approach does not
> > allow this.
> >
> > Currently I do not have a solution beyond providing some kind of user
> > picker on the add group page, so a person can choose a member to add
> > to this group. However, we still need to take into account adding
> > groups via our SOAP interface and also via the importers.
> >
> > http://jira.atlassian.com/browse/CWD-318
> >
> > I am wondering if there is a way that we can create a group with
> > Apache DS and not have to provide any initial members for the group? If
> > I put in an empty string I then need to know to ignore the empty
> > uniquemember when processing the attributes on a search.
> >
> > Cheers,
> >
> > Justen
> >
> > --
> > Justen Stepka
> > http://www.jstepka.name/blog/
> >
>
>
> --
> Ersin
>

Re: adding a group without members on create

Posted by Ersin Er <er...@gmail.com>.
Why not just try to change the schema? Change the attribute to be
optional instead of required. BTW, it's very easy to do schema
manipulations with ApacheDS 1.5.

On 5/15/07, Justen Stepka <js...@jstepka.name> wrote:
> The addGroup functionality in Crowd does not currently correctly
> implement an approach to add a user to ApacheDS. The issue here is
> that according to RFC 2256 the groupOfUniqueNames Object Class
> requires that the uniquemember field cannot be left blank (i.e. it is a
> required field).
>
> Currently our code is trying to get around this by adding a blank
> string into this field, but ApacheDS even with this approach does not
> allow this.
>
> Currently I do not have a solution beyond providing some kind of user
> picker on the add group page, so a person can choose a member to add
> to this group. However, we still need to take into account adding
> groups via our SOAP interface and also via the importers.
>
> http://jira.atlassian.com/browse/CWD-318
>
> I am wondering if there is a way that we can create a group with
> Apache DS and not have to provide any initial members for the group? If
> I put in an empty string I then need to know to ignore the empty
> uniquemember when processing the attributes on a search.
>
> Cheers,
>
> Justen
>
> --
> Justen Stepka
> http://www.jstepka.name/blog/
>


-- 
Ersin