# Revision history

The RFC for the LDAP groupOfNames objects marks member as a required attribute... which means that it is an error to have an empty group. There are a few ways of dealing with this problem:

• You can modify your local LDAP schema to allow member-less groups.
• You can use a directory server -- such as 389 -- that already has this change.
• You can enable the following in your keystone configuration:

    use_dumb_member = True
    dumb_member = cn=dumb,dc=example,dc=com

This will create a dummy entry in groups to avoid the problem with memberless groups.
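
As an added illustration (not Keystone's code and not part of the original answer), the sketch below models the dummy-member approach: the `member` attribute is never left empty, and the placeholder DN is filtered out before membership is used for anything such as an authorization decision. The function names and the simplified DN normalization are assumptions.

```python
# Added illustration; not Keystone's implementation. All function names are hypothetical.
DUMB_MEMBER = "cn=dumb,dc=example,dc=com"  # value from the configuration above


def norm_dn(dn):
    """Simplified DN normalization: lowercase, trim spaces around each RDN.
    Assumption: no escaped commas; a real client should use a proper DN parser."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def new_group_attrs(cn, members=()):
    """Attributes for a new groupOfNames entry; 'member' is never empty."""
    members = list(members) or [DUMB_MEMBER]
    return {"objectClass": ["groupOfNames"], "cn": [cn], "member": members}


def add_member(attrs, dn):
    """Add dn unless an equivalent DN is already listed."""
    if norm_dn(dn) not in {norm_dn(m) for m in attrs["member"]}:
        attrs["member"].append(dn)


def remove_member(attrs, dn):
    """Remove dn; restore the placeholder if the group would become empty."""
    target = norm_dn(dn)
    if target == norm_dn(DUMB_MEMBER):
        raise ValueError("the placeholder member is not removable")
    remaining = [m for m in attrs["member"] if norm_dn(m) != target]
    attrs["member"] = remaining or [DUMB_MEMBER]


def real_members(attrs):
    """Members that count for access decisions: placeholder filtered out."""
    dumb = norm_dn(DUMB_MEMBER)
    return [m for m in attrs["member"] if norm_dn(m) != dumb]
```

The placeholder DN should not match any account that can authenticate, since it appears in the `member` attribute of every group that uses it.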
