Revision history

initial version

The RFC for the LDAP groupOfNames objects marks member as a required attribute...which means that it is an error to have an empty group. There are a few ways of dealing with this problem:

  • You can modify your local LDAP schema to allow member-less groups.
  • You can use a directory server -- such as 389 -- that already has this change.
  • You can enable the following in your keystone configuration:

    use_dumb_member = True
    dumb_member = cn=dumb,dc=example,dc=com

    This will create a dummy entry in groups to avoid the problem with memberless groups.

The RFC for the LDAP groupOfNames objects marks member as a required attribute...which means that it is an error to have an empty group. There are a few ways of dealing with this problem:

  • You can modify your local LDAP schema to allow member-less groups.
  • You can use a directory server -- such as 389 -- that already has this change.
  • You can enable the following in your keystone configuration:

    use_dumb_member = True
    dumb_member = cn=dumb,dc=example,dc=com

    This will create a dummy entry in groups to avoid the problem with memberless groups.

The RFC for the LDAP groupOfNames objects marks member as a required attribute...which means that it is an error to have an empty group. There are a few ways of dealing with this problem:

  • You can modify your local LDAP schema to allow member-less groups.
  • You can use a directory server -- such as 389 -- that already has this change.
  • You can enable the following in your keystone configuration:

    use_dumb_member = True
    dumb_member = cn=dumb,dc=example,dc=com
    

    This will create a dummy entry in groups to avoid the problem with memberless groups.
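
An added example (not part of the original answer and not keystone code): a small Python audit of an LDIF export that flags groupOfNames entries with no member, and groups whose only member is the placeholder DN from the configuration above. The sample LDIF, status labels and function names are constructed for illustration, and DN comparison is simplified.

```python
DUMB_MEMBER = "cn=dumb,dc=example,dc=com"  # dumb_member value from the config above
# Constructed sample LDIF (not taken from a real directory).
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: cn=dumb,dc=example,dc=com
member: cn=alice,ou=Users,dc=example,dc=com

dn: cn=empty,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: empty

dn: cn=placeholder,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: placeholder
member: CN=dumb, dc=example,dc=com
"""

def normalize_dn(dn):
    """Lower-case and trim each RDN (simplified: escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per blank-line-separated entry.
    Folded continuation lines are joined; base64 ('::') values are not decoded."""
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # LDIF line continuation
            elif not line.startswith("#"):     # skip comments
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        yield attrs.get("dn", [""])[0], attrs

def audit_groups(text, dumb_member=DUMB_MEMBER):
    """Return {group_dn: status} for every groupOfNames entry in the LDIF text."""
    dumb = normalize_dn(dumb_member)
    report = {}
    for dn, attrs in parse_ldif(text):
        if "groupofnames" in [v.lower() for v in attrs.get("objectclass", [])]:
            members = [normalize_dn(m) for m in attrs.get("member", [])]
            # No member violates the schema; only the placeholder means "empty".
            report[dn] = ("schema-violation" if not members else
                          "placeholder-only" if all(m == dumb for m in members) else "ok")
    return report
```

A group reported as `placeholder-only` passes schema validation but is effectively empty, so the placeholder DN should be excluded wherever group membership is counted or reviewed.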