I am working on the design of an LDAP structure that basically should hold users and groups. There should be support for nested groups (so I thought of using the groupOfNames object class), and for the users I will use inetOrgPerson. There's one extra condition though - there are groups that currently will have no members.
Thus my research shows that I may consider using groupOfEntries as the object class in my OpenLDAP instance. It's the same as groupOfNames except that the member attribute is optional (was MUST). I cannot find any official documentation that states how to deal with optional membership using the standard LDAP object classes.
I found the draft paper for groupOfEntries to IETF from 2008, but I was not able to gather any more information.
Is there an official decision if we should use this object class?
Is it present in any optional schema that could be imported into OpenLDAP?
My considerations are mostly "how well supported", "how secure" and "how official" the use of this object class is considered to be. I would like to hear some opinions on the matter; any suggested alternatives will also be appreciated. Thanks for your time!