LDAP haters guide to groups

Have you ever wondered how exactly LDAP groups work? Well, I did last week and here are my findings...

LDAP for Rocket Scientists description of LDAP groups was first one around which I can wrap my mind. However, it has small error so I will reproduce corrected version here:

# LDIF fragment to create group branch under root

dn: ou=groups,dc=example,dc=com
ou: groups
description: generic groups branch

# create the itpeople entry

dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
# add the group members all of which are 
# assumed to exist under people
member: cn=road runner,ou=people,dc=example,dc=com
member: cn=micky mouse,ou=people,dc=example,dc=com
Ok, so we need to make two objects in LDAP directory to create single group.
But, where did groupofnames came from?

Warning: rant ahead! I had idea that whole point of very strict schema checking in LDAP is to have single way of defining entities in directory. Did we got there? Let's see data from IBM Technote:

server person group
objectclassnameunique objectclass member attribute nameunique
Lotus Domino LDAP Directory organizationalPerson cn mail groupOfNames member cn description
Netscape Directory Server organizationalPerson cn mail groupOfUniqueNames uniquemember cn description
Microsoft Exchange 5.5 organizationalPerson cn mail groupOfNames member cn description
Microsoft Active Directory organizationalPerson userPrincipalName cn group member cn description

Right... I can clearly see why strict LDAP schema was good idea.