Setting Up Dynamic Groups
To use dynamic groups, you need to do the following:
- Enable dynamic groups in the DSA.
- Create a dynamic group entry.
- Add members to the dynamic group.
You can then do one or both of the following:
- Create an application role.
- Set up dynamic directory roles.
Enable Dynamic Groups
Dynamic groups are based on the dxMemberURL attribute of the following auxiliary object classes:
- dxDynamicGroupOfNames
- dxDynamicGroupOfUniqueNames
You add these object classes to a groupOfNames or groupOfUniqueNames entry respectively so that the entry can include dxMemberURL.
To enable dynamic groups
- Stop the DSA.
- Add the following commands to the DSA's settings:

      clear dynamic-group;
      set dynamic-group [tag] = { objectclass = object-class url-attr = attribute member-attr = attribute };

  Here objectclass names the object class that marks an entry as a dynamic group, url-attr names the attribute that holds the group's LDAP search URL, and member-attr names the attribute to which the DSA appends the evaluated members when the group is read. For example:

      set dynamic-group GROUP = { objectclass = dxDynamicGroupOfNames url-attr = dxMemberURL member-attr = member };
- Start the DSA.
- Ensure that the DIT contains a subtree in which you can store the group entries. With the optional [subtree = DN] parameter you can also name the dynamic-group subtree that the DSA inspects for a given baseObject, narrowing the search to that subtree only. This supports dynamic group membership search and compare requests without requiring set use-dynamic-roles = true;. For instance, the examples in this section use the following subtree:

      c=AU,o=Democorp,ou=Groups
Create a Dynamic Group
Because a dynamic group is a directory entry, you can create a dynamic group without stopping the DSA.
You should create a special subtree for group entries. This helps you implement roles later.
To create a dynamic group entry
- (Optional) Create a new subtree for group entries, if none exists yet.
- Create an entry in the groups subtree with the following information:
- Object class: groupOfNames, together with the dxDynamicGroupOfNames auxiliary class so that the entry can carry dxMemberURL.
- LDAP search URL: the URL (base DN, scope and filter) that selects the members. Store it in the dxMemberURL attribute.
Add a Member to a Dynamic Group
To add a member to a dynamic group, you do not edit the group entry. Instead, you add information to the user's entry so that the user satisfies the search URL of that group. Because membership is derived from the user's attributes, anyone who can write the attribute named in the filter can change the group's membership, so restrict write access to that attribute as carefully as you would to the group itself.
Example: Create a manager Group
You have created a dynamic group whose dxMemberURL contains the following search URL, with the filter (position=manager):

      ldap://o=user,c=AU??sub?(position=manager)
To add a user to the manager group, do the following:
- Add the position attribute to the user's entry.
- Add the manager value to the position attribute.
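The procedure in this section (a set dynamic-group definition naming the object class, URL attribute and member attribute; a group entry carrying dxMemberURL; and a user joining the manager group by acquiring position=manager) carried through as an added example in Python. This is not CA Directory code: it is an offline model of what the DSA does when it evaluates a dynamic group, written for this page. The DIT, the DNs (the groups subtree written in LDAP order as ou=Groups,o=Democorp,c=AU) and the user entries are constructed, and the filter evaluator supports only equality, presence and the &, | and ! operators.

```python
"""Offline model of dynamic-group evaluation (added example, not CA Directory code).
It mirrors a `set dynamic-group` definition (objectclass, url-attr, member-attr),
parses the LDAP URL held in dxMemberURL and computes which entries satisfy its
base, scope and filter. The DIT is constructed; attribute keys are lowercase."""
from urllib.parse import unquote

# Mirrors: set dynamic-group GROUP = { objectclass = dxDynamicGroupOfNames url-attr = dxMemberURL member-attr = member };
DYNAMIC_GROUP_CONFIG = {"objectclass": "dxDynamicGroupOfNames",
                        "url-attr": "dxMemberURL", "member-attr": "member"}


def sample_dit():
    """Constructed DIT: one dynamic group and three users (only Alice is a manager under o=user,c=AU)."""
    return {
        "cn=manager,ou=Groups,o=Democorp,c=AU": {
            "objectclass": ["top", "groupOfNames", "dxDynamicGroupOfNames"],
            "cn": ["manager"],
            "dxmemberurl": ["ldap://o=user,c=AU??sub?(position=manager)"]},
        "cn=Alice,o=user,c=AU": {"cn": ["Alice"], "position": ["manager"]},
        "cn=Bob,o=user,c=AU": {"cn": ["Bob"], "position": ["engineer"]},
        # Carol is a manager but outside the URL's base DN, so never a member.
        "cn=Carol,o=other,c=AU": {"cn": ["Carol"], "position": ["manager"]},
    }


def parse_member_url(url):
    """Split an LDAP URL into (base DN, scope, filter). Accepts the page's
    ldap://dn??scope?filter form (DN in the host position) and RFC 4516's
    ldap://host/dn?attrs?scope?filter."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    parts = url[len("ldap://"):].split("?")
    base = unquote(parts[0].split("/", 1)[1] if "/" in parts[0] else parts[0])
    scope = (parts[2] if len(parts) > 2 and parts[2] else "base").lower()
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unsupported scope %r" % scope)
    return base, scope, filt


def in_scope(dn, base, scope):
    """True if dn lies within base for scope base/one/sub (case-folded RDNs; escaped commas not handled)."""
    dn, base = (",".join(r.strip().lower() for r in x.split(",")) for x in (dn, base))
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]


def _split_filters(s):
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nesting."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            start, depth = (i if depth == 0 else start), depth + 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(s[start:i + 1])
    if depth:
        raise ValueError("unbalanced filter: %r" % s)
    return out


def match_filter(filt, entry):
    """Evaluate a minimal RFC 4515 filter (equality, presence, &, |, !) against
    one entry; attribute names and values compare case-insensitively."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [match_filter(sub, entry) for sub in _split_filters(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def evaluate_dynamic_groups(dit, config=DYNAMIC_GROUP_CONFIG, subtree=None):
    """Return {group DN: sorted member DNs} for every entry carrying the configured
    object class; subtree mirrors the optional [subtree = DN] parameter."""
    group_oc, url_attr = config["objectclass"].lower(), config["url-attr"].lower()
    result = {}
    for gdn, gentry in dit.items():
        if group_oc not in [oc.lower() for oc in gentry.get("objectclass", [])]:
            continue
        if subtree is not None and not in_scope(gdn, subtree, "sub"):
            continue
        members = set()
        for url in gentry.get(url_attr, []):
            base, scope, filt = parse_member_url(url)
            members.update(dn for dn, e in dit.items() if dn != gdn
                           and in_scope(dn, base, scope) and match_filter(filt, e))
        result[gdn] = sorted(members)
    return result


def render_group(dit, gdn, config=DYNAMIC_GROUP_CONFIG):
    """The group as a client reads it: stored attributes plus the evaluated members
    appended under member-attr ("Member to Append" in get dynamic-groups output)."""
    entry = {attr: list(vals) for attr, vals in dit[gdn].items()}
    entry.setdefault(config["member-attr"].lower(), []).extend(
        evaluate_dynamic_groups(dit, config)[gdn])
    return entry
```

Calling evaluate_dynamic_groups(sample_dit()) returns Alice as the only member of cn=manager,ou=Groups,o=Democorp,c=AU; appending "manager" to Bob's position list and calling it again returns Bob as well, which is the Add a Member step above in miniature. The model also makes the access-control point concrete: whoever can set position=manager on any entry under o=user,c=AU is in the manager group on the next evaluation, so the write ACL on that attribute is effectively the group's membership ACL.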
The next time that the manager group is evaluated, this user is a member of the group.

View a Dynamic Group's Configuration
To view the dynamic group configuration in use in a DSA, use the following command from the DSA console:
get dynamic-groups;
This produces a list of dynamic groups in use.
Example: Output from the get dynamic-groups Command
      ************** GROUP **************
      Group object class : dxDynamicGroupOfNames
      Group Search URL   : dxMemberURL
      Member to Append   : member

The three fields correspond to the objectclass, url-attr and member-attr parameters of the set dynamic-group command.