Setting Up Dynamic Groups

To use dynamic groups, follow these steps:
  1. Enable dynamic groups in the DSA configuration.
  2. Create a dynamic group entry.
  3. Add members to the dynamic group.
    You can then do one or both of the following actions:
    • Create an application role.
    • Set up dynamic directory roles.
Enable Dynamic Groups
Dynamic groups are based on the dxMemberURL attribute of the following auxiliary object classes:
  • dxDynamicGroupOfNames
  • dxDynamicGroupOfUniqueNames
Add dxDynamicGroupOfNames to a groupOfNames entry, or dxDynamicGroupOfUniqueNames to a groupOfUniqueNames entry, so that the entry can include dxMemberURL. The dxserver supports at most 16334 characters in the dxMemberURL attribute.
A common misconception is that groupOfUniqueNames is chosen over groupOfNames to ensure that member values are unique. Both groupOfNames and groupOfUniqueNames ensure that member values are unique. The difference is that for groupOfUniqueNames the uniqueMember attribute uses a different syntax, nameAndOptionalUID. This syntax is supported to assist customers who are moving an existing X.500 deployment to CA Directory: in that scenario, two entries can exist in the directory information tree with the same DN and are differentiated by a unique identifier. For pure LDAP deployments, where the UID part of the nameAndOptionalUID syntax is not used, use groupOfNames with member, as it is functionally the same.
 
Follow these steps:

  1. Stop the DSA.
  2. Add the following commands to the DSA settings:
    clear dynamic-group;
    set dynamic-group [tag] = { subtree = DN objectclass = objectClass url-attr = attribute member-attr = attribute };
    For example:
    clear dynamic-group; # allows the command to be reloaded on dxserver init
    set dynamic-group GROUP = { subtree = <c AU><o Democorp><ou Groups> objectclass = dxDynamicGroupOfNames url-attr = dxMemberURL member-attr = member };
  3. Start the DSA.
  4. Ensure that the DIT contains a subtree in which you can store the group entries, for example:
    ou=Groups,o=Democorp,c=AU
    The subtree = DN parameter specifies the dynamic-group subtree that the DSA inspects for the baseObject of each request it receives, which narrows the search to that subtree alone. With this parameter set, dynamic group membership search and compare requests work without requiring the
    set use-dynamic-roles = true;
    command.
Create a Dynamic Group
As a dynamic group is a directory entry, you can create a dynamic group without stopping the DSA.
Create a special subtree for group entries. This step helps you implement access controls and roles later.
 
Follow these steps:
 
  1. (Optional) If a subtree does not exist, create a subtree for group entries.
  2. Create an entry in the groups subtree with the following information:
    • Object classes: groupOfNames (structural) and dxDynamicGroupOfNames (auxiliary).
    • LDAP search filter: an LDAP URL that carries the filter, stored in the dxMemberURL attribute.
 
Example: Create a Dynamic Group Entry for Managers

Create a dynamic group subtree and a dynamic group entry for users in a Manager role (lines beginning with # are comments):
dn: ou=Groups,o=Democorp,c=AU
objectClass: organizationalUnit
ou: Groups

dn: cn=Managers,ou=Groups,o=Democorp,c=AU
# structural objectClass that contains member
objectClass: groupOfNames
# auxiliary objectClass that contains dxMemberURL
objectClass: dxDynamicGroupOfNames
cn: Managers
dxMemberURL: ldap:///ou=Users,o=Democorp,c=AU??sub?(position=Manager)
Add a Member to a Dynamic Group
To add a member to a dynamic group, include information in the user's entry so that the filter for that role is satisfied.
 
Example: Add a User Craig Link to the Managers Group

You have created a dynamic group that uses the following URL:
ldap:///ou=Users,o=Democorp,c=AU??sub?(position=Manager)
To make a user a member of the Managers group, use the following steps:
  1. Add the position attribute to the entry for the user.
  2. Set the value of the position attribute to Manager.
The next time that the Managers group is evaluated, this user is a member of the group.
dn: cn=Craig Link,ou=Users,o=Democorp,c=AU
objectClass: inetOrgPerson
cn: Craig Link
surname: Link
position: Manager
Exclude a Member from a Dynamic Group
You can manually prevent specific values from being populated into the member attribute of a dynamic group. Sometimes the member attribute is populated with an unwanted value because the underlying user data matches the dynamic group LDAP URL, and that data cannot be changed. Such values can be excluded manually using the dxExcludeMember attribute of the dynamic group.
 
Example: Exclude the User Joe Bloggs from the Administrators Group

Consider a user whose job title outside the directory is Administrator (title=Administrator). The same attribute also drives directory roles, and this user should not receive administrator privileges in the directory.
If we have the following dynamic group:
dn: cn=Administrators,ou=Groups,o=Democorp,c=AU
objectClass: groupOfNames
objectClass: dxDynamicGroupOfNames
cn: Administrators
dxMemberURL: ldap:///ou=Users,o=Democorp,c=AU??sub?(title=Administrator)
The group has the following user that satisfies the dxMemberURL:
dn: cn=Joe Bloggs,ou=Users,o=Democorp,c=AU
objectClass: inetOrgPerson
cn: Joe Bloggs
surname: Bloggs
title: Administrator
You can exclude the user from the dynamic group while retaining the title attribute value by making the following change to the dynamic group:
dn: cn=Administrators,ou=Groups,o=Democorp,c=AU
objectClass: groupOfNames
objectClass: dxDynamicGroupOfNames
cn: Administrators
dxMemberURL: ldap:///ou=Users,o=Democorp,c=AU??sub?(title=Administrator)
dxExcludeMember: cn=Joe Bloggs,ou=Users,o=Democorp,c=AU
Excluding a member from a dynamic group membership impacts the following operations involving a dynamic group:
  • Membership lookups: If you exclude a member, searching the dynamic group subtree with a filter containing member=<DN> for that member returns no results.
  • Role lookups: If the member is explicitly excluded, loading roles when the user binds to a DSA is affected; the roles the member is excluded from are no longer loaded. (Requires set use-dynamic-roles = true;.)
  • Dynamic group expansion: Returning a dynamic group using a base-object-only search that returns all attributes does not include the excluded member in the values of the member attribute.
  • A limitation exists when returning a dynamic group using a base-object-only search. If a return attribute list is specified, the list must contain at least objectClass, dxMemberURL and dxExcludeMember for the member attribute to be correctly populated.
  • If you use dxDynamicGroupOfUniqueNames, configure the dynamic group to use the dxExcludeUniqueMember attribute.
  • If you add a large number of values (more than 100) to dxExcludeMember, you might need to rework the dynamic group configuration. This feature is meant for exceptions, not the rule.
  • For hybrid groups (containing both static and dynamic members), a static member is also excluded if it is listed in dxExcludeMember. Ideally, the static member value should be removed explicitly instead.
  • For static groups, dxExcludeMember is not used. If a static member value is no longer required, simply remove it.
View Configuration of a Dynamic Group
To view the dynamic group configuration in use in a DSA, use the following command from the DSA console:
get dynamic-groups;
This command produces a list of dynamic groups in use.
 
Example: Output from the get dynamic-groups Command
 
************** GROUP **************
Group object class : dxDynamicGroupOfNames
Group Search URL   : dxMemberURL
Member to Append   : member
Member to Exclude  : dxExcludeMember