Setting Up Dynamic Groups
To use dynamic groups, follow these steps:
- Enable dynamic groups.
- Create a dynamic group.
- Add members to the dynamic group.
You can then do one or both of the following actions:
- Create an application role.
- Set up dynamic directory roles.
You can also exclude a member from a dynamic group.
Enable Dynamic Groups
Dynamic roles are based on the dxMemberURL attribute of the following object classes:
- dxDynamicGroupOfNames
- dxDynamicGroupOfUniqueNames
These are auxiliary object classes: you add dxDynamicGroupOfNames to an entry of the groupOfNames object class, or dxDynamicGroupOfUniqueNames to an entry of the groupOfUniqueNames object class, so that dxMemberURL can be included. The dxserver supports no more than 16334 characters for the dxMemberURL attribute.
A common misconception is that groupOfUniqueNames is chosen over groupOfNames to ensure that member values are unique. Both the groupOfNames and groupOfUniqueNames object classes ensure that member values are unique. For groupOfUniqueNames, the uniqueMember attribute defines a different syntax, nameAndOptionalUID. This support is included to assist customers in moving from an existing X.500 deployment to CA Directory. In this scenario, two entries can exist in the directory information tree with the same DN, differentiated by a unique identifier. For pure LDAP deployments where the UID part of the nameAndOptionalUID syntax is not used, use groupOfNames/member, as it is functionally the same.
Follow these steps:
- Stop the DSA.
- Add the following commands to the DSA settings:

      clear dynamic-group;
      set dynamic-group [tag] = {
          subtree = DN
          object-class = objectClass
          url-attr = attribute
          member-attr = attribute
      };

  For example:

      clear dynamic-group;   # to allow command to be reloaded on dxserver init
      set dynamic-group GROUP = {
          subtree = <c AU><o Democorp><ou Groups>
          objectclass = dxDynamicGroupOfNames
          url-attr = dxMemberURL
          member-attr = member
      };
- Start the DSA.
- Ensure that the DIT contains a subtree in which you can store the group entries. Using the [subtree = DN] parameter, you can also specify the dynamic-group subtree to inspect for the baseObject of each request that the DSA receives. This parameter narrows the search to only that subtree, and it lets the DSA serve dynamic group membership search and compare requests without requiring the set use-dynamic-roles = true; command. For instance, the examples use the following subtree:

      ou=Groups,o=Democorp,c=AU
Create a Dynamic Group
As a dynamic group is a directory entry, you can create a dynamic group without stopping the DSA.
Create a special subtree for group entries. This step helps you implement access controls and roles later.
Follow these steps:
- (Optional) If a subtree does not exist, create a subtree for group entries.
- Create an entry in the groups subtree with the following information:
- Object class: groupOfNames, dxDynamicGroupOfNames
- LDAP search filter: Include this filter in the dxMemberURL attribute.
Example: Create a Dynamic Group Entry for Managers
Create a dynamic group subtree and a dynamic group entry for users in a Manager role.

    dn: ou=Groups,o=Democorp,c=AU
    objectClass: organizationalUnit
    ou: Groups

    dn: cn=Managers,ou=Groups,o=Democorp,c=AU
    # structural objectClass that contains member
    objectClass: groupOfNames
    # auxiliary objectClass that contains dxMemberURL
    objectClass: dxDynamicGroupOfNames
    cn: Managers
    dxMemberURL: ldap://ou=Users,o=Democorp,c=AU??sub?(position=Manager)
Add a Member to a Dynamic Group
To add a member to a dynamic group, include information in the user's entry so that the filter for that role is satisfied.
Example: Add the User Craig Link to the Managers Group
You have created a dynamic group that uses the following filter:

    ldap://ou=Users,o=Democorp,c=AU??sub?(position=Manager)

To assign the Managers group to a user, use the following steps:
- Add the position attribute to the entry for the user.
- Add the Manager value to the position attribute.
The next time that the Managers group is evaluated, this user will be a member of the group.

    dn: cn=Craig Link,ou=Users,o=Democorp,c=AU
    objectClass: inetOrgPerson
    cn: Craig Link
    surname: Link
    position: Manager
Exclude a Member from a Dynamic Group
You can manually prevent particular values from populating the member attribute of a dynamic group. Sometimes the member attribute is populated with unwanted values because the underlying data, which cannot be changed, causes an entry to match the dynamic group LDAP URL. These values can be manually excluded using the dxExcludeMember attribute of dynamic groups.
Example: Exclude the User Joe Bloggs from the Administrators Group
Consider a user who is an administrator outside the directory (title=Administrator). That same attribute value also matches directory roles for which the user should not have administrator privileges.
If we have the following dynamic group:

    dn: cn=Administrators,ou=Groups,o=Democorp,c=AU
    objectClass: groupOfNames
    objectClass: dxDynamicGroupOfNames
    cn: Administrators
    dxMemberURL: ldap:///ou=Users,o=Democorp,c=AU??sub?(title=Administrator)

The group has the following user that satisfies the dxMemberURL:

    dn: cn=Joe Bloggs,ou=Users,o=Democorp,c=AU
    objectClass: inetOrgPerson
    cn: Joe Bloggs
    surname: Bloggs
    title: Administrator

You can exclude the user from the dynamic group, but retain the title attribute value, by making the following change to the dynamic group:

    dn: cn=Administrators,ou=Groups,o=Democorp,c=AU
    objectClass: groupOfNames
    objectClass: dxDynamicGroupOfNames
    cn: Administrators
    dxMemberURL: ldap:///ou=Users,o=Democorp,c=AU??sub?(title=Administrator)
    dxExcludeMember: cn=Joe Bloggs,ou=Users,o=Democorp,c=AU
Excluding a member from a dynamic group membership impacts the following operations involving a dynamic group:
- Membership Lookups: If you exclude a member, searching the dynamic group subtree with a filter containing member=<DN> will not return any results.
- Role Lookups: If the member is explicitly excluded, loading roles when a user binds to a DSA is affected. The roles the member is excluded from are no longer loaded. (Requires set use-dynamic-roles = true;)
- Dynamic group expansion: Returning a dynamic group using a base-object-only search that returns all attributes does not include the excluded member in the member attribute's value list.
- A limitation exists when returning a dynamic group using a base-object-only search. If a return attribute list is specified, then the list must contain at least objectClass, dxMemberURL and also dxExcludeMember for the member attribute to be correctly populated.
- If you use dxDynamicGroupOfUniqueNames, then configure the dynamic group to use the dxExcludeUniqueMember attribute.
- If you add a large number of values (> 100) to dxExcludeMember, then you might need to rework the dynamic group entry configuration. This feature is meant for the exceptions, not the rule.
- For hybrid groups (containing both static and dynamic members), a static member is excluded if listed in dxExcludeMember. Ideally, the static member value should be explicitly removed instead.
- For static groups, dxExcludeMember is not used. If the static member value is no longer required, it can simply be removed.
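The Create, Add a Member and Exclude a Member sections above describe how the DSA derives a dynamic group's members: it parses the LDAP URL in dxMemberURL, evaluates its filter over entries within the URL's base and scope, then drops anything listed in dxExcludeMember. The Python below is an added example written for this page, not CA Directory product code: it models that derivation in memory so the behaviour of the examples (Managers, Administrators, the Joe Bloggs exclusion, hybrid groups and the 16334-character dxMemberURL limit) can be checked offline. The dict-based entry layout, the function names and the Democorp-style sample entries are this example's own constructions; the real dxserver supports a fuller filter dialect and matching rules than the equality/presence/and/or/not subset handled here.

```python
"""Added example, not CA Directory product code: an in-memory model of how a
dynamic group's members follow from dxMemberURL (base DN, scope, filter) and
are trimmed by dxExcludeMember.  Entries are dicts of lower-case attribute
names to value lists (this example's own convention); all data is constructed."""
from urllib.parse import unquote

DXMEMBERURL_MAX = 16334  # dxserver limit stated in the documentation

def norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison form."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter). Accepts both
    spellings used on the page: ldap://<dn>?... and ldap:///<dn>?..."""
    if len(url) > DXMEMBERURL_MAX:
        raise ValueError("dxMemberURL longer than %d characters" % DXMEMBERURL_MAX)
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    rest = url[len("ldap://"):]
    if rest.startswith("/"):
        rest = rest[1:]                      # ldap:///dn: empty host part
    elif "/" in rest.split("?", 1)[0]:
        rest = rest.split("/", 1)[1]         # ldap://host/dn: drop the host
    fields = (rest.split("?") + ["", "", ""])[:4]
    scope = (fields[2] or "base").lower()    # RFC 4516 default scope is base
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return unquote(fields[0]), scope, unquote(fields[3]) or "(objectClass=*)"

def in_scope(dn, base, scope):
    """True when dn lies inside the search scope rooted at base."""
    dn, base = norm_dn(dn), norm_dn(base)
    if dn == base:
        return scope != "one"
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]  # one = direct child

def parse_filter(text):
    """Parse the RFC 4515 subset the page uses: (&..) (|..) (!..) (a=v) (a=*)."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|!":
            op, subs, i = text[i], [], i + 1
            while text[i] == "(":
                sub, i = node(i)
                subs.append(sub)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, subs), i + 1
        j = text.index(")", i)
        attr, _, value = text[i:j].partition("=")
        return ("=", attr.strip().lower(), value), j + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(t, entry) for t in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    values, wanted = entry.get(tree[1], []), tree[2]
    return bool(values) if wanted == "*" else any(v.lower() == wanted.lower() for v in values)

def expand_group(group, directory):
    """Member list a base-object read of the group would show: static 'member'
    values first (hybrid groups), then URL matches, minus dxExcludeMember."""
    excluded = {norm_dn(d) for d in group.get("dxexcludemember", [])}
    candidates = list(group.get("member", []))
    for url in group.get("dxmemberurl", []):
        base, scope, filt = parse_member_url(url)
        tree = parse_filter(filt)
        candidates += [e["dn"] for e in directory
                       if in_scope(e["dn"], base, scope) and matches(tree, e)]
    seen, members = set(), []
    for dn in candidates:
        key = norm_dn(dn)
        if key not in excluded and key not in seen:
            seen.add(key)
            members.append(dn)
    return members

def is_member(group, dn, directory):
    """Outcome of a member=<DN> search or compare: excluded DNs never match."""
    return norm_dn(dn) in {norm_dn(m) for m in expand_group(group, directory)}

# Constructed sample data mirroring the page's Democorp examples.
USERS = [
    {"dn": "cn=Craig Link,ou=Users,o=Democorp,c=AU", "surname": ["Link"], "position": ["Manager"]},
    {"dn": "cn=Jane Doe,ou=Users,o=Democorp,c=AU", "surname": ["Doe"], "position": ["Engineer"]},
    {"dn": "cn=Joe Bloggs,ou=Users,o=Democorp,c=AU", "surname": ["Bloggs"], "title": ["Administrator"]},
    {"dn": "cn=Ann Admin,ou=Users,o=Democorp,c=AU", "surname": ["Admin"], "title": ["Administrator"]},
]
MANAGERS = {"dn": "cn=Managers,ou=Groups,o=Democorp,c=AU",
            "dxmemberurl": ["ldap://ou=Users,o=Democorp,c=AU??sub?(position=Manager)"]}
ADMINISTRATORS = {"dn": "cn=Administrators,ou=Groups,o=Democorp,c=AU",
                  "dxmemberurl": ["ldap:///ou=Users,o=Democorp,c=AU??sub?(title=Administrator)"],
                  "dxexcludemember": ["cn=Joe Bloggs,ou=Users,o=Democorp,c=AU"]}
```

Calling expand_group(MANAGERS, USERS) yields only Craig Link, and expand_group(ADMINISTRATORS, USERS) yields Ann Admin but not Joe Bloggs, even though his title still matches the filter; is_member mirrors the "Membership Lookups" bullet, since a member=<DN> lookup for an excluded DN finds nothing. A group carrying both a static member value and a dxExcludeMember entry for the same DN shows the hybrid-group behaviour from the list above: the static value is suppressed rather than removed. The filter parser deliberately stops at the subset the page's examples need (no escaped parentheses, substring or extensible matches), so treat it as a model of the rules rather than a drop-in validator for arbitrary dxMemberURL values.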
View Configuration of a Dynamic Group
To view the dynamic group configuration in use in a DSA, use the following command from the DSA console:
get dynamic-groups;
This command produces a list of dynamic groups in use.
Example: Output from the get dynamic-groups Command
************** GROUP **************
Group object class : dxDynamicGroupsOfNames
Group Search URL : dxMemberURL
Member to Append : member
Member to Exclude : dxExcludeMember