Oracle® Internet Directory Administrator's Guide, 10g Release 2 (10.1.2) B14082-02
This chapter explains how to administer both static and dynamic groups in Oracle Internet Directory.
Oracle Internet Directory enables you to assign and manage membership in two types of groups, namely static groups and dynamic groups. Each type of group is suited to a different purpose.
A static group is one whose entry contains a list of members that you explicitly administer.
A static group requires you to explicitly administer its membership. For example, if a member's name changes, then you must update that user's DN in every group to which the member belongs. For this reason, a static group is best suited to a group whose membership changes infrequently. Moreover, because a static group stores a list of member DNs, its footprint in the directory grows with the membership list, so it is best suited to a group whose membership list is relatively small.
When you create the entry for this kind of group, you associate it with either the groupOfNames or groupOfUniqueNames object class.
Each of these object classes has a multivalued attribute for storing the names of group members. To assign a user as a member of a group, you add the DN of each member to the respective multivalued attribute. Conversely, to remove a member from a group, you delete the member's DN from the respective attribute. In the groupOfNames object class, this multivalued attribute is member, and, in the groupOfUniqueNames object class, it is uniqueMember.
A dynamic group is one whose membership, rather than being maintained in a list, is computed on the fly, based on rules and assertions you specify. For example, suppose that you want to send an e-mail to all users in the ou=americas naming context. To do this, you create a dynamic group in which you specify ou=americas as the naming context of interest. You further specify that you want only e-mail addresses returned. When the e-mail application queries the directory for that particular group, the directory server computes the membership dynamically and returns the corresponding list of e-mail addresses.
To use another example, suppose you want to send an e-mail to all employees who report to a manager named Anne Smith. In this case, you do not specify a naming context, as in the previous example. Instead, you create a dynamic group specifying that you want to retrieve the e-mail addresses of all employees reporting to Anne Smith. As in the previous example, when the e-mail application queries the directory for that particular group, the directory server computes the membership dynamically and returns the corresponding list of e-mail addresses.
Note: In this example, the e-mail application specifies that the directory server is to read specific attributes of the members rather than the membership list. It does this by passing the control 2.16.840.1.113894.1.8.5. Also, when querying for the groups that a user belongs to, the application can direct that dynamic groups, in addition to static groups, be queried. For this to happen, it passes the control 2.16.840.1.113894.1.8.7. If this control is not passed, then only static groups are queried. For more information on controls used by Oracle Internet Directory, see "About LDAP Controls" in Oracle Identity Management User Reference.
When you create a dynamic group, you begin as when creating a static group, that is, you associate its entry with either the groupOfNames or groupOfUniqueNames object class. You then associate that object class with the auxiliary object class orclDynamicGroup. This auxiliary object class has various attributes in which you specify one of two methods for dynamically computing the membership of the group.
The two methods are:
Using the labeledURI attribute
When using this method, the directory server performs a typical search based on the hierarchy of the DIT. It requires you to provide a value for one of the attributes of the orclDynamicGroup object class, namely labeledURI. In this attribute, you specify the base of the query, the filters, and any required attributes, written in the LDAP URL format of RFC 2255. For example, suppose that you have entered the following value for the labeledURI attribute:
labeledURI: ldap://host/ou=NewUnit,o=MyCompany,c=US??sub?(objectclass=person)
This URL names ou=NewUnit,o=MyCompany,c=US as the search base, requests all attributes (the attribute list between the first two question marks is empty), uses subtree scope (sub), and applies the filter (objectclass=person). When you use this method, a search for the group entry returns the entries of all members of the group.
Do not set orclConnectByAttribute or orclConnectByStartingValue when using the labeledURI attribute method.
See Also: "The LDAP URL Format" (RFC 2255), T. Howes and M. Smith, December 1997. This RFC describes how LDAP URLs are to be represented, as, for example, in the labeledURI attribute. It is available on the World Wide Web at http://www.ietf.org.
Using the CONNECT BY assertion
Unlike the previous method, this method relies not on the hierarchy of the DIT, but on attributes that implicitly connect entries to each other, regardless of their location in the DIT. For example, the manager attribute connects the entries of employees with those of their managers, and this connection applies regardless of the location of the employee entries in the DIT. This method uses a CONNECT BY clause in which you specify the attribute to use for building the hierarchy, for example, manager, and the starting value for that hierarchy, for example, cn=Anne Smith.
More specifically, to use this method, you specify in the orclDynamicGroup object class a value for each of the single-valued attributes in Table 9-1.
Table 9-1 orclDynamicGroup Attributes for "Connect By" Assertions
Attribute | Description
---|---
orclConnectByAttribute | The attribute that you want to use as the filter for the query, for example, manager
orclConnectByStartingValue | The DN that is the starting value of the hierarchy, that is, the value of the attribute named in orclConnectByAttribute at which the directory server begins computing membership, for example, cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US
Do not set labeledURI when using the CONNECT BY assertion method.
For example, to retrieve the entries of all employees who report to Anne Smith in MyOrganizationalUnit in the Americas, you would provide values for these attributes as follows:
orclConnectByAttribute: manager
orclConnectByStartingValue: cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US
You can also develop an application specifying that you want the values of a particular attribute, for example, the email attribute, of all the members.
See Also: Oracle Identity Management Application Developer's Guide for more information about how to develop applications that retrieve values for particular attributes.
This version of Oracle Internet Directory does not support the use of dynamic groups in access control lists. You cannot associate dynamic groups with either the orclACPgroup or the orclPrivilegeGroup object class.
When querying a dynamic group for required attributes of its members, this release supports reading the attributes only of members that are not explicitly listed in the membership list. Also, in this case, an ldapsearch filter based on membership, that is, on member or uniqueMember, cannot be applied to the dynamic group object.
The hierarchical group resolution query works only for static groups. If a dynamic group is a member of a static group, then the query to resolve the entire hierarchy of the groups does not evaluate the dynamic group. Thus, if a static Group A is a member of another static Group B, which in turn is a member of static Group C, then the query to compute all the groups that a user is a member of (assuming the user is a member of static Group A) correctly returns groups A, B, and C. However, if Group C is a dynamic group, then the same query returns only Groups A and B.
The CONNECT BY query to resolve implicit hierarchies works only with the equality filter. The base of the search is not used while executing this kind of query.
Hierarchies can be either explicit or implicit.
In explicit hierarchies, the relationship is determined by the location of the entry in the DIT—for example, Group A may reside higher in the DIT than Group B.
In implicit hierarchies, the relationship between entries is determined not by the location in the DIT, but by the values of certain attributes. For example, suppose that you have a DIT in which the entry for John Doe is at the same level of the hierarchy as Anne Smith. However, suppose that, in the entry for John Doe, the manager attribute specifies Anne Smith as his manager. In this case, although their locations in the DIT are at an equal level, their rankings in the hierarchy are unequal because Anne Smith is specified as John Doe's manager.
Note: If you create a hierarchical group, be sure that it is truly hierarchical. For example, in a true hierarchy, Group A can be a member of Group B, but Group B cannot at the same time be a member of Group A. Because the latter relationship is cyclical, a search for the members of Group A fails. In a query based on an implicit hierarchy, the client can specify in the search request the control 2.16.840.1.113894.1.8.3. The filter in this query specifies the attribute used to build the implicit hierarchy. For example, For more information on controls used by Oracle Internet Directory, see "About LDAP Controls" in Oracle Identity Management User Reference.
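The following is an added example, not code from the Oracle guide or from Oracle Internet Directory. It serves both the CONNECT BY example above (orclConnectByAttribute set to manager, orclConnectByStartingValue set to Anne Smith's DN) and the Note on cyclic hierarchies: it resolves the implicit hierarchy from a starting DN by following only equality matches on the connecting attribute, ignores where the entries sit in the DIT, and refuses to loop when the data is cyclical. The sample entries, the cyclic entries and the function names are assumptions made for this illustration; DN comparison is simplified to case- and whitespace-insensitive matching.

```python
"""Added example, not code from the Oracle guide: resolve the implicit
hierarchy that a CONNECT BY dynamic group describes with
orclConnectByAttribute and orclConnectByStartingValue, over a constructed
in-memory directory.  Only the equality match is applied, the location of
entries in the DIT is ignored, and a cyclic hierarchy is reported as an error
instead of looping.  Entries and function names are assumptions."""


def norm_dn(dn):
    """Case- and whitespace-insensitive DN key (simplified; no RFC 4514 escaping)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed sample directory.  Jane sits in another OU, which is irrelevant
# to a CONNECT BY group; Bob reports to someone outside the hierarchy.
SAMPLE_ENTRIES = {
    "cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US": {
        "mail": ["anne.smith@example.com"]},
    "cn=John Doe,ou=MyOrganizationalUnit,o=MyCompany,c=US": {
        "manager": ["cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US"],
        "mail": ["john.doe@example.com"]},
    "cn=Jane Roe,ou=OtherUnit,o=MyCompany,c=US": {
        "manager": ["cn=John Doe, ou=MyOrganizationalUnit, o=MyCompany, c=US"],
        "mail": ["jane.roe@example.com"]},
    "cn=Bob Jones,ou=MyOrganizationalUnit,o=MyCompany,c=US": {
        "manager": ["cn=Someone Else,o=MyCompany,c=US"],
        "mail": ["bob.jones@example.com"]},
}

# Constructed cyclic data: the guide warns that such a hierarchy makes the
# member search fail, so the resolver must detect it rather than recurse.
CYCLIC_ENTRIES = {
    "cn=A,o=MyCompany,c=US": {"manager": ["cn=B,o=MyCompany,c=US"]},
    "cn=B,o=MyCompany,c=US": {"manager": ["cn=A,o=MyCompany,c=US"]},
}


def connect_by_members(entries, connect_by_attribute, starting_value):
    """Return the DNs of every entry that, directly or through intermediate
    entries, names starting_value in connect_by_attribute.  Results are in
    breadth-first order, so direct reports come before indirect ones."""
    attr = connect_by_attribute.lower()
    reports = {}  # normalised manager DN -> DNs of the entries naming it
    for dn, attrs in entries.items():
        for value in attrs.get(attr, []):
            reports.setdefault(norm_dn(value), []).append(dn)

    members, seen = [], set()
    frontier = [(starting_value, frozenset([norm_dn(starting_value)]))]
    while frontier:
        next_frontier = []
        for dn, path in sorted(frontier, key=lambda item: item[0]):
            for child in sorted(reports.get(norm_dn(dn), [])):
                key = norm_dn(child)
                if key in path:  # the child is its own ancestor: a cycle
                    raise ValueError("cyclic %s hierarchy involving %s"
                                     % (connect_by_attribute, child))
                if key in seen:  # reachable by two routes: count it once
                    continue
                seen.add(key)
                members.append(child)
                next_frontier.append((child, path | {key}))
        frontier = next_frontier
    return members


def member_attribute_values(entries, connect_by_attribute, starting_value, attr):
    """The e-mail use case from the guide: one attribute of each member."""
    members = connect_by_members(entries, connect_by_attribute, starting_value)
    return sorted(v for dn in members for v in entries[dn].get(attr.lower(), []))


if __name__ == "__main__":
    START = "cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US"
    print(connect_by_members(SAMPLE_ENTRIES, "manager", START))
    print(member_attribute_values(SAMPLE_ENTRIES, "manager", START, "mail"))
```

For the sample data the resolver returns John Doe (direct report) and then Jane Roe (who reports to John and lives in a different organizational unit), and Bob Jones is excluded because his manager value is not on the path from the starting DN. Running it over the cyclic entries raises instead of looping, which is the failure the Note describes; a client that builds such hierarchies should treat that error as a data problem to fix in the directory, not retry.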
An application can query either kind of group to do the following:
List all members of a group
List all groups of which a user is a member
Check to see if a user is a member of a particular group
In addition, you can query dynamic groups, but not static ones, for whatever member attributes you specify.
When deliberating about which kind of group to use, you need to weigh the ease of administration against higher performance. For example, dynamic groups provide for easier administration, but cause a decrease in performance. Table 9-2 lists some things to consider when deliberating whether to use static or dynamic groups.
Table 9-2 Static and Dynamic Group Considerations
Consideration | Static Groups | Dynamic Groups
---|---|---
Ease of administration | More difficult to administer if group memberships are large and change frequently | Easier to use, especially when group memberships are large and change frequently
Performance | Higher level of performance because you explicitly administer the membership list | Decreased level of performance because memberships are computed on the fly
Size of footprint in the directory | Larger footprint depending on the size of group memberships | Small footprint regardless of size of group memberships
This section contains these topics:
Managing Static Group Entries by Using Oracle Directory Manager
Managing Dynamic Groups by Using Command-Line Tools
Note: If you are creating a hierarchy of groups, be sure that it is a true hierarchy as described in "Hierarchies".
You can use Oracle Directory Manager to both create and modify static group entries.
If the entry belongs to the groupOfNames object class, then you determine membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine membership in the group by adding DNs to the multivalued attribute uniqueMember.
To add a static group entry:
Expand in succession Oracle Internet Directory Servers and directory server instance.
Select Entry Management.
On the toolbar, choose Create. The New Entry dialog box appears.
In the Distinguished Name field, type the full DN. You may also use Browse to locate the DN of the parent for the entry you want to add, then type the RDN for the new entry, followed by a comma, to the left of that parent DN.
To specify the object classes you want to use for the new entry, to the right of the Object Classes box, choose Add. The Super Class Selector dialog box appears.
Enter the mandatory and optional attributes for your group entry.
If you selected the groupOfNames
object class, a Browse button appears next to some of the fields, for example, the member field on the Mandatory Properties tab page. To enter a mandatory property by browsing:
Choose Browse. The Directory: Entry Management dialog box appears.
Use this dialog box to search for a particular entry you want to add to the list.
In the Distinguished Name window of the Directory: Entry Management dialog box, select the entry, then choose OK. This returns you to the New Entry dialog box. The entry you just selected is added to the list in the members window.
Choose OK.
To modify the member list for a group entry:
Perform a search for the group entry you want to modify.
In the right pane, in the Distinguished Name box, select the group entry you want to modify.
Choose Edit.
In the Entry dialog box, scroll to the text area for the member attribute and modify the value.
Choose OK.
This section provides examples of how you create and modify static group entries.
The syntax for the LDIF file is as follows (use uniqueMember in place of member if the group belongs to the groupOfUniqueNames object class):
dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
member: DN of member 1
member: DN of member 2
. . .
member: DN of member N
The following command adds this LDIF file to the directory:
ldapadd -p port_number -h host -f file_name.ldif
Example: Creating a Static Group Entry by Using ldapadd
The following example shows an LDIF file named myStaticGroup.ldif for the entry for a group named MyStaticGroup:
dn: cn=myStaticGroup,c=us
objectclass: top
objectclass: groupOfNames
member: cn=John Doe
member: cn=Anne Smith
The following command adds this LDIF file to the directory:
ldapadd -p 389 -h myhost -f myStaticGroup.ldif
To add a member to a group, the syntax of the LDIF file is:
dn: DN_of_group_entry
changetype: modify
add: member
member: DN of member entry
To delete a member from a group, the syntax of the LDIF file is:
dn: DN_of_group_entry
changetype: modify
delete: member
member: DN of member entry
Issue this command to modify the file:
ldapmodify -p 389 -v -f file_name.ldif
where -v specifies verbose mode.
Example: Modifying a Static Group by Using ldapmodify
The following example adds John Doe to a group named MyStaticGroup. As in the previous example, the data for this user entry is in the myStaticGroup.ldif file. This file contains the following:
dn: cn=myStaticGroup,c=us
changetype: modify
add: member
member: cn=John Doe
Issue this command to modify the file:
ldapmodify -p 389 -v -f myStaticGroup.ldif
where -v specifies verbose mode.
Note: When you add or modify a group entry, the Oracle directory server does not verify that the entry named by a member value exists. However, if the attribute value must contain a DN, then the directory server verifies that a DN is specified.
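The following is an added example, not code from the Oracle guide or from Oracle Internet Directory. It serves the static group LDIF examples above: it produces the ldapadd file for a new groupOfNames or groupOfUniqueNames entry (choosing member or uniqueMember from the object class), computes the ldapmodify file that reconciles a group's current member list with a desired one, and, because the server does not check that a member DN names an existing entry, checks that on the client side against a snapshot of the directory. The group DN, the members, the snapshot and the function names are assumptions made for this illustration; the generated LDIF follows RFC 2849, so each modification ends with a "-" separator line.

```python
"""Added example, not code from the Oracle guide: build the ldapadd and
ldapmodify LDIF for a static group and reconcile its member list against a
desired set.  Because the directory server does not check that a member DN
names an existing entry, the example verifies that on the client side against
a constructed snapshot of the directory.  The group DN, the members and the
snapshot are assumptions made for this illustration."""

# Membership attribute of each static group object class (from the guide).
MEMBER_ATTRIBUTE = {"groupofnames": "member", "groupofuniquenames": "uniqueMember"}

# Constructed snapshot of the entries that exist in the directory.
EXISTING_DNS = [
    "cn=John Doe,c=us",
    "cn=Anne Smith,c=us",
    "cn=Bob Jones,c=us",
]


def norm_dn(dn):
    """Case- and whitespace-insensitive DN key (simplified; no RFC 4514 escaping)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def member_attribute(object_class):
    """member for groupOfNames, uniqueMember for groupOfUniqueNames."""
    try:
        return MEMBER_ATTRIBUTE[object_class.lower()]
    except KeyError:
        raise ValueError("not a static group object class: %s" % object_class)


def missing_members(members, existing_dns):
    """Member DNs absent from the snapshot; the server would accept them silently."""
    known = {norm_dn(dn) for dn in existing_dns}
    return [m for m in members if norm_dn(m) not in known]


def add_group_ldif(group_dn, object_class, members):
    """LDIF for ldapadd that creates a static group with the given members."""
    attr = member_attribute(object_class)
    if not members:
        raise ValueError("%s requires at least one %s value" % (object_class, attr))
    lines = ["dn: " + group_dn, "objectclass: top", "objectclass: " + object_class]
    lines += ["%s: %s" % (attr, m) for m in members]
    return "\n".join(lines) + "\n"


def modify_group_ldif(group_dn, object_class, current, desired):
    """LDIF for ldapmodify that adds the missing members and deletes the
    surplus ones; returns an empty string when nothing changes.  Each
    modification ends with the '-' separator line required by RFC 2849."""
    attr = member_attribute(object_class)
    current_keys = {norm_dn(m): m for m in current}
    desired_keys = {norm_dn(m): m for m in desired}
    if not desired_keys:
        raise ValueError("a static group must keep at least one %s value" % attr)
    to_add = [m for k, m in desired_keys.items() if k not in current_keys]
    to_delete = [m for k, m in current_keys.items() if k not in desired_keys]
    if not to_add and not to_delete:
        return ""
    lines = ["dn: " + group_dn, "changetype: modify"]
    for op, values in (("add", to_add), ("delete", to_delete)):
        if values:
            lines.append("%s: %s" % (op, attr))
            lines += ["%s: %s" % (attr, v) for v in values]
            lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    group = "cn=myStaticGroup,c=us"
    current = ["cn=John Doe,c=us", "cn=Anne Smith,c=us"]
    desired = ["cn=Anne Smith,c=us", "cn=Bob Jones,c=us", "cn=Nobody,c=us"]
    print("unknown member DNs:", missing_members(desired, EXISTING_DNS))
    print(modify_group_ldif(group, "groupOfNames", current, desired))
```

The reconciliation step is where the client-side check matters: because the server verifies only that a member value is syntactically a DN, a typo in a DN produces a group that silently grants nothing to the intended user, so the example reports such DNs before the LDIF is fed to ldapmodify. The function also refuses to remove the last member, since member is a mandatory attribute of these object classes and the modification would be rejected.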
This section provides examples of the two kinds of dynamic group entries.
The following is an example of a dynamic group entry using the labeledURI attribute.
dn: cn=dgroup1
cn: dgroup1
description: this is an example of a dynamic group
labeleduri: ldap://hostname:7777/ou=oid,l=amer,dc=oracle,dc=dgrptest??sub?(objectclass=person)
objectclass: orcldynamicgroup
objectclass: groupOfUniqueNames
objectclass: top
This group will have uniquemember values that are the DNs of all entries associated with the object class person in the subtree ou=oid,l=amer,dc=oracle,dc=dgrptest.
The following is an example of a dynamic group entry that uses the CONNECT BY assertion.
dn: cn=dgroup2
cn: dgroup2
description: this is connect by manager assertion dynamic group
orclconnectbyassertionbase: l=amer,dc=oracle,dc=dgrptest
orclconnectbyattribute: manager
orclconnectbystartingvalue: cn=john doe sr.
objectclass: orcldynamicgroup
objectclass: groupOfUniqueNames
objectclass: top
This dynamic group has uniquemember values that are the DNs of all entries whose manager attribute is cn=john doe sr., either directly or indirectly. If several individuals have cn=john doe jr. as their manager, and he, in turn, has cn=john doe sr. as his manager, then all the lower-level individuals are returned.
You can use Oracle Directory Manager to both create and modify dynamic group entries.
If the entry belongs to the groupOfNames object class, then you determine explicit membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine explicit membership in the group by adding DNs to the multivalued attribute uniqueMember.
To add a dynamic group entry:
Expand Oracle Internet Directory Servers, then directory server instance.
Select Entry Management.
On the toolbar, choose Create. The New Entry dialog box appears.
In the Distinguished Name field, type the full DN. You may also use Browse to locate the DN of the parent for the entry you want to add, then type the RDN for the new entry, followed by a comma, to the left of that parent DN.
To specify the object classes you want to use for the new entry, to the right of the Object Classes box, choose Add. The Super Class Selector dialog box appears.
Enter the mandatory and optional attributes for your group entry.
If you are using the labeledURI method for dynamically computing membership in the group, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. In the Optional Properties tab page, in the labeledURI field, specify an LDAP URL in the RFC 2255 form:
ldap://host[:port]/base_DN?attributes?scope?filter
For example:
ldap://my_host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
If you are using the CONNECT BY method for dynamically computing membership in the group, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute. In the orclConnectByAttribute field, specify the attribute that you want to use as the filter for the query, for example, manager. In the orclConnectByStartingValue field, specify the DN that is the starting value for the attribute you specified in orclConnectByAttribute, for example, cn=Anne Smith.
For information about specifying the other attributes that appear in the Optional Properties tab page, see "User and Group Schema Elements" in Oracle Identity Management User Reference.
If you selected the groupOfNames object class, a Browse button appears next to some of the fields, for example, the member field on the Mandatory Properties tab page. If you choose Browse, the Directory: Entry Management dialog box appears. Use this dialog box to search for a particular entry you want to add to the list. Then, in the Distinguished Name window of the Directory: Entry Management dialog box, select the entry and choose OK. This returns you to the New Entry dialog box. The entry you just selected is added to the list in the members window.
Choose OK.
To modify the member list for a dynamic group entry:
Perform a search for the group entry you want to modify.
In the right pane, in the Distinguished Name box, select the group entry you want to modify.
Choose Edit.
In the Entry dialog box, scroll to the text area for the member attribute and modify the value.
Choose OK.
This section tells you how to create and modify dynamic groups by using command-line tools.
If you use the labeledURI attribute, then the syntax for the LDIF file is as follows, where ldap_URL has the RFC 2255 form ldap://host[:port]/base_DN?attributes?scope?filter:
dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
objectclass: orclDynamicGroup
labeledURI: ldap_URL
member: DN of member 1
member: DN of member 2
. . .
member: DN of member N
The following command adds this LDIF file to the directory:
ldapadd -p port_number -h host -f file_name.ldif
If you use the CONNECT BY string, then the syntax for the LDIF file is:
dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
objectclass: orclDynamicGroup
orclConnectByAttribute: attribute_name
orclConnectByStartingValue: DN_of_attribute
member: DN of member 1
When specifying entries in this syntax, do not use double quotes around distinguished names.
The following example shows an LDIF file, myDynamicGroup.ldif, for the entry for a dynamic group:
dn: cn=myDynamicGroup,c=us
objectclass: top
objectclass: groupOfNames
objectclass: orcldynamicgroup
labeledURI: ldap://my_host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
member: cn=John Doe
member: cn=Anne Smith
The following command adds this LDIF file to the directory:
ldapadd -p 389 -h myhost -f myDynamicGroup.ldif
To change the organizational unit of the group created in the previous example, the syntax of the LDIF file is:
dn: DN_of_group_entry
changetype: modify
replace: labeledURI
labeledURI: ldap://my_host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
Note: When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry. |