HP-UX Directory Server 8.1 administrator guide

NOTE:
The Console for managing dynamic groups may not display all possible selections during a
search operation if there is no VLV index for users' search. This problem can occur when the
number of users is 1000 or more and there is no VLV index for search. To work around the
problem, create a VLV index for the users suffix with the filter (objectclass=person) and
scope sub-tree.
5.4.3 Creating and managing groups in the command line
Creating both static and dynamic groups from the command line is a similar process. A group
entry contains the group name, the type of group, and a members attribute.
There are several different options for the type of group; these are described in more detail in
the HP-UX Directory Server schema reference. The type of group in this case refers to the type of
defining member attribute it has:
• groupOfNames is a simple group that allows any entry to be added. The attribute used to
  determine members for this is member.
• groupOfUniqueNames, like groupOfNames, simply lists user DNs as members, but the
  members must be unique. This prevents users being added more than once as a group
  member, which is one way of preventing self-referential group memberships. The attribute
  used to determine members for this is uniqueMember.
• groupOfURLs uses a list of LDAP URLs to filter and generate its membership list. This
  object class is required for any dynamic group and can be used in conjunction with
  groupOfNames and groupOfUniqueNames.
• groupOfCertificates is similar to groupOfURLs in that it uses an LDAP filter to search
  for and identify certificates (or, really, certificate names) to identify group members. This is
  useful for group-based access control, because the group can be given special access
  permissions. The attribute used to determine members for this is memberCertificate.
Table 5-2 “Dynamic and static group schema” lists the default attributes for groups as they are
created from the command line.
Table 5-2 Dynamic and static group schema
Type of group    Group object classes               Member attributes
Static           groupOfUniqueNames                 uniqueMember
Dynamic          groupOfUniqueNames, groupOfURLs    memberURL
A static group entry lists the specific members of the group. For example:
ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=static group,ou=Groups, dc=example, dc=com
objectClass: top
objectClass: groupofuniquenames
cn: static group
description: Example static group
uniqueMember: uid=mwhite, ou=People, dc=example,dc=com
uniqueMember: uid=awhite, ou=People, dc=example,dc=com
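A pre-flight check for group LDIF before it is passed to ldapmodify, as an added example that is not part of the HP guide: it classifies each entry as static or dynamic per Table 5-2 and reports uniqueMember values that name the same DN with different spacing or case. The DN normalization is a simplified assumption, and the sample entries, including the memberURL value, are constructed.

```python
import re

# Constructed sample: one static group with a repeated member, one dynamic group.
SAMPLE_LDIF = """\
dn: cn=static group,ou=Groups, dc=example, dc=com
objectClass: groupofuniquenames
uniqueMember: uid=mwhite, ou=People, dc=example,dc=com
uniqueMember: uid=awhite, ou=People, dc=example,dc=com
uniqueMember: UID=mwhite,ou=People,dc=example,dc=com

dn: cn=dynamic group,ou=Groups, dc=example, dc=com
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??sub?(objectclass=person)
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entries.append({})
        for attr, _, value in (ln.partition(":") for ln in block.splitlines()):
            entries[-1].setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def normalize_dn(dn):
    """Simplified normalization (assumption): trim and lowercase each RDN."""
    rdns = (r.partition("=") for r in re.split(r"(?<!\\),", dn))
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in rdns)

def group_type(entry):
    """Table 5-2: groupOfURLs marks a dynamic group, otherwise static."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "groupofurls" in classes:
        return "dynamic"
    return "static" if classes & {"groupofuniquenames", "groupofnames"} else "not a group"

def duplicate_members(entry):
    """uniqueMember values that repeat an earlier DN once normalized."""
    seen, dupes = set(), []
    for dn in entry.get("uniquemember", []):
        if normalize_dn(dn) in seen:
            dupes.append(dn)
        seen.add(normalize_dn(dn))
    return dupes

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0], "|", group_type(e), "| repeated:", duplicate_members(e))
```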
A dynamic group uses at least one LDAP URL to identify entries belonging to the group and
can specify multiple LDAP URLs or, if used with another group object class like
groupOfUniqueNames, can explicitly list some group members along with the dynamic LDAP
URL.
ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=dynamic group,ou=Groups, dc=example, dc=com
226 Organizing entries with roles, class of service, and views