HP-UX Directory Server 8.1 deployment guide
In a hosting environment, include the following attributes in the organization's entry:
• o
• objectClass with values of top and organization
4.2.3.4 Naming other kinds of entries
The directory contains entries that represent many things, such as localities, states, countries,
devices, servers, network information, and other kinds of data.
For these types of entries, use the cn attribute in the RDN if possible. For example, name a
group entry something like cn=administrators,dc=example,dc=com.
However, sometimes an entry's object class does not support the commonName attribute. In that
case, use an attribute that is supported by the entry's object class.
There does not have to be any correspondence between the attributes used for the entry's DN
and the attributes actually used in the entry. However, a correspondence between the DN
attributes and attributes used by the entry simplifies administration of the directory tree.
4.3 Grouping directory entries
After creating the required entries, group them for ease of administration. The Directory Server
supports several methods for grouping entries and sharing attributes between entries:
• Using roles
• Using class of service
The following sections describe each of these mechanisms in more detail.
4.3.1 About roles
Roles are an entry grouping mechanism. The directory tree organizes information hierarchically.
This hierarchy is a grouping mechanism, though it is not suited for short-lived, changing
organizations. Roles provide another grouping mechanism for more temporary organizational
structures.
Roles unify static and dynamic groups. Static groups create a group entry that contains a list of
members, while dynamic groups filter entries that contain a particular attribute and include
them in a single group.
Each entry assigned to a role contains the nsRole attribute, a computed attribute that specifies
all the roles to which an entry belongs. A client application can check role membership by
searching the nsRole attribute, which is computed by the directory and is therefore always
up-to-date.
Roles are designed to be more efficient and easier to use for applications. For example, applications
can locate the roles of an entry rather than select a group and browse the members list.
Roles can organize groups in a number of different ways:
• Enumerate the members of the role.
Having an enumerated list of role members can be useful for resolving queries for group
members quickly.
• Determine whether a given entry possesses a particular role.
Knowing the roles possessed by an entry can help determine whether the entry possesses
the target role.
• Enumerate all the roles possessed by a given entry.
• Assign a particular role to a given entry.
• Remove a particular role from a given entry.
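The role operations listed above, shown as an added example that is not part of the original guide and is not Directory Server code. It is a toy in-memory model of how a computed nsRole value unifies enumerated (static) and attribute-matched (dynamic) membership, plus the search filter a client would send to check membership. All DNs, attribute values and the "members"/"match" fields are constructed for illustration.

```python
# Toy in-memory model (added illustration, not Directory Server code).
# All DNs, attribute values and the "members"/"match" fields are constructed.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"
ADMINS = "cn=administrators,dc=example,dc=com"
SALES = "cn=sales,dc=example,dc=com"

ENTRIES = {ALICE: {"ou": "sales"}, BOB: {"ou": "sales"}, CAROL: {"ou": "support"}}
ROLES = {
    ADMINS: {"members": {ALICE}},       # static style: explicit member list
    SALES: {"match": ("ou", "sales")},  # dynamic style: attribute match
}

def compute_nsrole(entry_dn):
    """Role DNs the entry possesses, recomputed on every call like nsRole."""
    attrs, found = ENTRIES[entry_dn], []
    for role_dn, definition in ROLES.items():
        if "members" in definition:
            if entry_dn in definition["members"]:
                found.append(role_dn)
        else:
            attr, value = definition["match"]
            if attrs.get(attr) == value:
                found.append(role_dn)
    return sorted(found)

def has_role(entry_dn, role_dn):
    return role_dn in compute_nsrole(entry_dn)

def role_members(role_dn):
    return sorted(dn for dn in ENTRIES if has_role(dn, role_dn))

def set_role(entry_dn, role_dn, present):
    """Assign or remove an enumerated role; match-based roles follow entry data."""
    if "members" not in ROLES[role_dn]:
        raise ValueError("membership of a match-based role is computed")
    (set.add if present else set.discard)(ROLES[role_dn]["members"], entry_dn)

def nsrole_filter(role_dn):
    """Search filter for role membership, value escaped per RFC 4515."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in role_dn)
    return "(nsRole=%s)" % escaped
```

Escaping the role DN matters when an application builds the filter from input it does not control, because unescaped parentheses or asterisks would change which entries the membership check matches.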