LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)

objectClass: nxRoleEntry
objectClass: posixgroup
objectClass: top
nxSearchScope: sub
nxSearchBaseDn: ou=Managing,dc=Example,dc=hp,dc=com
nxRole: Austine Managers
nxSearchFilter: (l=Austine)
cn: AustMgrs
gidNumber: 2000
NOTE: Unlike Netscape/Red Hat Directory dynamic groups, Select Access dynamic groups
require a non-standard objectclass and attributes. You cannot change existing POSIX static groups
to Select Access POSIX dynamic groups without importing that objectclass and those attributes. This
procedure is not supported.
Multiple Group Attribute Mappings
By default, LDAP-UX uses the memberUid attribute to retrieve group members. With support
for X.500 group member syntax, you can map the default group attribute, memberUid, to member
and/or uniquemember, in which group members are specified as user DNs. With dynamic group
support, LDAP-UX allows you to map memberUid to memberURL (if you use Netscape/Red Hat
Directory Server to create dynamic groups) and/or nxSearchFilter (if you use HP OpenView
Select Access or HP-UX Select Access for IdMI to create dynamic groups).
You can run the setup tool and map memberUid to multiple attributes as needed. For example,
the following output of /opt/ldapux/config/display_profile_cache shows that
memberUid is mapped to both static group attributes, memberUid, member and uniquemember,
and dynamic group attributes, memberURL and nxSearchFilter:
Group Service Configuration:
Attribute:    is mapped to:
-----------   -------------
name:         cn
gid:          gidnumber
members:      memberuid memberURL nxSearchFilter
              member uniquemember
LDAP-UX retrieves group members and determines the groups that a specific user belongs to by
looking at all configured attributes. If needed, you can create a group that includes both static
and dynamic members. When returning group members, LDAP-UX returns both the static and the
dynamic members that belong to a specific group.
When processing dynamic group attributes, LDAP-UX combines the search filter of the passwd
service from the profile with the search filter specified in memberURL (e.g. the last component in
memberURL) or nxSearchFilter to retrieve group members. This ensures that the group
members returned are POSIX accounts and meet the configuration set for LDAP-UX.
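The filter combination described above can be sketched as follows. This is an added example, not LDAP-UX code: it assumes the two filters are joined with a logical AND, uses (objectclass=posixAccount) as a stand-in for the passwd service filter from the profile, and builds a sample memberURL from the base DN and filter of the entry shown earlier.

```python
from urllib.parse import urlsplit, unquote

# Assumption: stand-in for the passwd service search filter in the LDAP-UX profile.
PASSWD_FILTER = "(objectclass=posixAccount)"

# Constructed sample: memberURL form of the nxSearchBaseDn/nxSearchFilter entry above.
SAMPLE_MEMBER_URL = "ldap:///ou=Managing,dc=Example,dc=hp,dc=com??sub?(l=Austine)"


def balanced(flt):
    """True if flt is exactly one parenthesised filter, e.g. (l=Austine)."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Closing before the last character means trailing or extra components.
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0 and flt.startswith("(")


def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]  # attrs, scope, filter
    base = unquote(parts.path.lstrip("/"))
    scope = fields[1] or "base"                       # RFC 4516 default scope
    flt = unquote(fields[2]) or "(objectClass=*)"     # RFC 4516 default filter
    return base, scope, flt


def effective_filter(group_filter, passwd_filter=PASSWD_FILTER):
    """AND the group's filter with the passwd filter so only POSIX accounts match."""
    for f in (group_filter, passwd_filter):
        if not balanced(f):
            # Reject input that would break out of the enclosing (& ...) clause.
            raise ValueError("malformed filter: %r" % f)
    return "(&%s%s)" % (passwd_filter, group_filter)


if __name__ == "__main__":
    base, scope, flt = parse_member_url(SAMPLE_MEMBER_URL)
    print(base, scope, effective_filter(flt))
```

The balance check matters because the group filter is data stored in the directory: an unbalanced value concatenated into the AND clause could widen the search beyond POSIX accounts.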
Examples
The following is an example of the output of
/opt/ldapux/config/display_profile_cache:
PASSWD Service Configuration
Attribute: is mapped to:
---------- --------------