LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide

6 Dynamic Group Support
This chapter contains information about how LDAP-UX Client Services supports dynamic groups,
how to set up dynamic groups, and how to enable or disable dynamic group caches. This chapter
includes the following sections:
“Overview” (page 81)
“Specifying a Search Filter for a Dynamic Group” (page 81)
“Multiple Group Attribute Mappings” (page 84)
“Number of Group Members Returned” (page 87)
“Number of Groups Returned for a Specific User” (page 87)
“Performance Impact for Dynamic Groups” (page 88)
“Configuring Dynamic Group Caches” (page 88)
“Dynamic Group with Active Directory Server Multiple Domains” (page 89)
Overview
A system administrator can associate some users with a group, and apply security policies (e.g.
access control, password policies) to the group. As a result, all users belonging to the group inherit
those policies. In LDAP directories, there are two types of groups: static groups and dynamic
groups. A static group defines all of its members statically: each user must be added to the group
individually and explicitly. A dynamic group associates users with the group based on conditions,
which are specified by a search filter. When a user's data matches the conditions, that user
belongs to the dynamic group. Dynamic groups offer the advantage of flexibility, and allow
administrators to easily implement a role-based authorization policy based upon a company's
organizational structure. Users are added to or removed from a group dynamically based on
their most current status (such as the value of one or more attributes in the user's entry).
Since traditional POSIX-style groups are used largely to control file system access rights, dynamic
groups in LDAP-UX offer a new and flexible method for defining file system access policies.
For example, with file system access control lists (ACLs) it is possible to add group access
permission for users that are members of a particular group (say, the "top secret" group). With
dynamic groups, instead of needing to insert each individual member in the group, LDAP-UX
discovers all users in the directory that have the "top secret" attribute associated with their entries.
When a user's attribute is no longer defined as "top secret", his/her membership in the
"top secret" group is automatically revoked (no need to make manual changes to the group).
LDAP-UX Client Services B.04.10 supports dynamic groups with Windows 2003 and 2003 Release
2 (R2) Active Directory Server.
Specifying a Search Filter for a Dynamic Group
Authorization Manager in Windows 2003 or 2003 R2 allows users to create LDAP query groups.
LDAP query groups define group members by specifying a query (i.e., a search filter) in the
attribute msDS-AzLDAPQuery. LDAP query groups are dynamic groups because the member
entries are retrieved dynamically based on the search filter. LDAP-UX supports LDAP query groups
only if those groups are also POSIX groups (i.e., they have the PosixGroup objectclass and attributes).
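The two passages above (the overview of dynamic groups and the description of LDAP query groups defined by a search filter) describe membership that is computed from a filter rather than stored. The following is an added example, not code from the LDAP-UX guide or from HP: a small evaluator for the subset of RFC 4515 filter syntax most often used in such queries (equality, presence, and the &, | and ! operators), run over constructed user entries to show membership being derived from attribute values and revoked when an attribute is removed. The attribute names (`clearance`, `department`), the filter text and the entries are all constructed for illustration; they are not values from the guide, and nothing here talks to a directory server.

```python
"""Evaluate a dynamic-group search filter over constructed LDAP-style entries.

Added example (not from the LDAP-UX guide). Entries are dicts mapping a
lowercase attribute name to a list of string values, as an LDAP client library
would return them. Only a subset of RFC 4515 is parsed: (attr=value),
(attr=*), and the &, | and ! operators. Value escaping is not handled.
"""


def parse_filter(text):
    """Parse a filter string into a nested tuple tree.

    Returns ('&', [subtrees]), ('|', [subtrees]), ('!', subtree) or
    ('=', attr, value). Raises ValueError on malformed input.
    """
    pos = [0]  # current parse position, shared by the nested helpers

    def expect(ch):
        if pos[0] >= len(text) or text[pos[0]] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos[0]))
        pos[0] += 1

    def parse():
        expect('(')
        op = text[pos[0]]
        if op in '&|':
            pos[0] += 1
            children = []
            while pos[0] < len(text) and text[pos[0]] == '(':
                children.append(parse())
            expect(')')
            return (op, children)
        if op == '!':
            pos[0] += 1
            child = parse()
            expect(')')
            return ('!', child)
        end = text.index(')', pos[0])
        attr, sep, value = text[pos[0]:end].partition('=')
        if not sep:
            raise ValueError("unsupported filter item: %r" % text[pos[0]:end])
        pos[0] = end + 1
        return ('=', attr.strip().lower(), value)

    tree = parse()
    if pos[0] != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Return True if one entry satisfies the parsed filter."""
    op = tree[0]
    if op == '&':
        return all(matches(child, entry) for child in tree[1])
    if op == '|':
        return any(matches(child, entry) for child in tree[1])
    if op == '!':
        return not matches(tree[1], entry)
    attr, wanted = tree[1], tree[2]
    values = entry.get(attr, [])
    if wanted == '*':  # presence test: any value at all
        return bool(values)
    # Directory string attributes are compared case-insensitively here.
    return any(v.lower() == wanted.lower() for v in values)


def dynamic_group_members(filter_text, entries):
    """Return the sorted uids of the entries matching the group's filter.

    The member list is never stored; it is recomputed from the entries'
    current attribute values every time it is asked for.
    """
    tree = parse_filter(filter_text)
    return sorted(e['uid'][0] for e in entries if matches(tree, e))


def with_attribute_removed(entries, uid, attr):
    """Copy of the entries with one attribute dropped from one user.

    Used to show that membership is revoked as soon as the qualifying
    attribute disappears, without editing any group object.
    """
    result = []
    for entry in entries:
        copy = {k: list(v) for k, v in entry.items()}
        if copy['uid'] == [uid]:
            copy.pop(attr, None)
        result.append(copy)
    return result


# Constructed sample entries; the attribute names and values are illustrative.
USERS = [
    {'uid': ['alice'], 'clearance': ['top secret'], 'department': ['research']},
    {'uid': ['bob'], 'clearance': ['confidential'], 'department': ['research']},
    {'uid': ['carol'], 'clearance': ['top secret'], 'department': ['ops']},
    {'uid': ['dave'], 'department': ['ops']},
]

# Constructed filter of the kind a query group might carry.
TOP_SECRET_FILTER = "(clearance=top secret)"


if __name__ == "__main__":
    print("members now:", dynamic_group_members(TOP_SECRET_FILTER, USERS))
    later = with_attribute_removed(USERS, 'carol', 'clearance')
    print("after carol's clearance is removed:",
          dynamic_group_members(TOP_SECRET_FILTER, later))
```

Running the block shows `carol` leaving the group the moment her `clearance` attribute is removed, which is the revocation behaviour the overview describes; the same evaluator also handles compound filters such as `(&(clearance=top secret)(!(department=ops)))`. A real directory server applies the filter itself, and LDAP-UX's resolution of a query group additionally depends on the group carrying POSIX attributes, which this example does not model.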
Creating an HP-UX POSIX Dynamic Group
LDAP-UX supports HP-UX POSIX dynamic groups only on Windows Active Directory Server.
Use the following procedure to create an HP-UX POSIX dynamic group supported on Windows
ADS:
Overview 81