LDAP-UX Client Services B.04.15 Administrator's Guide
4 Dynamic Group Support
This chapter contains information about how LDAP-UX Client Services supports dynamic groups,
how to set up dynamic groups, and how to enable or disable dynamic group caches. This chapter
includes the following sections:
• “Overview” (page 73)
• “Specifying an LDAP URL for a Dynamic Group” (page 73)
• “Specifying a Search Filter for a Dynamic Group” (page 77)
• “Multiple Group Attribute Mappings” (page 78)
• “Number of Group Members Returned” (page 80)
• “Number of Groups Returned for a Specific User” (page 80)
• “Performance Impact for Dynamic Groups” (page 81)
• “Configuring Dynamic Group Caches” (page 81)
4.1 Overview
A system administrator can associate a set of users with a group and apply security policies (for
example, access control and password policies) to that group. As a result, all users belonging to the
group inherit the group's policies, such as being able to access a file. LDAP directories have two
types of groups: static groups and dynamic groups. A static group lists all of its users explicitly;
each user must be added to the group individually. A dynamic group associates users with the
group based on conditions, which are specified by an LDAP URL or a search filter. When a user's
entry matches the conditions, the user belongs to the dynamic group. Dynamic groups offer the
advantage of flexibility and allow administrators to easily implement a role-based authorization
policy based on a company's organizational structure. Users are added to or removed from a
group dynamically based on their current status (such as the value of one or more attributes in
the user's entry).
Since traditional POSIX-style groups are used largely to control file system access rights, dynamic
groups in LDAP-UX offer a new and flexible method for defining file system access policies.
For example, with file system access control lists (ACLs) it is possible to grant group access
permission to users that are members of a particular group (say the "top secret" group). With
dynamic groups, instead of inserting each individual member into the group, LDAP-UX
discovers all users in the directory that have the "top secret" attribute associated with their entries.
When a user's attribute is no longer defined as "top secret", that user's membership in the
"top secret" group is automatically revoked, with no manual changes to the group.
LDAP-UX Client Services B.04.10 or later supports dynamic groups and allows you to configure
dynamic groups using the same syntaxes as the following directory servers and identity
management products:
• Netscape/Red Hat Directory Server
• Windows 2003 and 2003 Release 2 (R2) Active Directory Server
• HP Select Access and HP-UX Select Access for IdMI
4.2 Specifying an LDAP URL for a Dynamic Group
Netscape/Red Hat Directory Server defines the memberURL attribute and the groupOfURLs
objectclass to represent the dynamic group. All POSIX users who can be found using the LDAP
URL belong to the group.
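The memberURL evaluation described above, as an added Python model that is not code from this guide or from any directory server: it parses an RFC 4516 LDAP URL into base DN, scope and filter, evaluates a subset of LDAP search filters against constructed user entries, and returns the DNs that make up the dynamic group, so a change to a user's attribute immediately changes the resolved membership. The DNs, the `clearance` attribute and `TOP_SECRET_URL` are constructed for the example.

```python
"""Model of how a groupOfURLs dynamic group resolves members from its memberURL.
Constructed illustration, not LDAP-UX or Red Hat Directory Server code; the
entries, DNs and 'clearance' attribute are made up. URL form: RFC 4516."""
from urllib.parse import unquote

def parse_member_url(url):
    """Return (base_dn, scope, filter) from ldap://host/base?attrs?scope?filter."""
    _scheme, _, rest = url.partition("://")
    _host, _, rest = rest.partition("/")
    fields = (rest.split("?") + [""] * 4)[:4]  # base, attrs, scope, filter
    base, scope = unquote(fields[0]).lower(), fields[2].lower() or "base"
    return base, scope, unquote(fields[3]) or "(objectClass=*)"

def match_filter(filt, entry):
    """Evaluate a filter limited to equality, presence and the &, |, ! operators.
    Comparison is case-insensitive, as for LDAP's common string syntaxes."""
    body = filt[1:-1]  # strip the outer parentheses
    if body[0] in "&|!":
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(body[1:], 1):  # split the top-level sub-filters
            depth += (ch == "(") - (ch == ")")
            if ch == "(" and depth == 1: start = i
            if ch == ")" and depth == 0: subs.append(body[start:i + 1])
        results = [match_filter(s, entry) for s in subs]
        if body[0] == "!": return not results[0]
        return all(results) if body[0] == "&" else any(results)
    attr, value = body.split("=", 1)
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def in_scope(dn, base, scope):
    """Is dn within base for scope base/one/sub? (DNs with escaped commas not handled)"""
    dn = dn.lower()
    if dn == base: return scope in ("base", "sub")
    if not dn.endswith("," + base): return False
    return scope == "sub" or (scope == "one" and "," not in dn[:-len(base) - 1])

def resolve_members(member_url, directory):
    """DNs selected by the memberURL: exactly the dynamic group's current members."""
    base, scope, filt = parse_member_url(member_url)
    return sorted(dn for dn, e in directory.items()
                  if in_scope(dn, base, scope) and match_filter(filt, e))

DIRECTORY = {  # constructed entries; attribute names are stored lower-cased
    "uid=alice,ou=People,dc=example,dc=com": {"objectclass": ["posixAccount"], "clearance": ["topsecret"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectclass": ["posixAccount"], "clearance": ["secret"]},
    "uid=carol,ou=Contractors,ou=People,dc=example,dc=com": {"objectclass": ["posixAccount"], "clearance": ["topsecret"]},
}
TOP_SECRET_URL = "ldap:///ou=People,dc=example,dc=com??sub?(&(objectClass=posixAccount)(clearance=topsecret))"
```

Changing the scope to `one` drops the nested contractor entry, and changing a user's `clearance` value removes that user from the resolved membership without touching the group entry.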
4.2.1 Creating an HP-UX POSIX Dynamic Group
LDAP-UX Client Services only supports HP-UX POSIX dynamic groups. Use the following
procedure to create an HP-UX POSIX dynamic group:
4.1 Overview 73