LDAP-UX Client Services B.05.00 Administrator's Guide

4 Dynamic group support
This chapter contains information about how LDAP-UX Client Services supports dynamic groups,
how to set up dynamic groups, and how to enable or disable dynamic group caches.
4.1 Overview
A system administrator can associate some users with a group, and apply security policies (e.g.
access control, password policies) to the group. As a result, all users belonging to the group
inherit the specific policies, such as being able to access a file. In LDAP directories, there are two
types of groups: static groups and dynamic groups. A static group defines all users statically.
Each user must be added to the group individually and explicitly. Dynamic groups associate
users with a group based on conditions. The condition can be specified by an LDAP URL or a
search filter. When a user's data matches the conditions, he or she belongs to the dynamic
group. Dynamic groups offer the advantage of flexibility, and allow administrators to easily
implement a role-based authorization policy based upon a company's organizational structure.
Users are added to or removed from a group dynamically based on their most current
status (such as the value of one or more attributes in the user's entry).
Since traditional POSIX-style groups are used largely to control file system access rights, dynamic
groups in LDAP-UX offer a new and flexible method for defining file system access policies.
For example, with file system access control lists (ACLs) it is possible to add group access
permission for users that are members of a particular group (say the "top secret" group). With
dynamic groups, instead of needing to insert each individual member in the group, LDAP-UX
discovers all users in the directory that have the "top secret" attribute associated with their entries.
When a user's attribute is no longer defined as "top secret", his or her membership in
the "top secret" group is automatically revoked (no need to make manual changes to the group).
LDAP-UX Client Services supports dynamic groups and allows you to configure dynamic groups
using the same syntax as the following directory servers and identity management products:
HP-UX Directory Server or Red Hat Directory Server
Windows Server 2003 R2/2008 Active Directory Server
4.2 Specifying an LDAP URL for a dynamic group
HP-UX Directory Server and Red Hat Directory Server define the memberURL attribute and the
groupOfURLs objectclass to represent a dynamic group. All POSIX users who can be found
using the LDAP URL belong to the group.
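The following added Python example (not LDAP-UX code) shows how a groupOfURLs memberURL resolves to POSIX members: it splits the URL into base, scope and filter, evaluates the filter over a constructed in-memory directory, and keeps only posixAccount entries, so an entry whose attribute changes drops out of the group without any edit to the group entry. The "clearance" attribute, the example DNs and the small filter subset are assumptions made for this example.

```python
"""Resolve HP-UX POSIX dynamic group membership from a memberURL (RFC 4516 base?attrs?scope?filter)
with a small RFC 4515 filter subset: equality, presence (attr=*) and &, |, ! nesting."""
from urllib.parse import unquote
# Constructed directory, dn -> {lowercase attribute: [values]}. "clearance" is an
# assumed custom attribute standing in for the guide's "top secret" attribute.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectclass": ["posixAccount"], "uid": ["alice"], "clearance": ["top secret"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectclass": ["posixAccount"], "uid": ["bob"], "clearance": ["confidential"]},
    "uid=batch,ou=services,dc=example,dc=com": {"objectclass": ["posixAccount"], "uid": ["batch"], "clearance": ["top secret"]},  # outside base
    "cn=printer1,ou=people,dc=example,dc=com": {"objectclass": ["device"], "cn": ["printer1"], "clearance": ["top secret"]},  # not POSIX
}
GROUP_URL = ("ldap:///ou=people,dc=example,dc=com??sub?"
             "(&(objectClass=posixAccount)(clearance=top%20secret))")
def parse_member_url(url):
    _host, _, rest = url.partition("//")[2].partition("/")
    base, _attrs, scope, filt = (rest.split("?") + [""] * 4)[:4]
    return base.lower(), (scope or "base").lower(), unquote(filt) or "(objectClass=*)"

def parse_filter(s, i=0):  # -> (node, next_index); node = ("=", attr, value) | (op, [kids])
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ")"
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):  # attribute names and values compared case-insensitively
    if node[0] == "=":
        vals = [v.lower() for v in entry.get(node[1], [])]
        return bool(vals) if node[2] == "*" else node[2].lower() in vals
    kids = [matches(k, entry) for k in node[1]]
    return {"&": all, "|": any, "!": lambda k: not k[0]}[node[0]](kids)

def in_scope(dn, base, scope):  # "base", "one" (single RDN below base) or "sub"
    dn = dn.lower()
    if scope == "base":
        return dn == base
    below = dn.endswith("," + base) and (scope == "sub" or "," not in dn[:-len(base) - 1])
    return below or (scope == "sub" and dn == base)

def resolve_members(member_url, directory):  # uids of the POSIX users the URL selects
    base, scope, filt = parse_member_url(member_url)
    node, _ = parse_filter(filt)
    posix = lambda e: "posixaccount" in [v.lower() for v in e.get("objectclass", [])]
    return sorted(e["uid"][0] for dn, e in directory.items() if posix(e) and in_scope(dn, base, scope) and matches(node, e))
```

Running resolve_members(GROUP_URL, DIRECTORY) yields only alice: batch is outside the search base and printer1 is not a posixAccount; lowering alice's clearance removes her from the group on the next resolution.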
4.2.1 Creating an HP-UX POSIX dynamic group
LDAP-UX Client Services only supports HP-UX POSIX dynamic groups. Use the following
procedure to create an HP-UX POSIX dynamic group:
1. Use the Directory Server Console to create a dynamic group, as described in Section 4.2.1.1.
2. Add the posixgroup objectclass and gidNumber attribute information to the dynamic
group entry created in the preceding step, as described in Section 4.2.1.2.
4.2.1.1 Step 1: Creating a dynamic group
You can use the Directory Server Console to create a dynamic group. For detailed information
on how to use the Directory Server Console to create a dynamic group, see the HP-UX Directory
Server administrator guide available at the following website:
http://www.hp.com/go/hpux-security-docs
Click HP-UX Directory Server.