LDAP-UX Client Services B.05.00 Administrator's Guide

4.2.2 Changing an HP-UX POSIX static group to a dynamic group
To change an HP-UX POSIX static group to an HP-UX POSIX dynamic group, use the Directory
Server Console to add the following objectclass and attribute information to the HP-UX POSIX
static group:
groupofurls objectclass
memberURL attribute
For detailed information on how to use the Directory Server Console to modify a group, see the
HP-UX Directory Server administrator guide available at the following website:
http://www.hp.com/go/hpux-security-docs
Click HP-UX Directory Server.
The following shows an example of an HP-UX POSIX static group entry:
dn: cn=all,ou=groups,dc=example,dc=hp,dc=com
objectClass: groupofuniquenames
objectClass: groupofnames
objectClass: posixgroup
objectClass: top
cn: all
gidNumber: 1000
memberuid: user1
After you add information for groupofurls and memberURL to the above HP-UX POSIX static
group entry, the HP-UX POSIX dynamic group entry is as follows:
dn: cn=all,ou=groups,dc=example,dc=hp,dc=com
objectClass: groupofuniquenames
objectClass: groupofnames
objectClass: groupofurls
objectClass: posixgroup
objectClass: top
cn: all
memberURL: ldap:///dc=example,dc=hp,dc=com??sub?(l=California)
gidNumber: 1000
memberuid: user1
The group “all” now contains both a static group member (user1) and dynamic members
(all user entries that can be retrieved from the tree under dc=example,dc=hp,dc=com and
that have the attribute value l=California).
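The following Python is an added example, not part of the original guide or of LDAP-UX. It models how the memberURL above selects dynamic members, which is useful for reviewing who a URL would pull into a group before you add it. The entries, function names, naive DN comparison, and the restriction to simple (attr=value) filters are assumptions made for illustration.

```python
from urllib.parse import unquote

# Constructed sample entries (DN -> attributes); not from a real directory.
ENTRIES = {
    "uid=user1,ou=people,dc=example,dc=hp,dc=com": {"uid": ["user1"], "l": ["Texas"]},
    "uid=user2,ou=people,dc=example,dc=hp,dc=com": {"uid": ["user2"], "l": ["California"]},
    "uid=user3,ou=people,dc=example,dc=hp,dc=com": {"uid": ["user3"], "l": ["california"]},
    "uid=user4,ou=people,dc=other,dc=com": {"uid": ["user4"], "l": ["California"]},
}

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter)."""
    scheme, sep, rest = url.partition("://")
    if scheme.lower() != "ldap" or not sep:
        raise ValueError("memberURL must be an ldap:// URL")
    _host, _, tail = rest.partition("/")
    base, _attrs, scope, filt = (tail.split("?") + [""] * 3)[:4]
    # RFC 4516 defaults: scope "base", filter "(objectClass=*)".
    return unquote(base), scope or "base", unquote(filt) or "(objectClass=*)"

def in_scope(dn, base, scope):
    """Naive DN scope test; assumes normalized DNs without escaped commas."""
    dn, base = dn.lower(), base.lower()
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base

def matches(attrs, filt):
    """Evaluate a single equality filter such as (l=California)."""
    attr, sep, value = filt.strip("()").partition("=")
    if not sep or any(c in filt[1:-1] for c in "()*&|!<>~"):
        raise ValueError("only simple (attr=value) filters are modeled here")
    values = {k.lower(): v for k, v in attrs.items()}.get(attr.lower(), [])
    # Case-insensitive compare, as the directory does for attributes like l.
    return value.lower() in (v.lower() for v in values)

def group_members(static_uids, member_url, entries=ENTRIES):
    """Union of static memberUid values and uids matched by memberURL."""
    base, scope, filt = parse_member_url(member_url)
    dynamic = {uid for dn, attrs in entries.items()
               if in_scope(dn, base, scope) and matches(attrs, filt)
               for uid in attrs.get("uid", [])}
    return sorted(set(static_uids) | dynamic)

if __name__ == "__main__":
    url = "ldap:///dc=example,dc=hp,dc=com??sub?(l=California)"
    print(group_members(["user1"], url))
```

Membership follows the filtered attribute: any entry under the base DN whose l value becomes California joins the group without the group entry itself being edited.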
4.3 Multiple group attribute mappings
By default, LDAP-UX uses the memberUid attribute to retrieve group members. With the support
of X.500 group member syntax, you can map the default group attribute, memberUid, to member
and/or uniquemember, in which you specify group members using user DNs. With dynamic group
support, LDAP-UX allows you to map memberUid to memberURL (if you use HP-UX Directory
Server or Red Hat Directory Server to create dynamic groups) or nxSearchFilter (if you use
HP OpenView Select Access or HP-UX Select Access for IdMI to create dynamic groups).
You can run the setup program and map memberUid to multiple attributes as needed. For
example, the following output of /opt/ldapux/config/display_profile_cache shows
that memberUid is mapped to the static group attributes memberUid, member and
uniquemember, and to the dynamic group attribute memberURL:
Group Service Configuration:
Attribute: is mapped to: