LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
5 Dynamic group support
This chapter contains information about how LDAP-UX Client Services supports dynamic groups,
how to set up dynamic groups, and how to enable or disable dynamic group caches.
5.1 Overview
A system administrator can associate users with a group and apply security policies (for example,
access control or password policies) to the group. As a result, all users belonging to the group inherit
those policies. In LDAP directories, there are two types of groups: static groups and dynamic
groups. A static group defines all of its users statically; each user must be added to the group individually
and explicitly. Dynamic groups associate users with a group based on conditions, which are
specified by a search filter. When a user's data matches the conditions, the user belongs
to the dynamic group. Dynamic groups offer the advantage of flexibility, and allow administrators
to easily implement a role-based authorization policy based upon a company's organizational
structure. Users are added to or removed from a group dynamically based on their current
status (such as the value of one or more attributes in the user's entry).
Since traditional POSIX-style groups are used largely to control file system access rights, dynamic
groups in LDAP-UX offer a new and flexible method for defining file system access policies. For
example, with file system access control lists (ACLs) it is possible to grant group access permission
to users that are members of a particular group (say, the "top secret" group). With dynamic
groups, instead of inserting each individual member into the group, LDAP-UX discovers all
users in the directory that have the "top secret" attribute associated with their entries. When
a user's attribute is no longer defined as "top secret", the user's membership in the "top secret"
group is automatically revoked (no manual change to the group is needed).
LDAP-UX Client Services B.05.00 supports dynamic groups with Windows 2003 R2/2008 Active
Directory Server.
5.2 Specifying a search filter for a dynamic group
Authorization Manager in Windows 2003 R2/2008 allows users to create LDAP query groups.
LDAP query groups define group members by specifying a query (that is, a search filter) in the
attribute msDS-AzLDAPQuery. LDAP query groups are dynamic groups because group members
are retrieved dynamically based on the search filter. LDAP-UX supports LDAP query groups only if those
groups are also POSIX groups (that is, they have the posixGroup object class and its attributes).
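To make the membership rule concrete, here is an added example (not code from this guide or from HP) that resolves the members of an LDAP query group by evaluating its msDS-AzLDAPQuery filter against user entries held in memory, and refuses groups that lack the posixGroup object class or a gidNumber, the condition LDAP-UX imposes. It handles the RFC 4515 subset &, |, !, presence and equality; the group, the users and the "clearance" and "accountStatus" attributes are constructed sample data, not values from the page.

```python
# Added example, not from the LDAP-UX guide: evaluate an msDS-AzLDAPQuery
# filter (RFC 4515 subset &, |, !, presence, equality) over in-memory entries.
# Entries map lowercase attribute names to lists of values (LDAP names are case-insensitive).

def parse_filter(text):
    def parse(i):
        i += 1                                    # skip the opening '('
        if text[i] in "&|":                       # AND / OR over sub-filters
            op, subs, i = text[i], [], i + 1
            while text[i] == "(":
                sub, i = parse(i)
                subs.append(sub)
            return (op, subs), i + 1              # skip the closing ')'
        if text[i] == "!":                        # NOT of one sub-filter
            sub, i = parse(i + 1)
            return ("!", sub), i + 1
        end = text.index(")", i)                  # simple attr=value item
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.lower(), value), end + 1
    return parse(0)[0]

def matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":                            # presence filter (attr=*)
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)

def dynamic_members(group, users):
    """Return the uids the group resolves to; reject groups LDAP-UX cannot use."""
    classes = [c.lower() for c in group.get("objectclass", [])]
    if "posixgroup" not in classes or "gidnumber" not in group:
        raise ValueError("group needs the posixGroup objectClass and a gidNumber")
    node = parse_filter(group["msds-azldapquery"][0])
    return sorted(u["uid"][0] for u in users if matches(node, u))

# Constructed sample data; "clearance" and "accountStatus" are hypothetical attributes.
SAMPLE_GROUP = {"cn": ["topsecret"], "objectclass": ["group", "posixGroup"],
                "gidnumber": ["5000"], "msds-azldapquery":
                ["(&(objectClass=user)(clearance=top secret)(!(accountStatus=disabled)))"]}
SAMPLE_USERS = [
    {"uid": ["alice"], "objectclass": ["user"], "clearance": ["top secret"]},
    {"uid": ["bob"], "objectclass": ["user"], "clearance": ["top secret"], "accountstatus": ["disabled"]},
    {"uid": ["carol"], "objectclass": ["user"], "clearance": ["confidential"]},
]
```

Running `dynamic_members(SAMPLE_GROUP, SAMPLE_USERS)` yields only alice: bob is excluded by the negated clause and carol does not match the clearance value, which is the revocation-without-editing-the-group behaviour described in the overview.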
5.2.1 Creating an HP-UX POSIX dynamic group
LDAP-UX supports only HP-UX POSIX dynamic groups on Windows Active Directory Server. Use
the following procedure to create an HP-UX POSIX dynamic group in Windows ADS:
1. Use Authorization Manager to create the dynamic group. See Section 5.2.1.1 (page 76) for
details.
2. Use ADSI Edit to add the POSIX group ID to the dynamic group entry created in Step 1. See
Section 5.2.1.2 (page 77) for details.
3. Grant the proxy user read permission to search dynamic groups in Windows ADS.
See Section 5.2.1.3 (page 78) for details.
5.2.1.1 Step 1: Creating a dynamic group (an LDAP query group)
You can use Authorization Manager to create dynamic groups (LDAP query groups) for your
applications. Membership in an LDAP query group is determined using an LDAP query on a given
user object. For detailed information on how to create LDAP query groups using Authorization
Manager, refer to Dynamic Groups in Windows Server 2003 Authorization Manager, available
at the following web site:
76 Dynamic group support