LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

NOTE: If the enable_dynamic_getgroupsbymember variable is set to 0, LDAP-UX still
returns dynamic members for a specific group. If you don't want dynamic members returned, you
must not include the msDS-AzLDAPQuery attribute in the memberUid group attribute mappings;
omitting it completely disables the dynamic group functionality in LDAP-UX.
5.7 Configuring dynamic group caches
To improve performance of dynamic groups, the ldapclient daemon, ldapclientd, caches
dynamic group members to reduce the LDAP-UX client response time while retrieving dynamic
group information. This cache is maintained in an independent memory space not shared with the
cache for other service data.
To configure dynamic group caches, set the parameters defined in the [dynamic_group] section
of the /etc/opt/ldapux/ldapclientd.conf file. See Section 6.1.4 (page 85) for details.
5.8 Dynamic group with Active Directory Server multiple domains
LDAP-UX Client Services supports dynamic groups with the following limitations on ADS multiple
domains:
• For dynamic groups configured in the local domain (i.e. the domain whose profile is
  /etc/opt/ldapux/ldapux_profile.ldif), LDAP-UX will return dynamic members for
  getgrnam()/getgrgid()/getgrent(), and return dynamic groups that a user belongs
  to.
• For dynamic groups configured in remote domains (i.e. those domains whose profiles are in
  the directory /etc/opt/ldapux/domain_profiles), LDAP-UX will return dynamic members
  for getgrnam()/getgrgid(), but not getgrent(). This is because LDAP-UX does not
  support data enumeration with remote domains. When returning groups that a user belongs
  to, LDAP-UX returns only those groups in the local domain (including static and dynamic
  groups), but not groups in remote domains.
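Under the limitations above, an access review built on group enumeration or on a user's group list will miss remote-domain groups. The following is an added example, not part of the HP guide: it compares by-name lookups against enumeration and by-member results to list those gaps. It assumes Python with the grp, pwd and os.getgrouplist interfaces is available on the client; the function names and the group names are hypothetical.

```python
import grp
import os
import pwd


def visibility_gaps(by_name, enumerated, memberships):
    """Compare three views of group data and report what two of them miss.

    by_name:     {group: (gid, [members])} from getgrnam()-style lookups
    enumerated:  set of group names seen via getgrent() enumeration
    memberships: {user: set of gids} from group-by-member lookups
    """
    hidden = sorted(g for g in by_name if g not in enumerated)
    missed = sorted(
        (user, group)
        for group, (gid, members) in by_name.items()
        for user in members
        if user in memberships and gid not in memberships[user]
    )
    return hidden, missed


def collect(group_names):
    """Gather the three views from the host's name service switch."""
    by_name = {}
    for name in group_names:
        try:
            entry = grp.getgrnam(name)
        except KeyError:
            continue  # group not resolvable at all on this host
        by_name[name] = (entry.gr_gid, list(entry.gr_mem))
    enumerated = {g.gr_name for g in grp.getgrall()}
    memberships = {}
    for _, members in by_name.values():
        for user in members:
            try:
                primary = pwd.getpwnam(user).pw_gid
            except KeyError:
                continue  # member name with no passwd entry
            memberships[user] = set(os.getgrouplist(user, primary))
    return by_name, enumerated, memberships


if __name__ == "__main__":
    # Constructed group names; replace with the groups used in access rules.
    views = collect(["unixadmins", "remote-dba"])
    print(visibility_gaps(*views))
```

The first list holds groups that resolve by name but never appear in enumeration; the second holds (user, group) pairs where the group lists the user as a member but the user's own group list omits it.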