LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

6 Dynamic group support
This chapter contains information about how LDAP-UX Client Services supports dynamic groups,
how to set up dynamic groups, and how to enable or disable dynamic group caches.
6.1 Overview
A system administrator can associate some users with a group, and apply security policies (such
as access control and password policies) to the group. As a result, all users belonging to the group
inherit the specific policies, such as being able to access a file. In LDAP directories, there are two
types of groups: static groups and dynamic groups. A static group defines all users statically. Each
user must be added to the group individually and explicitly. Dynamic groups associate users with
a group based on conditions. The condition may be specified by an LDAP web address (for an
HP directory server) or a search filter (for a Windows ADS). If a user’s data matches the specified
conditions, the user is a member of the dynamic group. Dynamic groups offer the advantage of
flexibility, and enable administrators to easily implement a role-based authorization policy based
upon a company's organizational structure. Users can be added to or removed from a group
dynamically based on the user's current status, such as the value of one or more attributes in the
user’s entry.
Since traditional POSIX-style groups are used largely to control file system access rights, dynamic
groups in LDAP-UX offer a new and flexible method for defining file system access policies. For
example, with file system ACLs, it is possible to grant group access permission to users who are
members of a particular group (say the "top secret" group). With dynamic groups, instead of
needing to insert each individual member in the group, LDAP-UX discovers all users in the directory
that have the "top secret" attribute associated with their entries. When a user's attribute is no
longer defined as "top secret", the user's membership in the "top secret" group is automatically revoked
(you do not have to make manual changes to the group).
LDAP-UX Client Services supports dynamic groups and allows you to configure them
using the same syntax as the following directory servers and identity management services:
HP-UX Directory Server or Red Hat Directory Server
Windows Server 2003 R2 or 2008 Active Directory Server
6.2 Creating an HP-UX dynamic group
LDAP-UX Client Services supports only HP-UX POSIX dynamic groups. To create an HP-UX POSIX
dynamic group in an HP directory server environment, follow the steps in Section 6.2.1 (page 173).
To create one in a Windows ADS environment, follow the steps in Section 6.2.2 (page 175).
6.2.1 Creating an HP-UX POSIX dynamic group in an HP directory server environment
HP-UX Directory Server and Red Hat Directory Server define the memberURL attribute and the
groupOfURLs object class to represent the dynamic group. All POSIX users who can be found
using the specified LDAP web address belong to the group.
To create an HP-UX POSIX dynamic group, follow these steps:
1. Use the Directory Server Console to create a dynamic group, as described in Section 6.2.1.1.
2. Add the posixgroup object class and gidNumber attribute information to the dynamic
group entry created in the preceding step, as described in Section 6.2.1.2 (page 174).
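As an added illustration (not code from this guide or from LDAP-UX itself), the following Python sketch shows what the resulting entry looks like after both steps and how its memberURL decides membership at lookup time. The DNs, the gidNumber 5001 and the clearance attribute are assumptions, and the filter evaluator covers only equality, presence, & and |.

```python
from urllib.parse import unquote

# Constructed LDIF for an HP-UX POSIX dynamic group (hypothetical DN, gidNumber and filter):
# groupOfURLs + memberURL make it dynamic (step 1); posixGroup + gidNumber make it POSIX (step 2).
MEMBER_URL = "ldap:///ou=People,dc=example,dc=com??sub?(&(objectClass=posixAccount)(clearance=topsecret))"
DYNAMIC_GROUP_LDIF = f"""\
dn: cn=topsecret,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
objectClass: posixGroup
cn: topsecret
gidNumber: 5001
memberURL: {MEMBER_URL}
"""

def user(uid, ou, clearance):  # constructed posixAccount entry; values are lists, as in LDAP
    return {"dn": f"uid={uid},ou={ou},dc=example,dc=com", "uid": [uid],
            "objectClass": ["posixAccount"], "clearance": [clearance]}

USERS = [user("alice", "People", "topsecret"), user("bob", "People", "secret"),
         user("carol", "Contractors", "topsecret")]  # carol is outside the URL's base DN

def parse_member_url(url):  # ldap:///base?attrs?scope?filter (RFC 4516) -> (base, scope, filter)
    base, _attrs, scope, filt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
    return unquote(base), scope or "base", unquote(filt) or "(objectClass=*)"

def _split_top(s):  # '(a=b)(c=d)' -> ['(a=b)', '(c=d)']
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            out.append(s[start:i + 1])
    return out

def matches(entry, filt):  # equality, presence, & and |: enough for a typical memberURL filter
    body = filt[1:-1]
    if body[0] in "&|":
        results = [matches(entry, f) for f in _split_top(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    lc = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive
    values = {v.lower() for v in lc.get(attr.lower(), [])}
    return bool(values) if value == "*" else value.lower() in values

def dynamic_members(entries, url=MEMBER_URL):  # uids the URL resolves to now; sub scope only
    base, _scope, filt = parse_member_url(url)
    return sorted(e["uid"][0] for e in entries
                  if e["dn"].lower().endswith("," + base.lower()) and matches(e, filt))
```

Changing bob's clearance attribute to topsecret makes dynamic_members(USERS) return both alice and bob without any edit to the group entry, which is the automatic membership behaviour described in the overview.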
6.2.1.1 Step 1: Creating a dynamic group
Use the Directory Server Console to create a dynamic group. For detailed information about using
the Directory Server Console to create a dynamic group, see the HP-UX Directory Server
administrator guide available at:
6.1 Overview 173