LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

objectClass: groupofurls
objectClass: posixgroup
objectClass: top
cn: dyngroup
memberURL: ldap:///dc=example,dc=hp,dc=com??sub?(l=California)
gidNumber: 500
6.2.2 Creating an HP-UX POSIX dynamic group in a Windows ADS environment
To create an HP-UX POSIX dynamic group in a Windows 2003 R2 or 2008 ADS environment,
use Authorization Manager. Authorization Manager creates an LDAP query group, which defines
group members by specifying a query (such as a search filter) using the attribute
msDS-AzLDAPQuery. LDAP query groups are dynamic groups in that group entries are retrieved
dynamically based on a search filter. LDAP-UX supports LDAP query groups only if they are POSIX
groups; that is, the groups must have the PosixGroup object class and attributes.
To create an HP-UX POSIX dynamic group supported in Windows ADS, follow these steps:
1. Use Authorization Manager to create dynamic groups, as described in Section 6.2.2.1
(page 175).
2. Use ADSI Edit to add the POSIX group ID to the dynamic group entry created in the preceding
step, as described in Section 6.2.2.2 (page 176).
3. Configure the proxy user to grant read permissions for searching dynamic groups in Windows
ADS, as described in Section 6.2.2.3 (page 176).
6.2.2.1 Step 1: Creating a dynamic group (an LDAP query group)
Use Authorization Manager to create dynamic groups (LDAP query groups) for your applications.
Membership in an LDAP query group is determined using an LDAP query on a given user object.
For detailed information about creating LDAP query groups using Authorization Manager, see
Dynamic Groups in Windows Server 2003 Authorization Manager, available at the following
web site:
http://msdn2.microsoft.com/en-us/library/ms952382.aspx
Example of a dynamic group entry
The following shows an example of a dynamic group entry (LDAP query group) created using
Authorization Manager:
dn: CN=group1,CN=AzGroupObjectContainer-dyngroup,CN=dyngroup,DC=hp,DC=com
objectClass: top
objectClass: group
cn: group1
description: my dynamic group
distinguishedName: CN=group1,CN=AzGroupObjectContainer-dyngroup,CN=dyngroup,DC=hp,DC=com
instanceType: 4
whenCreated: 20060313181428.0Z
whenChanged: 20060313182629.0Z
uSNCreated: 16588
uSNChanged: 16597
name: group1
objectGUID:: 2qO9YxkqAUuwCmkMJ371DA==
objectSid:: AQUAAAAAAAUVAAAAuEKpalCWUfgTN3lpVwQAAA==
sAMAccountName: $N21000-OA67EGECFDSP
sAMAccountType: 1073741825
groupType: 32
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hp,DC=com
msDS-AzLDAPQuery: (cn=p*)
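The following is an added example, not part of the HP guide or of LDAP-UX: a Python check that reads a dynamic group entry exported as LDIF, extracts the query that defines its membership (memberURL or msDS-AzLDAPQuery), and reports whether the entry carries POSIX group data. Treating gidNumber as the POSIX group ID on an ADS entry is an assumption carried over from the directory server entry at the top of this page. ADS_GROUP is the Step 1 entry above, before a POSIX group ID has been added, so the check reports none for it.

```python
from urllib.parse import unquote

# Abbreviated from the entries on this page; the first dn is constructed.
DS_GROUP = """dn: cn=dyngroup,ou=groups,dc=example,dc=hp,dc=com
objectClass: groupofurls
objectClass: posixgroup
memberURL: ldap:///dc=example,dc=hp,dc=com??sub?(l=California)
gidNumber: 500
"""
ADS_GROUP = """dn: CN=group1,CN=AzGroupObjectContainer-dyngroup,CN=dyngroup,
 DC=hp,DC=com
objectClass: group
msDS-AzLDAPQuery: (cn=p*)
"""

def parse_ldif_entry(text):
    """One LDIF entry -> {lowercased attribute: [values]}, unfolding wrapped lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # RFC 2849 continuation line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        # a "::" (base64) value is kept undecoded; this check never reads one
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(":").strip())
    return entry

def dynamic_membership(entry):
    """Return (attribute, base, scope, filter) of the membership query, or None."""
    if "msds-azldapquery" in entry:
        return ("msDS-AzLDAPQuery", None, None, entry["msds-azldapquery"][0])
    if "memberurl" in entry:
        # LDAP URL layout: ldap://host/base?attributes?scope?filter
        tail = entry["memberurl"][0].split("://", 1)[1].partition("/")[2]
        base, _attrs, scope, flt = (unquote(p) for p in (tail.split("?") + [""] * 3)[:4])
        return ("memberURL", base, scope or "base", flt or "(objectClass=*)")
    return None

def audit(text):
    """Summarise whether a dynamic group entry carries what LDAP-UX needs."""
    entry = parse_ldif_entry(text)
    gid = entry.get("gidnumber", [""])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return {"query": dynamic_membership(entry), "posix_class": "posixgroup" in classes,
            "gid": int(gid) if gid.isdigit() else None}
```

Reviewing the extracted filter matters because the query alone decides who is a member: (cn=p*) matches every object whose cn begins with "p".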
6.2 Creating an HP-UX dynamic group 175