LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

6.2.2.2 Step 2: Adding POSIX attributes to a dynamic group
Use ADSI Edit to add the following attribute (including POSIX group ID information) to the dynamic group entry created in the preceding step:
- GidNumber attribute for Windows 2003 R2 or 2008 ADS
Example dynamic group entry
The following example shows the last three lines of an HP-UX POSIX dynamic group entry for a Windows 2003 R2 or 2008 ADS. The GidNumber information added to the dynamic group entry is the last line.
...
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hp,DC=com
msDS-AzLDAPQuery: (cn=p*)
GidNumber: 10005
6.2.2.3 Step 3: Setting read permissions for the proxy user
The LDAP query groups (dynamic groups) created by Authorization Manager are not placed under
the CN=Users container. Authorization Manager creates its own authorization store objects (for
example, CN=dyngroup). By default, a regular user is not allowed to read LDAP entries under
those authorization store objects.
To support the dynamic group feature with LDAP-UX, you must grant the proxy user read permissions on those authorization store objects. To grant the proxy user read permissions for a sample authorization store object CN=dyngroup containing dynamic groups, perform the following steps:
1. Bring up the console by starting mmc from Run.
2. Add the ADSI Edit snap-in.
3. Connect to the domain from Action.
4. Select the authorization store object CN=dyngroup and right-click on the Properties tab.
5. Select the Security tab on the Properties window.
6. Select Add on the Security window.
7. Add the proxy user and select OK.
8. In the Permissions dialog box, select the Allow box for the read permission.
9. Select Advanced on the Security window.
10. Select the proxy user and then select Edit.
11. Select This object and all child objects from the Apply onto drop-down list in the dialog box.
12. In the Permissions dialog box, verify that List Contents, Read All Properties and Read Permissions are selected.
To support dynamic groups with LDAP-UX, you must configure the proxy user to grant the read
permissions for each authorization store object in Windows ADS. If you configure dynamic groups
for more than one domain, repeat the steps outlined in this section for every domain that you want
to support with LDAP-UX.
6.2.3 Changing an HP-UX POSIX static group to a dynamic group
For an HP directory server environment, to change an HP-UX POSIX static group to an HP-UX POSIX dynamic group, use the Directory Server Console to add the following object class and attribute to the HP-UX POSIX static group:
- groupofurls object class
- memberURL attribute
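The following is an added example, not part of the HP guide or the LDAP-UX product: it checks an exported group entry for the attributes this section and section 6.2.2 require (GidNumber, plus msDS-AzLDAPQuery on ADS or groupofurls/memberURL on an HP directory server) and validates the LDAP URL in memberURL. The HP directory server sample entry and its memberURL value are assumptions; the ADS sample mirrors the guide's example.

```python
# Added example (not from the HP guide): check that a group entry carries what
# LDAP-UX needs to use it as a POSIX dynamic group (ADS or HP directory server).
from urllib.parse import unquote

def parse_entry(text):
    """Parse 'attr: value' lines into {lowercase attr: [values]}; '.' ellipsis rows are skipped."""
    entry = {}
    for line in (l.strip() for l in text.splitlines() if ':' in l):
        attr, value = line.split(':', 1)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_member_url(url):
    """Validate the RFC 4516 LDAP URL held in memberURL: ldap:///base?attrs?scope?filter."""
    if not url.lower().startswith('ldap://'):
        return ['memberURL is not an ldap:// URL: %r' % url]
    parts = url[len('ldap://'):].partition('/')[2].split('?') + ['', '', '']
    base, scope, filt = unquote(parts[0]), parts[2] or 'base', unquote(parts[3])
    problems = []
    if not base:
        problems.append('memberURL has an empty search base')
    if scope.lower() not in ('base', 'one', 'sub'):
        problems.append('memberURL scope must be base/one/sub, got %r' % scope)
    if filt.count('(') != filt.count(')'):
        problems.append('memberURL filter has unbalanced parentheses: %r' % filt)
    return problems

def check_posix_dynamic_group(text):
    """Return a list of problems; an empty list means LDAP-UX can resolve the group."""
    e, problems = parse_entry(text), []
    gid = e.get('gidnumber', [''])[0]
    if not gid.isdigit():
        problems.append('gidNumber missing or not numeric: %r' % gid)
    is_ads, is_hpds = 'msds-azldapquery' in e, 'memberurl' in e
    if not (is_ads or is_hpds):
        problems.append('neither msDS-AzLDAPQuery (ADS) nor memberURL (HP DS): not a dynamic group')
    if is_hpds and 'groupofurls' not in [oc.lower() for oc in e.get('objectclass', [])]:
        problems.append('memberURL present but objectClass groupofurls is missing')
    for url in e.get('memberurl', []):
        problems += check_member_url(url)
    return problems

# Constructed samples: ADS_ENTRY mirrors the guide's example; HPDS_ENTRY is an assumed
# HP directory server group after the section 6.2.3 change (memberURL value is assumed).
ADS_ENTRY = """objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hp,DC=com
msDS-AzLDAPQuery: (cn=p*)
GidNumber: 10005"""
HPDS_ENTRY = """objectClass: groupofurls
memberURL: ldap:///ou=People,dc=hp,dc=com??sub?(cn=p*)
gidNumber: 10005"""
```

Run the checker against an ldapsearch or ADSI Edit export of the group before pointing LDAP-UX at it; any returned problem is one the proxy user will hit at lookup time.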
176 Dynamic group support