LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

6.3 Multiple group attribute mappings
By default, LDAP-UX uses the memberUid attribute to retrieve group members. With the support
of X.500 group member syntax, you can map the default group attribute memberUid to member
or uniquemember (or to both), specifying group members using user DNs. With dynamic group
support in an HP directory server environment, LDAP-UX enables you to map memberUid to
memberURL (if you use HP-UX Directory Server or Red Hat Directory Server to create dynamic
groups) or nxSearchFilter (if you use HP OpenView Select Access or HP-UX Select Access for
IdMI to create dynamic groups). In a Windows ADS environment, if you use Authorization Manager
to create dynamic groups, LDAP-UX enables you to map memberUid to msDS-AzLDAPQuery.
You can run the setup program and map memberUid to multiple attributes as needed. The
following output of /opt/ldapux/config/display_profile_cache in an HP directory
server environment shows that memberUid is mapped to static group attributes memberUid,
member, and uniquemember, and to dynamic group attribute memberURL:
Group Service Configuration:
Attribute:    is mapped to:
-----------   -------------
name:         cn
gid:          gidnumber
members:      memberuid memberURL
              member uniquemember
The following output of /opt/ldapux/config/display_profile_cache in a Windows
ADS environment shows that memberUid is mapped to static group attributes memberUid and
member, and to the dynamic group attribute msDS-AzLDAPQuery (this example assumes that
the directory server is Windows 2003 R2 ADS):
Group Service Configuration:
Attribute:    is mapped to:
-----------   -------------
name:         cn
gid:          gidnumber
members:      memberuid msDS-AzLDAPQuery
              member
LDAP-UX retrieves group members, and determines the groups that a specific user belongs to, by
looking in all configured attributes. If needed, in a non-Windows environment you can create a group
that includes both static and dynamic members; when returning group members, LDAP-UX returns
both the static and the dynamic members that belong to that group.
When processing dynamic group attributes in an HP directory server environment, LDAP-UX retrieves
group members by combining the search filter of the passwd service from the profile with the search
filter specified in memberURL (the filter is the last component of the LDAP URL stored in memberURL)
or in nxSearchFilter. An entry must satisfy both filters, which ensures that the group members
returned are POSIX accounts and conform to the configuration set for LDAP-UX.
In a Windows ADS environment, an LDAP query group specifies dynamic members using a search
filter. To retrieve group members, LDAP-UX uses the search base and search scope of the passwd
service from the profile, and combines the search filter of the passwd service from the profile with
the search filter specified by msDS-AzLDAPQuery. This ensures that the group members returned are
POSIX accounts and conform to the configuration set for LDAP-UX.
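The filter combination described in the two preceding paragraphs, for the HP directory server case (memberURL, nxSearchFilter) and the Windows ADS case (msDS-AzLDAPQuery), as an added example; this is not LDAP-UX code. It assumes a passwd service with search base ou=People,dc=example,dc=com, scope sub and filter (objectClass=posixAccount), uses that base and scope for all three attributes (the page states this only for msDS-AzLDAPQuery), and evaluates the combined filter against a constructed in-memory directory with a toy evaluator that covers only &, |, ! and equality or presence matches:

```python
"""Added example (not LDAP-UX code): how a passwd-service filter is ANDed
with a dynamic-group filter so only POSIX accounts come back as members.
Profile values, directory entries and the toy filter evaluator are constructed."""
from urllib.parse import unquote

# Assumed passwd service settings; a real profile's values would differ.
PASSWD_BASE = "ou=People,dc=example,dc=com"
PASSWD_SCOPE = "sub"
PASSWD_FILTER = "(objectClass=posixAccount)"


def filter_from_member_url(member_url):
    """Return the filter part of an RFC 4516 LDAP URL:
    ldap://[host]/base?attrs?scope?filter[?extensions]."""
    if not member_url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % member_url)
    rest = member_url[len("ldap://"):]
    path = rest.split("/", 1)[1] if "/" in rest else ""
    parts = path.split("?")
    if len(parts) < 4 or not parts[3]:
        raise ValueError("memberURL carries no filter: %r" % member_url)
    return unquote(parts[3])


def effective_search(dynamic_attr, value):
    """(base, scope, filter) to search for one dynamic group attribute.
    memberURL holds a URL; nxSearchFilter and msDS-AzLDAPQuery hold a bare
    filter. Assumption: base and scope always come from the passwd service."""
    if dynamic_attr.lower() == "memberurl":
        dyn = filter_from_member_url(value)
    else:
        dyn = value.strip()
    if not dyn.startswith("("):
        dyn = "(%s)" % dyn
    return PASSWD_BASE, PASSWD_SCOPE, "(&%s%s)" % (PASSWD_FILTER, dyn)


def _parse(f, i=0):
    """Tiny filter parser: &, |, !, attr=value and attr=* (presence) only."""
    if f[i] != "(":
        raise ValueError("bad filter at %d: %r" % (i, f))
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, _, val = f[i:end].partition("=")
    return ("=", attr.strip().lower(), val), end + 1


def _match(node, entry):
    """Evaluate a parsed filter against an entry {lowercase attr: [values]}."""
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    if node[0] == "!":
        return not _match(node[1][0], entry)
    _, attr, val = node
    values = [str(v).lower() for v in entry.get(attr, [])]
    return bool(values) if val == "*" else val.lower() in values


def dynamic_members(dynamic_attr, value, directory):
    """Stand-in for the directory search (scope 'sub' == DN under base):
    uids of entries under the passwd base matching the combined filter."""
    base, _scope, flt = effective_search(dynamic_attr, value)
    tree, _ = _parse(flt)
    return sorted(e["uid"][0] for dn, e in directory.items()
                  if dn.lower().endswith(base.lower()) and _match(tree, e))


# Constructed directory: two POSIX users, a non-POSIX service entry that the
# group filter alone would match, and a POSIX user outside the passwd base.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson",
        "posixAccount"], "uid": ["alice"], "departmentnumber": ["1000"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson",
        "posixAccount"], "uid": ["bob"], "departmentnumber": ["2000"]},
    "uid=svc-backup,ou=People,dc=example,dc=com": {"objectclass":
        ["inetOrgPerson"], "uid": ["svc-backup"], "departmentnumber": ["1000"]},
    "uid=carol,ou=Contractors,dc=example,dc=com": {"objectclass":
        ["inetOrgPerson", "posixAccount"], "uid": ["carol"],
        "departmentnumber": ["1000"]},
}

if __name__ == "__main__":
    url = "ldap:///ou=People,dc=example,dc=com??sub?(departmentNumber=1000)"
    print(effective_search("memberURL", url)[2])
    print(dynamic_members("memberURL", url, DIRECTORY))            # ['alice']
    print(dynamic_members("msDS-AzLDAPQuery", "departmentNumber=2000",
                          DIRECTORY))                               # ['bob']
```

The entries to watch when checking this against a real directory are svc-backup, which satisfies the group's own filter but is not a posixAccount and is therefore never returned as a member, and carol, a POSIX account that matches the filter but sits outside the passwd search base. An ldapsearch with the printed combined filter under the passwd base returns the same membership.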
6.3.1 Multiple group attribute mapping examples
The following output example of /opt/ldapux/config/display_profile_cache shows a
passwd service configuration established for a Windows ADS environment. This configuration is
the basis for the sample group entries that follow (it is applicable to both HP directory server and
Windows ADS environments).
178 Dynamic group support