Red Hat Directory Server 8.0 Administrator's Guide

To assign a particular role to a given entry.
To remove a particular role from a given entry.
Managed roles can do everything that can normally be done with static groups. The role
members can be filtered using filtered roles, similarly to the filtering with dynamic groups. Roles
are easier to use than groups, more flexible in their implementation, and reduce client
complexity.
However, evaluating roles is more resource-intensive because the server does the work for the
client application. With roles, the client application can check role membership by searching the
nsRole attribute. The nsRole attribute is a computed attribute, which identifies to which roles an
entry belongs; the nsRole attribute is not stored with the entry itself. From the client application
point of view, the method for checking membership is uniform and is performed on the server
side.
NOTE
The nsRole attribute is an operational attribute. In LDAP, operational attributes
must be requested explicitly in the search attributes list; they are not returned by
default with the regular attributes in the schema of the entry. For example, this
ldapsearch command returns the list of roles of which uid=scarter is a
member, in addition to the regular attributes for the entry:
ldapsearch ... args ... "(uid=scarter)" \* nsRole
Be sure to use the nsRole attribute, not the nsRoleDN attribute, to evaluate role
membership.
The Console will automatically show the roles.
Each role has members, or entries that possess the role. Members can be specified either
explicitly or dynamically. How role membership is specified depends upon the type of role.
Directory Server supports three types of roles:
Managed roles have an explicit enumerated list of members.
Filtered roles assign entries to the role according to the attributes each entry contains,
as specified in an LDAP filter. Entries that match the filter are said to possess the role.
Nested roles are roles that contain other roles.
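The following Python script is an added example, not code from the Red Hat guide or from Directory Server. It models the three role types and the computed nsRole attribute with a small filter evaluator (equality, presence, &, | and ! only) over constructed sample entries, and its toy search() returns nsRole only when the attribute is named explicitly, as the NOTE above describes for ldapsearch. The object classes nsManagedRoleDefinition, nsFilteredRoleDefinition and nsNestedRoleDefinition and the nsRoleFilter attribute are real Directory Server names, but the evaluation logic here is a simplified model, not the server's implementation, and all entry data is made up.

```python
"""Toy model of how Directory Server computes nsRole from role definitions.

Added example, not the guide's or the server's code: a simplified model of
role evaluation whose filter evaluator handles only equality, presence, &, | and !.
Attribute names are stored lower-cased, since LDAP compares them case-insensitively.
"""

MARKETING = "cn=marketing,ou=people,dc=example,dc=com"
STAFF = "cn=staff,ou=people,dc=example,dc=com"
ALL_ROLES = "cn=all-roles,ou=people,dc=example,dc=com"

# Constructed role definitions (object class and attribute names are real
# Directory Server names; the DNs and values are made up).
ROLES = {
    MARKETING: {"objectclass": "nsManagedRoleDefinition"},
    STAFF: {"objectclass": "nsFilteredRoleDefinition",
            "nsrolefilter": "(&(objectclass=person)(employeetype=regular))"},
    ALL_ROLES: {"objectclass": "nsNestedRoleDefinition",
                "nsroledn": [MARKETING, STAFF]},
}

# Constructed user entries. Only scarter and tmorris store an nsRoleDN value.
ENTRIES = {
    "uid=scarter,ou=people,dc=example,dc=com": {
        "uid": ["scarter"], "objectclass": ["person"],
        "employeetype": ["regular"], "nsroledn": [MARKETING]},
    "uid=tmorris,ou=people,dc=example,dc=com": {
        "uid": ["tmorris"], "objectclass": ["person"],
        "employeetype": ["contractor"], "nsroledn": [MARKETING]},
    "uid=bjensen,ou=people,dc=example,dc=com": {
        "uid": ["bjensen"], "objectclass": ["person"],
        "employeetype": ["regular"]},
}


def parse_filter(filt, pos=0):
    """Parse a parenthesised LDAP filter into a tuple tree; returns (node, end)."""
    pos += 1                                # skip the opening '('
    if filt[pos] in "&|!":
        op, pos, kids = filt[pos], pos + 1, []
        while filt[pos] == "(":
            node, pos = parse_filter(filt, pos)
            kids.append(node)
        return (op, kids), pos + 1          # skip the closing ')'
    end = filt.index(")", pos)              # simple (attr=value) or (attr=*) item
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def matches(entry, node):
    """Evaluate a parsed filter against one entry (dict of lower-cased attrs)."""
    op = node[0]
    if op == "&":
        return all(matches(entry, k) for k in node[1])
    if op == "|":
        return any(matches(entry, k) for k in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                        # presence filter (attr=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def compute_nsrole(entry, roles):
    """Return the set of role DNs the entry holds, as the server's nsRole would list."""
    held = set()
    for dn, role in roles.items():
        oc = role["objectclass"]
        if oc == "nsManagedRoleDefinition" and dn in entry.get("nsroledn", []):
            held.add(dn)                    # explicit membership via stored nsRoleDN
        elif oc == "nsFilteredRoleDefinition":
            node, _ = parse_filter(role["nsrolefilter"])
            if matches(entry, node):
                held.add(dn)                # membership by attribute match
    changed = True                          # nested roles: iterate to a fixed point
    while changed:
        changed = False
        for dn, role in roles.items():
            if (role["objectclass"] == "nsNestedRoleDefinition" and dn not in held
                    and any(r in held for r in role["nsroledn"])):
                held.add(dn)
                changed = True
    return held


def search(entries, roles, filt, attrs=("*",)):
    """Toy ldapsearch: '*' means all user attributes; nsRole only when named."""
    node, _ = parse_filter(filt)
    want = {a.lower() for a in attrs}
    results = {}
    for dn, entry in entries.items():
        if not matches(entry, node):
            continue
        out = dict(entry) if "*" in want else {k: v for k, v in entry.items() if k in want}
        if "nsrole" in want:                # operational attribute: explicit request only
            out["nsrole"] = sorted(compute_nsrole(entry, roles))
        results[dn] = out
    return results


if __name__ == "__main__":
    for dn, a in search(ENTRIES, ROLES, "(objectclass=person)", ("nsRoleDN", "nsRole")).items():
        print(dn, "| stored nsRoleDN:", a.get("nsroledn", []), "| computed nsRole:", a["nsrole"])
```

Running the script shows bjensen holding two roles while storing no nsRoleDN at all, and scarter holding three roles while storing one: this is why a client that inspects the stored nsRoleDN instead of the computed nsRole misses filtered and nested membership, and why nsRole must be listed explicitly in the requested attributes.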
The concept of activating/inactivating roles allows entire groups of entries to be activated or
inactivated in just one operation. That is, the members of a role can be temporarily disabled by
Chapter 5. Managing Entries with Roles, Class of Service, and Views
132