Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

How Dynamic Groups Are Implemented

Proxy Server implements dynamic groups in the LDAP server schema as objectclass=groupOfURLs. A groupOfURLs object can have zero or more memberURL attributes, each of which is an LDAP URL that describes a set of objects in the directory. The members of the group are the union of these sets. For example, the following group contains just one member URL:

ldap:///o=mcom.com??sub?(department=marketing)

This example describes a set that consists of all objects below o=mcom.com whose department attribute is marketing. The LDAP URL can contain a search base DN, a scope, and a filter, but not a host name and port. Therefore, a memberURL can only refer to objects on the same LDAP server. All scopes are supported. For more information about LDAP URLs, see Guidelines for Creating Dynamic Groups.

Matching DNs are included automatically; you do not have to add each individual to the group. The group changes dynamically because Proxy Server performs an LDAP search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.

Note – Proxy Server uses the cn attribute as the group name for ACLs.

The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf file (which associates the ACL database names with actual LDAP database URLs) and in the ACL file (which defines which databases are to be used for which ACL). For example, if you want to base access rights on membership in a group named staff, the ACL code looks up an object with an object class of groupOfanything (that is, any groupOf* class) and a cn of staff. The object defines the members of the group, either by explicitly enumerating the member DNs (as groupOfUniqueNames does for static groups) or by specifying LDAP URLs (as groupOfURLs does).

Note – Groups can be both static and dynamic. A group object can have both objectclass=groupOfUniqueNames and objectclass=groupOfURLs. Therefore, both uniqueMember and memberURL attributes are valid. The group's membership is the union of its static and dynamic members.
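The lookup described above (a memberURL with base DN, scope and filter but no host or port; a live search per ACL check; membership as the union of uniqueMember and memberURL results) can be modelled in a few dozen lines. The following Python is an added example, not the guide's text or Proxy Server's own code: the in-memory DIRECTORY, its DNs and attribute values are constructed sample data, and the filter evaluator handles only equality and presence tests combined with &, | and !, a small subset of the real LDAP filter grammar.

```python
# Added example: models the group lookup the guide describes; not Proxy Server code.
# DIRECTORY is constructed sample data. Filter support is limited to equality and
# presence tests combined with &, | and !, a subset of the full LDAP filter grammar.
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote

Entry = Dict[str, List[str]]
# Constructed directory: normalized DN -> attributes (keys and values lowercase).
DIRECTORY: Dict[str, Entry] = {
    "o=mcom.com": {"objectclass": ["organization"]},
    "ou=people,o=mcom.com": {"objectclass": ["organizationalunit"]},
    "uid=alice,ou=people,o=mcom.com": {"objectclass": ["inetorgperson"], "cn": ["alice"], "department": ["marketing"]},
    "uid=bob,ou=people,o=mcom.com": {"objectclass": ["inetorgperson"], "cn": ["bob"], "department": ["engineering"]},
    "uid=carol,ou=contractors,o=mcom.com": {"objectclass": ["inetorgperson"], "cn": ["carol"], "department": ["marketing"]},
    # Hybrid group: a static uniqueMember plus a dynamic memberURL.
    "cn=staff,ou=groups,o=mcom.com": {
        "objectclass": ["groupofuniquenames", "groupofurls"], "cn": ["staff"],
        "uniquemember": ["uid=bob,ou=people,o=mcom.com"],
        "memberurl": ["ldap:///o=mcom.com??sub?(department=marketing)"],
    },
}

def normalize_dn(dn: str) -> str:
    # Assumes no escaped commas inside RDN values (true for the sample data).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_member_url(url: str) -> Tuple[str, str, str]:
    """Split an RFC 4516 URL into (base DN, scope, filter); a host/port part is rejected."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("memberURL must use the ldap:// scheme")
    hostport, _, tail = url[len("ldap://"):].partition("/")
    if hostport:  # the guide allows only same-server references
        raise ValueError(f"host/port not permitted in memberURL: {hostport!r}")
    parts = tail.split("?")  # dn ? attributes ? scope ? filter ? extensions
    scope = parts[2].lower() if len(parts) > 2 and parts[2] else "base"
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectclass=*)"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return normalize_dn(unquote(parts[0])), scope, filt

def in_scope(dn: str, base: str, scope: str) -> bool:
    dn, base = normalize_dn(dn), normalize_dn(base)
    if scope == "base":
        return dn == base
    if dn != base and not dn.endswith("," + base):
        return False
    if scope == "sub":
        return True
    return dn != base and dn.count(",") == base.count(",") + 1  # "one": direct children only

def _split_subfilters(body: str) -> List[str]:
    # Split "(a=1)(b=2)" into its top-level parenthesised components.
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(body[start:i + 1])
    return parts

def match_filter(entry: Entry, filt: str) -> bool:
    filt = filt.strip()
    if len(filt) < 3 or filt[0] != "(" or filt[-1] != ")":
        raise ValueError(f"malformed filter {filt!r}")
    body = filt[1:-1]
    if body[0] in "&|!":
        results = [match_filter(entry, sub) for sub in _split_subfilters(body[1:])]
        if body[0] == "&":
            return all(results)
        return any(results) if body[0] == "|" else not results[0]
    attr, _, value = body.partition("=")
    values = entry.get(attr.strip().lower(), [])
    return bool(values) if value == "*" else value.lower() in values  # "*" is a presence test

def search(base: str, scope: str, filt: str) -> Set[str]:
    return {dn for dn, e in DIRECTORY.items() if in_scope(dn, base, scope) and match_filter(e, filt)}

def find_group(name: str) -> Entry:
    """The ACL group name is matched against cn of an object with a groupOf* class."""
    for entry in DIRECTORY.values():
        is_group = any(oc.startswith("groupof") for oc in entry.get("objectclass", []))
        if is_group and name.lower() in entry.get("cn", []):
            return entry
    raise LookupError(f"no group object with cn={name}")

def members(group_name: str) -> Set[str]:
    """Union of static (uniqueMember) and dynamic (memberURL) members."""
    group = find_group(group_name)
    result = {normalize_dn(m) for m in group.get("uniquemember", [])}
    for url in group.get("memberurl", []):
        result |= search(*parse_member_url(url))  # a fresh search on every lookup
    return result

def is_member(user_dn: str, group_name: str) -> bool:
    return normalize_dn(user_dn) in members(group_name)

def is_valid_member_url(url: str) -> bool:
    try:
        parse_member_url(url)
        return True
    except ValueError:
        return False
```

With the sample data, members("staff") yields bob through the static uniqueMember and alice and carol through the memberURL, even though carol sits under a different organizational unit, because the URL's scope is sub. Since every ACL verification repeats the search, a memberURL whose filter is broad or unindexed costs a directory search per access check, which is worth keeping in mind when writing the filters.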