Sun OpenDS Standard Edition 2.0 Administration Guide

Defining Static Groups

A static group is one whose entry contains a membership list of explicit DNs. Many clients support static groups, but static groups become difficult to manage as the number of members grows. For example, if a member entry requires a DN change, you must update that user's DN in every group to which the user belongs.

Because a static group contains a list of explicit member DNs, its database footprint increases as the membership list grows. For this reason, a static group is best suited to small groups (fewer than 10,000 members) whose entries do not change frequently. Large static groups can have a detrimental impact on performance. If you know that group membership will exceed 10,000, consider using dynamic groups instead.

Figure: A static group definition

The directory server supports the following three types of static groups, distinguished by the object class they use: groupOfNames, groupOfUniqueNames, and groupOfEntries. The groupOfNames and groupOfEntries classes list their members in the member attribute; groupOfUniqueNames lists them in the uniqueMember attribute. The following procedures show how to create a group of each type.

To Create a Static Group With groupOfNames

  1. Create the group entry in LDIF, including the group name (cn) and the groupOfNames object class.

    This example shows an LDIF file, named static-group1.ldif, that defines the new group.

    dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com
    cn: Directory Administrators
    objectclass: top
    objectclass: groupOfNames
    ou: Groups
    member: uid=ttully,ou=People,dc=example,dc=com
    member: uid=charvey,ou=People,dc=example,dc=com
    member: uid=rfisher,ou=People,dc=example,dc=com
  2. Add the group by using ldapmodify to apply the LDIF file.
    $ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      --defaultAdd --filename static-group1.ldif
    Processing ADD request for cn=Directory Administrators,ou=Groups,dc=example,dc=com
    ADD operation successful for DN cn=Directory Administrators,ou=Groups,dc=example,dc=com

To Create a Static Group With groupOfUniqueNames

  1. Create the group entry in LDIF, including the group name (cn) and the groupOfUniqueNames object class.

    This example shows an LDIF file, named static-group2.ldif, that defines the new group.

    dn: cn=Directory Administrators2,ou=Groups,dc=example,dc=com
    cn: Directory Administrators2
    objectclass: top
    objectclass: groupOfUniqueNames
    ou: Groups
    uniquemember: uid=alangdon,ou=People,dc=example,dc=com
    uniquemember: uid=drose,ou=People,dc=example,dc=com
    uniquemember: uid=polfield,ou=People,dc=example,dc=com
  2. Add the group by using ldapmodify to apply the LDIF file.
    $ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      --defaultAdd --filename static-group2.ldif
  3. Verify the change by using ldapsearch and the isMemberOf attribute.
    $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      --baseDN dc=example,dc=com "(uid=alangdon)" isMemberOf
    dn: uid=alangdon,ou=People,dc=example,dc=com
    isMemberOf: cn=Directory Administrators2,ou=Groups,dc=example,dc=com

To Create a Static Group With groupOfEntries

  1. Create the group entry in LDIF, including the group name (cn) and the groupOfEntries object class.

    This example shows an LDIF file, named static-group3.ldif, that defines the new group.

    dn: cn=Directory Administrators3,ou=Groups,dc=example,dc=com
    cn: Directory Administrators3
    objectclass: top
    objectclass: groupOfEntries
    ou: Groups
    member: uid=bfrancis,ou=People,dc=example,dc=com
    member: uid=tjames,ou=People,dc=example,dc=com
    member: uid=bparker,ou=People,dc=example,dc=com
  2. Add the group by using ldapmodify to apply the LDIF file.
    $ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      --defaultAdd --filename static-group3.ldif
  3. Verify the change by using ldapsearch and the isMemberOf attribute.
    $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      --baseDN dc=example,dc=com "(uid=bparker)" isMemberOf
    dn: uid=bparker,ou=People,dc=example,dc=com
    isMemberOf: cn=Directory Administrators3,ou=Groups,dc=example,dc=com

To List All Members of a Static Group

You can use the isMemberOf virtual attribute to search for the groups to which a user belongs. The attribute is not stored in the user entry: the server adds it to the entry when the search starts and removes it after the search has finished. This provides easy management of groups with fast read access.
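As an added example that is not part of the OpenDS guide, the following Python script models the three creation procedures above and the isMemberOf check offline: it reads a constructed LDIF file containing two of the groups shown, chooses member or uniqueMember from the object class, computes which groups list a given user DN (the offline counterpart of the isMemberOf verification in step 3), and generates the modify records a user DN change would require in every group, which is the maintenance cost noted in the overview. The function names, the DN normalization rule and the sample LDIF are assumptions of this example, not OpenDS code.

```python
# Added example (not from the OpenDS guide): offline model of the static groups above.
import re
# Member attribute used by each static-group object class (keys lowercased).
MEMBER_ATTR = {"groupofnames": "member", "groupofentries": "member",
               "groupofuniquenames": "uniquemember"}
# Constructed LDIF: two of the groups shown above, with ttully deliberately in both.
SAMPLE_LDIF = """\
dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com
objectclass: groupOfNames
member: uid=ttully,ou=People,dc=example,dc=com
member: uid=charvey,ou=People,dc=example,dc=com

dn: cn=Directory Administrators2,ou=Groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: uid=alangdon,ou=People,dc=example,dc=com
uniquemember: UID=ttully, ou=People, dc=example, dc=com
"""

def norm_dn(dn):
    """DNs compare case-insensitively; whitespace after a comma separator is ignored."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry, attribute names lowercased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def member_attr(group):
    """Return 'member' or 'uniquemember' according to the group's object class."""
    for oc in group.get("objectclass", []):
        if oc.lower() in MEMBER_ATTR:
            return MEMBER_ATTR[oc.lower()]
    raise ValueError("not a static group: " + group["dn"][0])

def is_member_of(groups, user_dn):
    """Offline counterpart of the isMemberOf virtual attribute: DNs of groups listing user_dn."""
    u = norm_dn(user_dn)
    return [g["dn"][0] for g in groups if u in {norm_dn(m) for m in g.get(member_attr(g), [])}]

def rename_member(groups, old_dn, new_dn):
    """Cost of a DN change in static groups: one modify record for every group that lists old_dn."""
    return ["dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n-\nadd: %s\n%s: %s\n"
            % (g["dn"][0], a, a, old_dn, a, a, new_dn)
            for g in groups if is_member_of([g], old_dn) for a in [member_attr(g)]]
```

The second uniquemember value is deliberately written with different case and spacing to show why membership checks must compare normalized DNs rather than raw strings.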

To List All Static Groups of Which a User Is a Member

To Determine Whether a User is a Member of a Group