Managing Group Entries

This section contains these topics:

• Managing Static Group Entries by Using Oracle Directory Manager

• Managing Static Group Entries by Using Command-Line Tools

• Managing Dynamic Groups by Using Oracle Directory Manager

• Managing Dynamic Groups by Using Command-Line Tools

  Note: If you are creating a hierarchy of groups, be sure that it is a true hierarchy as described in "Hierarchies".

  See Also: "Security Groups" for instructions on setting access control policies for group entries Globalization Support and Chapter 14, "Directory Access Control" for information about access privileges

Managing Static Group Entries by Using Oracle Directory Manager

You can use Oracle Directory Manager to both create and modify static group entries.

Creating Static Group Entries by Using Oracle Directory Manager

If the entry belongs to the groupOfNames object class, then you determine membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine membership in the group by adding DNs to the multivalued attribute uniqueMember.

To add a static group entry:

1. Expand in succession Oracle Internet Directory Servers and directory server instance.

2. Select Entry Management.

3. On the toolbar, choose Create. The New Entry dialog box appears.

4. In the Distinguished Name field, type the full DN. You may also use Browse to locate the DN of the parent for the entry you want to add, then type the RDN for the new entry, followed by a comma, to the left of that parent DN.

5. To specify the object classes you want to use for the new entry, to the right of the Object Classes box, choose Add. The Super Class Selector dialog box appears.
   1. In the Super Class Selector dialog box, select the following object classes:
      • top

      • Either groupOfNames or groupOfUniqueNames

   2. Choose Select. The object classes you selected appear in the Object Classes window of the New Entry dialog box.

6. Enter the mandatory and optional attributes for your group entry.

   If you selected the groupOfNames object class, a Browse button appears next to some of the fields, for example, the member field on the Mandatory Properties tab page. To enter a mandatory property by browsing:

   1. Choose Browse. The Directory: Entry Management dialog box appears.

   2. Use this dialog box to search for a particular entry you want to add to the list.

   3. In the Distinguished Name window of the Directory: Entry Management dialog box, select the entry, then choose OK. This returns you to the New Entry dialog box. The entry you just selected is added to the list in the members window.

7. Choose OK.

Modifying a Static Group Entry by Using Oracle Directory Manager

To modify the member list for a group entry:

1. Perform a search for the group entry you want to modify.

2. In the right pane, in the Distinguished Name box, select the group entry you want to modify.

3. Choose Edit.

4. In the Entry dialog box, scroll to the text area for the member attribute and modify the value.

5. Choose OK.

Managing Static Group Entries by Using Command-Line Tools

This section provides examples of how you create and modify static group entries.

Creating a Static Group Entry by Using ldapadd

The syntax for the LDIF file is:

dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
member: DN of member 1
member: DN of member 2
.
.
.
member: DN of member N

The following command adds this LDIF file to the directory:

ldapadd -p port_number -h host -f file_name.ldif

Example: Creating a Static Group Entry by Using ldapadd

The following example shows an LDIF file named myStaticGroup.ldif for the entry for a group named MyStaticGroup:

dn: cn=myStaticGroup,c=us
objectclass: top
objectclass: groupOfNames
member: cn=John Doe
member: cn=Anne Smith

The following command adds this LDIF file to the directory:

ldapadd -p 389 -h myhost -f myStaticGroup.ldif

Modifying a Static Group by Using ldapmodify

To add a member to a group, the syntax of the LDIF file is:

dn: DN_of_group_entry
changetype: modify
add:member
member:DN of member entry

To delete a member from a group, the syntax of the LDIF file is:

dn: DN of group entry
changetype: modify
delete:member
member:DN of member entry

Issue this command to modify the file:

ldapmodify -p 389 -v  -f file_name.ldif

where -v specifies verbose mode.

Example: Modifying a Static Group by Using ldapmodify

The following example adds John Doe to a group named MyStaticGroup. As in the previous example, the data for this user entry is in the myStaticGroup.ldif file. This file contains the following:

dn: cn=myStaticGroup,c=us
changetype: modify
add:member
member: cn=John Doe

Issue this command to modify the file:

ldapmodify -p 389 -v  -f myStaticGroup.ldif

where -v specifies verbose mode.

Note: When you add or modify an entry, the Oracle directory server does not verify the existence of the entry. However, if the attribute value must contain a DN, then the directory server verifies that the DN is specified.

Managing Dynamic Groups by Using Oracle Directory Manager

You can use Oracle Directory Manager to both create and modify static group entries.

Creating Dynamic Group Entries by Using Oracle Directory Manager

If the entry belongs to the groupOfNames object class, then you determine membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine membership in the group by adding DNs to the multivalued attribute uniqueMember.

To add a dynamic group entry:

1. Expand in succession Oracle Internet Directory Servers and directory server instance.

2. Select Entry Management.

3. On the toolbar, choose Create. The New Entry dialog box appears.

4. In the Distinguished Name field, type the full DN. You may also use Browse to locate the DN of the parent for the entry you want to add, then type the RDN for the new entry, followed by a comma, to the left of that parent DN.

5. To specify the object classes you want to use for the new entry, to the right of the Object Classes box, choose Add. The Super Class Selector dialog box appears.
   1. In the Super Class Selector dialog box, select the following object classes:
      • top

      • orcldynamicgroup

      • Either groupOfNames or groupOfUniqueNames

   2. Choose Select. The object classes you selected appear in the Object Classes window of the New Entry dialog box.

6. Enter the mandatory and optional attributes for your group entries.

   In the Optional Properties tab page, in the labeledURI field, specify the following:

   ldap:ldap_URL
   
   

   For example:

   ldap://my_
   host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
   
   

   In the orclConnectByAttribute field, specify the attribute that you want to use as the filter for the query--for example, manager.

   In the orclConnectByStartingValue field, specify the DN of the attribute you specified in the orclConnectByAttribute attribute--for example, cn=Anne Smith.

   For information about specifying the other attributes that appear in the Optional Properties tab page, see Appendix B, "Oracle Internet Directory Schema Elements".

   If you selected the groupOfNames object class, a Browse button appears next to some of the fields, for example, the member field on the Mandatory Properties tab page. If you choose Browse, the Directory: Entry Management dialog box appears. Use this dialog box to search for a particular entry you want to add to the list. Then, in the Distinguished Name window of the Directory: Entry Management dialog box, select the entry and choose OK. This returns you to the New Entry dialog box. The entry you just selected is added to the list in the members window.

7. Choose OK.

Modifying a Dynamic Group Entry by Using Oracle Directory Manager

To modify the member list for a dynamic group entry:

1. Perform a search for the group entry you want to modify.

2. In the right pane, in the Distinguished Name box, select the group entry you want to modify.

3. Choose Edit.

4. In the Entry dialog box, scroll to the text area for the member attribute and modify the value.

5. Choose OK.

Managing Dynamic Groups by Using Command-Line Tools

This section tells you how to create and modify dynamic groups by using command-line tools.

Creating a Dynamic Group Entry by Using ldapadd

If you use the labeledURI attribute, then the syntax for the LDIF file is:

dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
objectclass: orcldynamicgroup
labeledURI:ldap:ldap_URL
member: DN of member 1
member: DN of member 2
.
.
.
member: DN of member N

The following command adds this LDIF file to the directory:

ldapadd -p port_number -h host -f file_name.ldif

If you use the CONNECT BY string, then the syntax for the LDIF file is:

dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
objectclass: orclDynamicGroup
orclConnectByAttribute: attribute_name
orclConnectByStartingValue: DN_of_attribute
member: DN_of_member_1

When specifying entries in this syntax, do not use double quotes around distinguished names.

Example: Creating a Dynamic Group Entry by Using ldapadd

The following example shows an LDIF file for the entry for a dynamic group:

dn: cn=myDynamicGroup,c=us
objectclass: top
objectclass: groupOfNames
objectclass: orcldynamicgroup
labeledURI:ldap:

//my_host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
member: cn=John Doe
member: cn=Anne Smith

The following command adds this LDIF file to the directory:

ldapadd -p 389 -h myhost -f myDynamicGroup.ldif

Example: Modifying a Dynamic Group by Using ldapmodify

To change the organizational unit of the group created in the previous example, the syntax of the LDIF file is:

dn: DN_of_group_entry
changetype: modify
replace:labeledURI
labeledURI:ldap:

//my_host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)

Note: When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.