Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) Part Number B15991-01
This chapter explains how to administer both static and dynamic groups in Oracle Internet Directory.
Oracle Internet Directory enables you to assign and manage membership in two types of groups—namely, static groups and dynamic groups. Each type of group is suited for a different purpose.
A static group is one whose entry contains a list of members that you explicitly administer.
A static group requires you to explicitly administer its membership. For example, if a member changes his name, then you need to change that user's DN for each group he belongs to. For this reason, a static group is best suited for a group whose membership is unlikely to change frequently. Moreover, because a static group contains a list of member DNs, its footprint in the directory increases with the membership list. For this reason, it is best suited for a group whose entries take up relatively less space in the directory.
When you create the entry for this kind of group, you associate it with either the groupOfNames or groupOfUniqueNames object class.
Each of these object classes has a multivalued attribute for storing the names of group members. To assign a user as a member of a group, you add the DN of each member to the respective multivalued attribute. Conversely, to remove a member from a group, you delete the member's DN from the respective attribute. In the groupOfNames object class, this multivalued attribute is member, and, in the groupOfUniqueNames object class, it is uniqueMember.
A dynamic group is one whose membership, rather than being maintained in a list, is computed, based on rules and assertions you specify. As of Oracle Internet Directory 10g (10.1.4.0.1), dynamic groups based on labeleduri attributes are cached.
By cached, we mean that dynamic group members are computed when the dynamic group is added, and that the member list is kept consistent when the dynamic group is later modified. As entries are added, modified, deleted, and renamed, the member lists of all dynamic groups are kept consistent. For example, if there is a dynamic group containing all person entries under "c=us", when we add "cn=user1,c=us", that entry is automatically added to the member list of the dynamic group. Similarly, when we delete "cn=user1,c=us", the entry is removed from the dynamic group's member list. This feature ensures that whenever a search is performed for a dynamic group, the member list can be returned without any additional computation. The search performance for dynamic groups is now the same as for static groups.
Dynamic groups can have static as well as dynamic members. The static members are listed as values of the member or uniquemember attribute.
Note: Only dynamic groups based on labeleduri attributes are cached. Dynamic groups based on CONNECT_BY assertion are not cached.
Note: You cannot add a dynamic group based on the labeledURI attribute with scope base. Only scope sub and one are supported.
Note: To refresh dynamic group memberships, set the attribute orclrefreshdgrmems in the DSA Configuration entry to 1. Oracle Internet Directory will recompute the member lists for all dynamic groups and reset the value of orclrefreshdgrmems to 0.
Note: As of 10g (10.1.4.0.1), when you query for the groups that a user belongs to, dynamic groups are automatically included in the result. In earlier releases, you had to pass a control to direct that dynamic groups, in addition to static groups, be queried. In releases prior to 10g (10.1.4.0.1), if this control was not passed, then only static groups were queried. For more information on controls used by Oracle Internet Directory, see "About LDAP Controls" in Oracle Identity Management User Reference.
As of Oracle Internet Directory 10g (10.1.4.0.1), you can use dynamic groups in the same ways you use static groups. For example, you can use them in:
Access control lists, by associating the group with either the orclACPgroup or the orclPrivilegeGroup object class.
Searches for required attributes of members. For dynamic groups, you would use the -G or the -C control to do this, and for static groups you would use the -C control.
Hierarchical group resolution queries
Dynamic groups have the following limitations in Oracle Internet Directory 10g (10.1.4.0.1):
Only dynamic groups based on labeleduri attributes are cached. Dynamic groups based on CONNECT_BY assertions are not cached.
Hierarchical queries and queries involving specific attributes of members can only be done on cached dynamic groups.
Dynamic groups can only be added using ldapadd. They cannot be added by using bulkload.
If the catalog tool is used to drop and re-create the ct_member or ct_uniquemember catalog tables, the dynamic group member lists must be recomputed by setting the orclrefreshdgrmems attribute of the DSA Configuration entry to 1 using ldapmodify.
When you create a dynamic group, you begin as when creating a static group—that is, you associate its entry with either the groupOfNames or groupOfUniqueNames object class. You then associate that object class with the auxiliary object class orclDynamicGroup. This auxiliary object class has various attributes in which you specify one of two methods for dynamically computing the membership of the group.
The two methods are the labeledURI attribute method and the CONNECT BY assertion method.
When using the labeledURI attribute method, the directory server performs a typical search based on the hierarchy of the DIT. It requires you to provide a value for one of the attributes of the orclDynamicGroup object class, namely labeledURI. In this attribute, you specify the base of the query, the filters, and any required attributes. For example, suppose that you have entered the following value for the labeledURI attribute:
labeledURI: ldap://host:port/ou=NewUnit,o=MyCompany,c=US??sub?(objectclass=person)
When you use this method, a search for the entry returns entries for all members of the group.
Do not set orclConnectByAttribute or orclConnectByStartingValue when using the labeledURI attribute method.
See Also: "The LDAP URL Format" (RFC 2255). T. Howes, M. Smith, December 1997. This RFC provides more information about how LDAP URLs are to be represented—as, for example, in the labeledURI attribute. It is available on the World Wide Web at http://www.ietf.org.
Unlike the labeledURI attribute method, the CONNECT BY assertion method relies not on the hierarchy of the DIT, but on attributes that implicitly connect entries to each other, regardless of their location in the DIT. For example, the manager attribute connects the entries of employees with those of their managers, and this connection applies regardless of the location of the employee entries in the DIT. This method uses a CONNECT BY clause in which you specify the attribute to use for building the hierarchy—for example, manager—and the starting value for such a hierarchy—for example, cn=Anne Smith.
See Also: Performing Hierarchical Searches in Oracle Identity Management Application Developer's Guide
More specifically, to use this method, you specify in the orclDynamicGroup object class a value for each of the single-valued attributes in Table 13-1.
Table 13-1 orclDynamicGroup Attributes for "Connect By" Assertions
Attribute | Description |
---|---|
orclConnectByAttribute | The attribute that you want to use as the filter for the query—for example, manager |
orclConnectByStartingValue | The DN of the attribute you specified in the orclConnectByAttribute attribute—for example, cn=Anne Smith |
Do not set labeledURI when using the CONNECT BY assertion method.
For example, to retrieve the entries of all employees who report to Anne Smith in the MyOrganizational Unit in the Americas, you would provide values for these attributes as follows:
orclConnectByAttribute=manager
orclConnectByStartingValue="cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US"
You can also develop an application specifying that you want the values for a particular attribute—for example, the email attribute—of all the members.
See Also: Oracle Identity Management Application Developer's Guide for more information about how to develop applications that retrieve values for particular attributes
Hierarchies can be either explicit or implicit.
In explicit hierarchies, the relationship is determined by the location of the entry in the DIT—for example, Group A may reside higher in the DIT than Group B.
In implicit hierarchies, the relationship between entries is determined not by the location in the DIT, but by the values of certain attributes. For example, suppose that you have a DIT in which the entry for John Doe is at the same level of the hierarchy as Anne Smith. However, suppose that, in the entry for John Doe, the manager attribute specifies Anne Smith as his manager. In this case, although their locations in the DIT are at an equal level, their rankings in the hierarchy are unequal because Anne Smith is specified as John Doe's manager.
Note: If you create a hierarchical group, be sure that it is truly hierarchical. For example, in a true hierarchy, Group A can be a member of Group B, but Group B cannot at the same time be a member of Group A. Because the latter relationship is cyclical, a search for the members of Group A fails. In a query based on an implicit hierarchy, the client can specify in the search request the control 2.16.840.1.113894.1.8.3. The filter in this query specifies the attribute used to build the implicit hierarchy. For example, For more information on controls used by Oracle Internet Directory, see "About LDAP Controls" in Oracle Identity Management User Reference.
An application can query either kind of group to do the following:
List all members of a group
List all groups of which a user is a member
Check to see if a user is a member of a particular group
In addition, you can query dynamic groups, but not static ones, for whatever member attributes you specify.
When deliberating about which kind of group to use, you need to weigh the ease of administration against higher performance. For example, dynamic groups provide for easier administration, but cause a decrease in performance. Table 13-2 lists some things to consider when deliberating whether to use static or dynamic groups.
Table 13-2 Static and Dynamic Group Considerations
Consideration | Static Groups | Dynamic Groups |
---|---|---|
Ease of administration | More difficult to administer if group memberships are large and change frequently | Easier to use, especially when group memberships are large and change frequently |
Performance | Higher level of performance because you explicitly administer the membership list | Decreased level of performance because memberships are computed on the fly |
Size of footprint in the directory | Larger footprint depending on the size of group memberships | Small footprint regardless of size of group memberships |
This section contains these topics:
Managing Static Group Entries by Using Oracle Directory Manager
Managing Dynamic Groups by Using Command-Line Tools
Note: If you are creating a hierarchy of groups, be sure that it is a true hierarchy as described in "Hierarchies".
You can use Oracle Directory Manager to both create and modify static group entries.
If the entry belongs to the groupOfNames object class, then you determine membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine membership in the group by adding DNs to the multivalued attribute uniqueMember.
To add a static group entry:
Expand in succession Oracle Internet Directory Servers and directory server instance.
Select Entry Management.
On the toolbar, choose Create. The New Entry dialog box appears.
In the Distinguished Name field, type the full DN. You may also use Browse to locate the DN of the parent for the entry you want to add, then type the RDN for the new entry, followed by a comma, to the left of that parent DN.
To specify the object classes you want to use for the new entry, to the right of the Object Classes box, choose Add. The Super Class Selector dialog box appears.
Enter the mandatory and optional attributes for your group entry.
If you selected the groupOfNames object class, a Browse button appears next to some of the fields, for example, the member field on the Mandatory Properties tab page. To enter a mandatory property by browsing:
Choose Browse. The Directory: Entry Management dialog box appears.
Use this dialog box to search for a particular entry you want to add to the list.
In the Distinguished Name window of the Directory: Entry Management dialog box, select the entry, then choose OK. This returns you to the New Entry dialog box. The entry you just selected is added to the list in the members window.
Choose OK.
To modify the member list for a group entry:
Perform a search for the group entry you want to modify.
In the right pane, in the Distinguished Name box, select the group entry you want to modify.
Choose Edit.
In the Entry dialog box, scroll to the text area for the member attribute and modify the value.
Choose OK.
This section provides examples of how you create and modify static group entries.
The syntax for the LDIF file is:
dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
member: DN of member 1
member: DN of member 2
. . .
member: DN of member N
The following command adds this LDIF file to the directory:
ldapadd -p port_number -h host -f file_name.ldif
Example: Creating a Static Group Entry by Using ldapadd
The following example shows an LDIF file named myStaticGroup.ldif for the entry for a group named MyStaticGroup:
dn: cn=myStaticGroup,c=us
objectclass: top
objectclass: groupOfNames
member: cn=John Doe
member: cn=Anne Smith
The following command adds this LDIF file to the directory:
ldapadd -p 389 -h myhost -f myStaticGroup.ldif
To add a member to a group, the syntax of the LDIF file is:
dn: DN_of_group_entry
changetype: modify
add: member
member: DN of member entry
To delete a member from a group, the syntax of the LDIF file is:
dn: DN_of_group_entry
changetype: modify
delete: member
member: DN of member entry
Issue this command to apply the modification in the file to the directory:
ldapmodify -p 389 -v -f file_name.ldif
where -v specifies verbose mode.
Example: Modifying a Static Group by Using ldapmodify
The following example adds John Doe to a group named MyStaticGroup. As in the previous example, the data for this group entry is in the myStaticGroup.ldif file. This file contains the following:
dn: cn=myStaticGroup,c=us
changetype: modify
add: member
member: cn=John Doe
Issue this command to apply the modification in the file to the directory:
ldapmodify -p 389 -v -f myStaticGroup.ldif
where -v specifies verbose mode.
Note: When you add or modify an entry, the Oracle directory server does not verify the existence of the entry. However, if the attribute value must contain a DN, then the directory server verifies that the DN is specified.
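Because the directory server checks only that a member value is a DN, not that the entry exists, the following added example (not Oracle's code and not part of this guide) reads static group entries written in the LDIF syntax shown above and reports member DNs that no longer resolve to an existing entry. The LDIF and the set of existing DNs are constructed for the example.

```python
# Constructed: the DNs that currently exist in the directory (any case or spacing).
EXISTING_ENTRIES = {"cn=John Doe,c=us", "cn=Anne Smith,c=us", "cn=myStaticGroup,c=us"}

# Constructed LDIF in the add syntax shown above; the third member no longer exists.
SAMPLE_LDIF = """\
dn: cn=myStaticGroup,c=us
objectclass: top
objectclass: groupOfNames
member: cn=John Doe,c=us
member: cn=Anne Smith,c=us
member: cn=Old Name,c=us

dn: cn=myUniqueGroup,c=us
objectclass: top
objectclass: groupOfUniqueNames
uniquemember: cn=Anne Smith,
 c=us
"""

# Which multivalued attribute holds the members, per structural object class.
MEMBER_ATTRIBUTE = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}


def normalize_dn(dn):
    """Comparison form: lower case, no blanks around '=' or ','. Escaped commas are not handled."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader for the add syntax above: records separated by blank lines,
    'attr: value' lines, continuation lines (leading space) folded back onto the previous
    line. Base64 (::) values and changetype records are outside this example."""
    entries, record = {}, []
    for line in text.splitlines() + [""]:       # trailing "" flushes the last record
        if line.startswith(" ") and record:
            record[-1] += line[1:]
        elif line.strip():
            record.append(line)
        elif record:
            attrs = {}
            for item in record:
                name, _, value = item.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
            entries[normalize_dn(attrs["dn"][0])] = attrs
            record = []
    return entries


def dangling_members(entries, existing_dns):
    """For each static group, list the member DNs that do not resolve to an existing entry.
    OID only checks that each value is a DN, so stale references survive renames and deletes."""
    existing = {normalize_dn(d) for d in existing_dns}
    report = {}
    for dn, attrs in entries.items():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        member_attr = next((MEMBER_ATTRIBUTE[c] for c in classes if c in MEMBER_ATTRIBUTE), None)
        if member_attr is None:
            continue                      # not a groupOfNames / groupOfUniqueNames entry
        report[dn] = [m for m in attrs.get(member_attr, []) if normalize_dn(m) not in existing]
    return report
```

Running `dangling_members(parse_ldif(SAMPLE_LDIF), EXISTING_ENTRIES)` flags `cn=Old Name,c=us` under myStaticGroup and nothing under myUniqueGroup, whose folded uniquemember value resolves after normalization.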
This section provides examples of the two kinds of dynamic group entries.
The following is an example of a dynamic group entry using the labeledURI attribute.
dn: cn=dgroup1
cn: dgroup1
description: this is an example of a dynamic group
labeleduri: ldap://hostname:7777/ou=oid,l=amer,dc=oracle,dc=dgrptest??sub?(objectclass=person)
objectclass: orcldynamicgroup
objectclass: groupOfUniqueNames
objectclass: top
This group will have uniquemember values that are the DNs of all entries associated with the object class person in the subtree ou=oid,l=amer,dc=oracle,dc=dgrptest.
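The following is an added example, not code from this guide or from Oracle Internet Directory: it mimics, over a small constructed set of entries, how the cached member list of a labeledURI-based dynamic group such as dgroup1 is computed when the group is added and then kept consistent as entries are added and deleted. It models only a single equality or presence filter and the sub and one scopes, and it rejects scope base as the note earlier in this chapter states.

```python
import re
from urllib.parse import unquote

# Constructed sample entries (DN -> attributes); not taken from any real directory.
DIRECTORY = {
    "ou=oid,l=amer,dc=oracle,dc=dgrptest": {"objectclass": ["top", "organizationalunit"]},
    "cn=Anne Smith,ou=oid,l=amer,dc=oracle,dc=dgrptest": {"objectclass": ["top", "person"]},
    "cn=John Doe,ou=sales,ou=oid,l=amer,dc=oracle,dc=dgrptest": {"objectclass": ["top", "person"]},
    "cn=printer1,ou=oid,l=amer,dc=oracle,dc=dgrptest": {"objectclass": ["top", "device"]},
    "cn=Outsider,l=amer,dc=oracle,dc=dgrptest": {"objectclass": ["top", "person"]},
}

def normalize_dn(dn):
    """Comparison form: lower case, no blanks around '=' or ','. Escaped commas are not handled."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")).lower()

def parse_labeled_uri(uri):
    """Split an RFC 2255 URL 'ldap://host:port/dn?attrs?scope?filter' into its four parts."""
    m = re.match(r"ldap://[^/]*/(.*)$", uri, re.IGNORECASE)
    if not m:
        raise ValueError("labeledURI must be an ldap:// URL")
    parts = (m.group(1).split("?") + [""] * 4)[:4]
    base, attrs, scope, filt = (unquote(p) for p in parts)
    scope = scope.lower() or "base"          # RFC 2255 default when the scope field is empty
    if scope not in ("one", "sub"):          # OID rejects scope base for labeledURI dynamic groups
        raise ValueError("scope %r is not supported for a dynamic group" % scope)
    return normalize_dn(base), [a for a in attrs.split(",") if a], scope, filt or "(objectclass=*)"

def parse_simple_filter(filt):
    """Only one equality or presence filter such as (objectclass=person) is modelled here."""
    m = re.fullmatch(r"\(?\s*([A-Za-z][\w;-]*)=([^()]*)\)?", filt.strip())
    if not m:
        raise ValueError("only a single equality filter is modelled in this example")
    return m.group(1).lower(), m.group(2).strip().lower()

def in_scope(dn, base, scope):
    """True when dn lies below base: any depth for 'sub', exactly one RDN for 'one'."""
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]

class CachedDynamicGroup:
    """Holds the member list the way OID caches it: computed once when the group is
    added, then maintained entry by entry as the directory changes."""
    def __init__(self, labeled_uri, directory):
        self.base, self.attrs, self.scope, filt = parse_labeled_uri(labeled_uri)
        self.filter_attr, self.filter_value = parse_simple_filter(filt)
        self.members = {normalize_dn(dn) for dn, e in directory.items() if self.qualifies(dn, e)}

    def qualifies(self, dn, entry):
        """Scope test plus the single equality/presence filter taken from the URL."""
        values = [v.lower() for v in entry.get(self.filter_attr, [])]
        hit = bool(values) if self.filter_value == "*" else self.filter_value in values
        return hit and in_scope(normalize_dn(dn), self.base, self.scope)

    def entry_added(self, dn, entry):        # what an ldapadd of a new entry triggers
        if self.qualifies(dn, entry):
            self.members.add(normalize_dn(dn))

    def entry_deleted(self, dn):             # what an ldapdelete triggers
        self.members.discard(normalize_dn(dn))

    def uniquemember(self):                  # what a search of the group returns, uncomputed
        return sorted(self.members)
```

With dgroup1's labeledURI, the initial member list holds Anne Smith and John Doe only (the device entry fails the filter and the entry outside ou=oid is out of scope); switching the scope to one drops John Doe, who sits two levels below the base.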
The following is an example of a dynamic group entry that uses the CONNECT BY assertion.
dn: cn=dgroup2
cn: dgroup2
description: this is connect by manager assertion dynamic group
orclconnectbyassertionbase: l=amer,dc=oracle,dc=dgrptest
orclconnectbyattribute: manager
orclconnectbystartingvalue: cn=john doe sr.
objectclass: orcldynamicgroup
objectclass: groupOfUniqueNames
objectclass: top
This dynamic group has unique members whose values are the DNs of all the entries whose manager attribute is cn=john doe sr., either directly or indirectly. If several individuals have cn=john doe jr. as their manager, and he, in turn, has cn=john doe sr. as his manager, then all the lower-level individuals are returned.
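As an added example (not Oracle's code and not part of this guide), the following resolves the CONNECT BY assertion of dgroup2 over a constructed set of entries: it returns everyone who reports to the starting value directly or through intermediate managers, restricted to the assertion base, and reports a manager cycle instead of following it, since a hierarchy that is not a true hierarchy makes the search fail. It assumes manager values are stored as full DNs, so the starting value is given in that same form.

```python
from collections import defaultdict, deque

BASE = "l=amer,dc=oracle,dc=dgrptest"   # the orclconnectbyassertionbase of dgroup2

# Constructed sample entries (DN -> attributes). Manager values are full DNs here,
# so the starting value is compared against them in the same form (an assumption).
ENTRIES = {
    "cn=john doe sr.," + BASE: {},
    "cn=john doe jr.," + BASE: {"manager": ["cn=john doe sr.," + BASE]},
    "cn=anne smith,ou=oid," + BASE: {"manager": ["cn=john doe jr.," + BASE]},
    "cn=bob lee,ou=oid," + BASE: {"manager": ["cn=john doe jr.," + BASE]},
    "cn=carol king,ou=oid," + BASE: {"manager": ["cn=anne smith,ou=oid," + BASE]},
    "cn=outsider,l=emea,dc=oracle,dc=dgrptest": {"manager": ["cn=john doe sr.," + BASE]},
}

def normalize_dn(dn):
    """Comparison form: lower case, no blanks around '=' or ','. Escaped commas are not handled."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")).lower()

def connect_by_members(entries, attribute, starting_value, assertion_base):
    """Walk the implicit hierarchy built from `attribute` (e.g. manager), starting at
    `starting_value`, and return (members, problem).

    members: DNs under assertion_base that report to the starting value directly or
             through any number of intermediate managers, in breadth-first order.
    problem: None for a true hierarchy; otherwise the DN that was reached a second
             time, which means a manager cycle (or an entry hanging off two chains).
             OID's CONNECT BY search fails on such data, so it is reported, not followed."""
    base = normalize_dn(assertion_base)
    reports = defaultdict(list)               # manager DN -> direct reports inside the base
    for dn, attrs in entries.items():
        ndn = normalize_dn(dn)
        if ndn == base or ndn.endswith("," + base):
            for value in attrs.get(attribute, []):
                reports[normalize_dn(value)].append(ndn)
    start = normalize_dn(starting_value)
    seen, members, queue = {start}, [], deque([start])
    while queue:
        manager = queue.popleft()
        for report in sorted(reports.get(manager, [])):
            if report in seen:
                return members, report        # hierarchy violation: stop here
            seen.add(report)
            members.append(report)
            queue.append(report)
    return members, None
```

For the entries above the result is john doe jr., anne smith, bob lee and carol king, while the entry under l=emea is excluded by the assertion base; if john doe sr. were given carol king as manager, the walk would report him as the DN reached twice.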
You can use Oracle Directory Manager to both create and modify dynamic group entries.
If the entry belongs to the groupOfNames object class, then you determine membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine membership in the group by adding DNs to the multivalued attribute uniqueMember.
To add a dynamic group entry:
Expand Oracle Internet Directory Servers, then directory server instance.
Select Entry Management.
On the toolbar, choose Create. The New Entry dialog box appears.
In the Distinguished Name field, type the full DN. You may also use Browse to locate the DN of the parent for the entry you want to add, then type the RDN for the new entry, followed by a comma, to the left of that parent DN.
To specify the object classes you want to use for the new entry, to the right of the Object Classes box, choose Add. The Super Class Selector dialog box appears.
Enter the mandatory and optional attributes for your group entries.
If you are using the labeledURI method for dynamically computing membership in the group, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. In the Optional Properties tab page, in the labeledURI field, specify the following:
ldap:ldap_URL
For example:
ldap://my_host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
If you are using the CONNECT BY method for dynamically computing membership in the group, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute. In the orclConnectByAttribute field, specify the attribute that you want to use as the filter for the query—for example, manager. In the orclConnectByStartingValue field, specify the DN of the attribute you specified in the orclConnectByAttribute attribute—for example, cn=Anne Smith.
For information about specifying the other attributes that appear in the Optional Properties tab page, see "User and Group Schema Elements" in Oracle Identity Management User Reference.
If you selected the groupOfNames object class, a Browse button appears next to some of the fields, for example, the member field on the Mandatory Properties tab page. If you choose Browse, the Directory: Entry Management dialog box appears. Use this dialog box to search for a particular entry you want to add to the list. Then, in the Distinguished Name window of the Directory: Entry Management dialog box, select the entry and choose OK. This returns you to the New Entry dialog box. The entry you just selected is added to the list in the members window.
Choose OK.
To modify the member list for a dynamic group entry:
Perform a search for the group entry you want to modify.
In the right pane, in the Distinguished Name box, select the group entry you want to modify.
Choose Edit.
In the Entry dialog box, scroll to the text area for the member attribute and modify the value.
Choose OK.
This section tells you how to create and modify dynamic groups by using command-line tools.
If you use the labeledURI attribute, then the syntax for the LDIF file is:
dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
objectclass: orcldynamicgroup
labeledURI:ldap:ldap_URL
member: DN of member 1
member: DN of member 2
. . .
member: DN of member N
The following command adds this LDIF file to the directory:
ldapadd -p port_number -h host -f file_name.ldif
If you use the CONNECT BY assertion, then the syntax for the LDIF file is:
dn: DN_of_group_entry
objectclass: top
objectclass: [groupOfNames] [groupOfUniqueNames]
objectclass: orclDynamicGroup
orclConnectByAttribute: attribute_name
orclConnectByStartingValue: DN_of_attribute
member: DN of member 1
When specifying entries in this syntax, do not use double quotes around distinguished names.
The following example shows an LDIF file for the entry for a dynamic group:
dn: cn=myDynamicGroup,c=us
objectclass: top
objectclass: groupOfNames
objectclass: orcldynamicgroup
labeledURI: ldap://my_host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
member: cn=John Doe
member: cn=Anne Smith
The following command adds this LDIF file to the directory:
ldapadd -p 389 -h myhost -f myDynamicGroup.ldif
To change the organizational unit of the group created in the previous example, the syntax of the LDIF file is:
dn: DN_of_group_entry
changetype: modify
replace: labeledURI
labeledURI: ldap://my_host/ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
Note: When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.