Dynamic Groups (Sun Java System Web Server 7.0 Update 2 Administrator's Guide)

Sun Java System Web Server 7.0 Update 2 Administrator's Guide

Dynamic Groups

A dynamic group has an objectclass of groupOfURLs, and has zero or more memberURL attributes, each of which is a LDAP URL that describes a set of objects.

For LDAP services, Web Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups which contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.

How Web Server Implements Dynamic Groups

Web Server implements dynamic groups in the LDAP server schema as objectclass = groupOfURLs. A groupOfURLS class can have multiple memberURL attributes, each one consisting of an LDAP URL that enumerates a set of objects in the directory. The members of the group would be the union of these sets. For example, the following group contains just one member URL:

ldap:///o=mcom.com??sub?(department=marketing)

This example describes a set that consists of all objects below "o=mcom.com" whose department is "marketing." The LDAP URL can contain a search base DN, a scope and filter, however, not a hostname and port. This means that you can only refer to objects on the same LDAP server. All scopes are supported.

The DNs are included automatically, without your having to add each individual to the group. The group changes dynamically, because Web Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.

Note –

Web Server uses the cn (commonName) attribute as group name for ACLs.

The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf configuration file (which associates the ACL database names with actual LDAP database URLs) and the ACL file (which defines which databases are to be used for which ACL). For example, if you want base access rights on membership in a group named "staff," the ACL code looks up an object that has an object class of groupOf<anything> and a CN set to "staff." The object defines the members of the group, either by explicitly enumerating the member DNs (as is done for groupOfUniqueNames for static groups), or by specifying LDAP URLs (for example, groupOfURLs).

Groups Can Be Static and Dynamic

A group object can have both objectclass = groupOfUniqueMembers and objectclass = groupOfURLs; therefore, both "uniqueMember" and "memberURL" attributes are valid. The group’s membership is the union of its static and dynamic members.

Dynamic Group Impact on Server Performance

There is a server performance impact when using dynamic groups. If you are testing group membership, and the DN is not a member of a static group, Web Server checks all dynamic groups in the database’s baseDN. Web Server accomplishes this task by checking if each memberURL matches by checking its baseDN and scope against the DN of the user, and then performing a base search using the user DN as baseDN and the filter of the memberURL. This procedure can amount to a large number of individual searches.

Guidelines for Creating Dynamic Groups

Consider the following guidelines when using the Administration Server to create new dynamic groups:

Dynamic groups cannot contain other groups.
Enter the group’s LDAP URL using the following format (without host and port info, since these parameters are ignored):
```
ldap:///<basedn>?<attributes>?<scope>?<(filter)>
```
The required parameters are described in the following table:

Table 8–1 Dynamic Groups: Required Parameters


Parameter Name	Description
`<base_dn>`	The Distinguished Name (DN) of the search base, or point from which all searches are performed in the LDAP directory. This parameter is often set to the suffix or root of the directory, such as "`o=mcom.com`".
`<attributes>`	A list of the attributes to be returned by the search. To specify more than one, use commas to delimit the attributes (for example, "`cn,mail,telephoneNumber`"); if no attributes are specified, all attributes are returned. Note that this parameter is ignored for dynamic group membership checks.
`<scope>`	The scope of the search, which can be one of these values: `base` retrieves information only about the distinguished name `(<base_dn>)` specified in the URL. `one` retrieves information about entries one level below the distinguished name `(<base_dn>)` specified in the URL. The base entry is not included in this scope. `sub` retrieves information about entries at all levels below the distinguished name `(<base_dn>)` specified in the URL. The base entry is included in this scope. This parameter is required.
`<(filter)>`	Search filter to apply to entries within the specified scope of the search. If you are using the Administration Server forms, you must specify this attribute. Note that the parentheses are required. This parameter is required.

Note that the <attributes>, <scope>, and <(filter)> parameters are identified by their positions in the URL. If you do not want to specify any attributes, you still need to include the question marks delimiting that field.

You can optionally also add a description for the new group.
If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or topmost entry.