A group is an object that describes a set of objects in an LDAP database. A Sun Java System server group consists of users who share a common attribute. For instance, the set of objects might be a number of employees who work in the Marketing division of your company. These employees might belong to a group called Marketing.
For LDAP services, there are two ways to define the membership of a group: statically and dynamically. Static groups enumerate their member objects explicitly. A static group is identified by a common name (CN) and contains uniqueMember, memberURL, or memberCertDescription attributes. For static groups, the members do not share a common attribute except for the cn=groupname attribute.
Dynamic groups enable you to use an LDAP URL to define a set of rules that match only group members. For dynamic groups, the members do share a common attribute or set of attributes, defined in the memberURL filter. For example, if you need a group that contains all employees in Sales, and those employees are already in the LDAP database under ou=Sales,o=Airius.com, you would define a dynamic group with the following member URL:
ldap:///ou=Sales,o=sun??sub?(uid=*)
This group would subsequently contain all objects that have a uid attribute in the tree below the ou=Sales,o=sun point.
For static and dynamic groups, members can share a common attribute from a certificate if the memberCertDescription attribute is used. This sharing of a common attribute applies only if the ACL uses the SSL method.
Once a new group has been created, you can add users (members) to it.
For LDAP services, the Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group does not change unless a user is added to or deleted from the group.
Consider the following guidelines when using the Administration Server interface to create new static groups:
Static groups can contain other static or dynamic groups.
If organizational units are defined for your directory, specify where you want the new group to be placed using the Add New Group To list on the Create Group page in the Administration Server interface. The default location is your directory’s root point, the topmost entry.
For more information about editing groups, see Editing Group Entries.
Access the Administration Server and click the Users and Groups tab.
Click the Create Group link.
Select New Group from the Type of Group drop-down list, and then click Go.
Type the information on the Create Group page.
For more information about specific fields, see the online Help.
Click Create to create the group, or Create and Edit to create the group and display the edit page for the group just created.
For LDAP services, Proxy Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups that contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.
Proxy Server implements dynamic groups in the LDAP server schema as objectclass=groupOfURLs. A groupOfURLs class can have zero or more memberURL attributes, each of which is an LDAP URL that describes a set of objects in the directory. The members of the group would be the union of these sets. For example, the following group contains just one member URL:
ldap:///o=mcom.com??sub?(department=marketing)
This example describes a set that consists of all objects below o=mcom.com whose department is marketing. The LDAP URL can contain a search base DN, a scope, and a filter, but not a host name and port. Therefore, you can refer only to objects on the same LDAP server. All scopes are supported. For more information about LDAP URLs, see Guidelines for Creating Dynamic Groups.
The DNs are included automatically without having to add each individual to the group. The group changes dynamically because Proxy Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.
Proxy Server uses the cn attribute as the group name for ACLs.
The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf file (which associates the ACL database names with actual LDAP database URLs) and in the ACL file (which defines which databases are to be used for which ACL). For example, if you want to base access rights on membership in a group named staff, the ACL code looks up an object with an object class of groupOfanything and a CN set to staff. The object defines the members of the group, either by explicitly enumerating the member DNs (as is done for groupOfUniqueNames for static groups), or by specifying LDAP URLs (for example, groupOfURLs).
Groups can be both static and dynamic. A group object can have both objectclass=groupOfUniqueMembers and objectclass=groupOfURLs. Therefore, both uniqueMember and memberURL attributes are valid. The group’s membership is the union of its static and dynamic members.
Using dynamic groups affects server performance. If you are testing group membership and the DN is not a member of a static group, Proxy Server checks all dynamic groups in the database’s base DN. Proxy Server determines whether each memberURL matches by checking its base DN and scope against the DN of the user. Proxy Server then performs a base search using the user DN as the base DN and the filter of the memberURL. This procedure can involve a large number of individual searches.
Consider the following guidelines when using the Administration Server interface to create new dynamic groups:
Dynamic groups cannot contain other groups.
LDAP URLs use the following format, without host and port information, because these parameters are ignored:
ldap:///base-dn?attributes?scope?(filter)
The attributes, scope, and (filter) parameters are identified by their positions in the URL. If you do not want to specify any attributes, you must still include the question marks (?) delimiting that field.
If organizational units are defined for your directory, specify where you want the new group to be placed using the Add New Group To list on the Create Group page in the Administration Server interface. The default location is your directory’s root point, the topmost entry.
For more information about editing groups, see Editing Group Entries.
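The following example, added here and not part of the Proxy Server documentation or product, parses a memberURL in the ldap:///base-dn?attributes?scope?(filter) format and emulates the dynamic group lookup described above: the user DN is first checked against the URL's base DN and scope, and only then is the filter applied to the user's entry. The DN handling, the restriction to simple (attr=value) and (attr=*) filters, and the sample users are assumptions of this example.

```python
from urllib.parse import unquote

# Added example (not Proxy Server code): memberURL parsing plus the two-step
# membership check the text describes (scope pre-check, then filter). Only
# (attr=value) and (attr=*) filters are handled, DNs are split on unescaped
# commas, and the sample data below is constructed; all of that is assumed.

def dn_rdns(dn):
    """Normalise a DN into a list of lowercased RDNs (escaped commas not handled)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def parse_member_url(url):
    """Return (base_dn, attributes, scope, filter); host and port are not allowed."""
    if not url.startswith("ldap:///"):
        raise ValueError("memberURL must omit host and port: " + url)
    parts = url[len("ldap:///"):].split("?", 3)
    parts += [""] * (4 - len(parts))          # fields left out still count as present
    base_dn, attributes, scope, filt = parts
    return (unquote(base_dn).lower(),
            [a for a in attributes.split(",") if a],
            (scope or "base").lower(),            # RFC 2255 default scope is base
            unquote(filt) or "(objectClass=*)")   # RFC 2255 default filter

def dn_in_scope(user_dn, base_dn, scope):
    """Pre-check from the text: does user_dn lie under base_dn for this scope?"""
    user, base = dn_rdns(user_dn), dn_rdns(base_dn)
    if len(user) < len(base) or user[len(user) - len(base):] != base:
        return False
    depth = len(user) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)

def filter_matches(filt, entry):
    """Evaluate a simple (attr=value) or (attr=*) filter against one entry."""
    if not (filt.startswith("(") and filt.endswith(")") and "=" in filt):
        raise ValueError("only simple equality/presence filters are supported: " + filt)
    attr, value = filt[1:-1].split("=", 1)
    attrs = {k.lower(): [str(v).lower() for v in vs] for k, vs in entry.items()}
    values = attrs.get(attr.lower(), [])
    return bool(values) if value == "*" else value.lower() in values

def is_dynamic_member(user_dn, entry, member_urls):
    """Union semantics: the user is a member if any memberURL's scope and filter match."""
    return any(dn_in_scope(user_dn, b, s) and filter_matches(f, entry)
               for b, _a, s, f in map(parse_member_url, member_urls))

# Constructed sample data modelled on the member URLs quoted in the text.
SAMPLE_URLS = ["ldap:///o=mcom.com??sub?(department=marketing)", "ldap:///ou=Sales,o=sun??sub?(uid=*)"]
MARKETING_USER = ("uid=jdoe,ou=People,o=mcom.com", {"uid": ["jdoe"], "department": ["Marketing"]})
OUTSIDER = ("uid=bob,ou=Sales,o=other.com", {"uid": ["bob"], "department": ["marketing"]})
```

Note that the outsider carries department=marketing yet is not a member: the scope pre-check rejects the DN before the filter is consulted, which is exactly why the base DN and scope of each memberURL matter as much as its filter.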
The following table lists the required parameters for the LDAP URL.
Table 4–4 Required Parameters for the LDAP URL
Access the Administration Server and click the Users and Groups tab.
Click the Create Group link.
Select Dynamic Group from the Type of Group drop-down list and click Go.
Provide the information on the Create Group page.
For more information about specific fields, see the online Help.
Click Create to create the group, or Create and Edit to create the group and display the edit page for the group just created.