A group is an object that describes a set of objects in an LDAP database. A Sun Java System Web Server group consists of users who share a common attribute. For instance, the set of objects might be a number of employees who work in the marketing division of your company and who therefore belong to a group called Marketing.
For LDAP services, there are two ways to define the membership of a group: statically and dynamically. Static groups enumerate their member objects explicitly. A static group is identified by a CN and contains uniqueMember and/or memberURL and/or memberCertDescription attributes. For static groups, the members do not share a common attribute other than the CN=<Groupname> attribute.
Dynamic groups allow you to use an LDAP URL to define a set of rules that match only group members. For dynamic groups, the members do share a common attribute or set of attributes, which are defined in the memberURL filter. For example, if you need a group that contains all employees in Sales, and they are already in the LDAP database under
“ou=Sales,o=Airius.com,” you would define a dynamic group with the following memberURL:
ldap:///ou=Sales,o=sun??sub?(uid=*)
This group would then contain all objects that have a uid attribute in the subtree below the “ou=Sales,o=sun” entry, that is, all the Sales members.
For both static and dynamic groups, members can share a common attribute taken from a certificate if you use the memberCertDescription attribute. Note that this only works if the ACL uses the SSL method.
Once you create a new group, you can add users, or members, to it.
For LDAP services, the Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group does not change unless you add a user to it or delete a user from it.
Consider the following guidelines when using the Administration Server forms to create new static groups:
Static groups can contain other static or dynamic groups.
You can optionally add a description for the new group.
If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or top-most entry.
When you are finished entering the desired information, click Create Group to add the group and immediately return to the New Group form. Alternatively, click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added. For information on editing groups, see Editing Group Attributes.
To create a static group entry, perform the following steps:
Access the Administration Server and choose the Users and Groups tab.
Click New Group.
Enter the required information and click OK.
For more information, see the New Group page in the online help.
A dynamic group has an objectclass of groupOfURLs and has zero or more memberURL attributes, each of which is an LDAP URL that describes a set of objects.
For LDAP services, Sun Java System Web Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups that contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.
Sun Java System Web Server implements dynamic groups in the LDAP server schema as objectclass = groupOfURLs. A groupOfURLs entry can have multiple memberURL attributes, each consisting of an LDAP URL that enumerates a set of objects in the directory. The members of the group are the union of these sets. For example, the following group contains just one member URL:
ldap:///o=mcom.com??sub?(department=marketing)
This example describes the set of all objects below "o=mcom.com" whose department is "marketing." The LDAP URL can contain a search base DN, a scope, and a filter, but not a hostname and port, which means that you can only refer to objects on the same LDAP server. All scopes are supported.
The DNs are included automatically without having to add each individual to the group. The group changes dynamically, because Sun Java System Web Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.
Sun Java System Web Server uses the cn (commonName) attribute as group name for ACLs.
The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf configuration file (which associates the ACL database names with actual LDAP database URLs) and in the ACL file (which defines which databases are to be used for which ACL). For example, if you want to base access rights on membership in a group named "staff," the ACL code looks up an object that has an object class of groupOf<anything> and a CN set to "staff." The object defines the members of the group, either by explicitly enumerating the member DNs (as is done with groupOfUniqueNames for static groups) or by specifying LDAP URLs (for example, groupOfURLs).
A group object can have both objectclass = groupOfUniqueNames and objectclass = groupOfURLs; therefore, both "uniqueMember" and "memberURL" attributes are valid. The group’s membership is the union of its static and dynamic members.
There is a server performance impact when using dynamic groups. If you are testing group membership and the DN is not a member of a static group, Sun Java System Web Server checks all dynamic groups in the database’s baseDN. It does so by testing whether each memberURL can match: first it compares the memberURL’s baseDN and scope against the DN of the user, and then it performs a base search using the user DN as the baseDN and the filter of the memberURL. This procedure can amount to a large number of individual searches.
Consider the following guidelines when using the Administration Server forms to create new dynamic groups:
Dynamic groups cannot contain other groups.
Enter the group’s LDAP URL in the following format (without host and port information, since these parameters are ignored):
ldap:///<basedn>?<attributes>?<scope>?<(filter)>
The required parameters are described in the following table:
The <attributes>, <scope>, and <(filter)> parameters are identified by their positions in the URL. If you do not want to specify any attributes, you must still include the question marks that delimit that field.
You can also optionally add a description for the new group.
If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or top-most entry.
When you have finished entering the desired information, click Create Group to add the group and immediately return to the New Group form. Alternatively, click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added. For information on editing groups, see Editing Group Attributes.
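The memberURL format in the guidelines above and the two-step membership lookup described in the performance note (scope check against the user DN, then a base search on the user DN with the memberURL filter), as an added Python example that is not part of the Sun Java System Web Server product; the in-memory directory, its DN values and the simplified single-clause filter matcher are constructed assumptions:

```python
import fnmatch
from urllib.parse import unquote
# Constructed in-memory stand-in for the LDAP directory (not real data); keys are normalized DNs.
DIRECTORY = {
    "uid=alice,ou=sales,o=sun": {"objectclass": "person", "uid": "alice", "department": "sales"},
    "uid=bob,ou=marketing,o=mcom.com": {"objectclass": "person", "uid": "bob", "department": "marketing"},
    "uid=carol,ou=eng,o=mcom.com": {"objectclass": "person", "uid": "carol", "department": "engineering"},
}

def parse_member_url(url):
    """Split ldap:///<basedn>?<attributes>?<scope>?<(filter)> into its four fields.
    Host and port are ignored, as the page says; empty fields take RFC 4516 defaults."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("memberURL must start with ldap://")
    _hostport, _, rest = url[len("ldap://"):].partition("/")
    fields = (rest.split("?", 3) + [""] * 3)[:4]
    basedn, attrs, scope, filt = (unquote(f) for f in fields)
    return {"basedn": basedn, "attrs": attrs.split(",") if attrs else [],
            "scope": (scope or "base").lower(), "filter": filt or "(objectclass=*)"}

def rdns(dn):
    """Simplified DN split on commas; escaped commas inside RDN values are not handled."""
    return [r.strip().lower() for r in dn.split(",")] if dn else []

def in_scope(user_dn, basedn, scope):
    """Step 1 of the lookup: do the memberURL's base DN and scope cover the user DN?"""
    u, b = rdns(user_dn), rdns(basedn)
    if len(b) > len(u) or u[len(u) - len(b):] != b:
        return False
    depth = len(u) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)

def matches_filter(entry, filt):
    """Step 2: base search of the user entry with the filter (single (attr=value), * wildcards only)."""
    attr, _, pattern = filt.strip("()").partition("=")
    value = entry.get(attr.lower())
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_dynamic_member(user_dn, member_urls, directory=DIRECTORY):
    """Return (is_member, searches): each memberURL passing the scope check costs one base search."""
    searches = 0
    entry = directory.get(",".join(rdns(user_dn)))
    for url in member_urls:
        spec = parse_member_url(url)
        if not in_scope(user_dn, spec["basedn"], spec["scope"]):
            continue                   # rejected without touching the directory
        searches += 1                  # one base search on the user DN
        if entry is not None and matches_filter(entry, spec["filter"]):
            return True, searches
    return False, searches
```

The searches count returned by is_dynamic_member makes the per-memberURL cost visible; in a real deployment each count is an LDAP base search against the directory server, which is the overhead the performance note warns about.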