Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
Groups enable you to associate entries for ease of administration. For example, using groups makes it easier to define access control instructions (ACIs). Group definitions are special entries that either name their members in a static list or provide a filter that defines a dynamic set of entries.
The scope of possible members of a group is the entire directory, regardless of where the group definition entries are located. To simplify administration, all group definition entries are usually stored in a single location, usually ou=Groups under the root suffix.
The two types of groups are static groups and dynamic groups.
Static groups. The entry that defines a static group inherits from either the groupOfNames or groupOfUniqueNames object class. Group members are listed by their DN as multiple values of the member or uniqueMember attribute.
Alternatively, you can use the isMemberOf attribute for static groups. The isMemberOf attribute is calculated and added to the user entry at the start of the search. It is then removed again after the search has finished. This functionality provides easy management of groups, and fast read access.
Dynamic groups. The entry that defines a dynamic group inherits from the groupOfURLs object class. Group membership is defined by one or more filters that are specified in the multivalued memberURL attribute. The members in a dynamic group are the entries that match any one of the filters whenever the filters are evaluated.
You cannot use DSCC to create a static group. Use the command line, as described in this procedure.
For example, to create a new static group called System Administrators and to add some members, you could use this command:
$ ldapmodify -a -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
dn: cn=System Administrators, ou=Groups, dc=example,dc=com
changetype: add
cn: System Administrators
objectclass: top
objectclass: groupOfNames
ou: Groups
member: uid=kvaughan, ou=People, dc=example,dc=com
member: uid=rdaugherty, ou=People, dc=example,dc=com
member: uid=hmiller, ou=People, dc=example,dc=com
For example, to check that Kirsten Vaughan is in the new System Administrators group, type:
$ ldapsearch -b "dc=example,dc=com" uid=kvaughan isMemberOf
uid=kvaughan,ou=People,dc=example,dc=com
isMemberOf: cn=System Administrators, ou=Groups, dc=example,dc=com
isMemberOf: cn=HR Managers,ou=groups,dc=example,dc=com
You cannot use DSCC to create a dynamic group. Use the command line, as described in this procedure.
For example, to create a new dynamic group called “3rd Floor”, which includes all employees whose room numbers start with 3, you could use this command:
$ ldapmodify -a -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
dn: cn=3rd Floor, ou=Groups, dc=example,dc=com
changetype: add
cn: 3rd Floor
objectclass: top
objectclass: groupOfUrls
ou: Groups
memberURL: ldap:///dc=example,dc=com??sub?(roomnumber=3*)
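The following added example (not code from the guide or from Directory Server itself) shows how the two group types above resolve to a user's isMemberOf values: static membership is a DN lookup in member or uniqueMember, while dynamic membership parses the memberURL (base, scope, filter) and evaluates the filter against the user's entry. The in-memory directory, the roomnumber values and the simplified filter evaluator (a single (attr=value) assertion with * wildcards, sub scope only, crude DN normalisation) are assumptions made for this example.

```python
import re

# Constructed in-memory directory (not from the guide): DN -> {attribute: [values]}.
DIRECTORY = {
    "uid=kvaughan,ou=People,dc=example,dc=com": {"roomnumber": ["3445"]},
    "uid=rdaugherty,ou=People,dc=example,dc=com": {"roomnumber": ["4023"]},
    "uid=hmiller,ou=People,dc=example,dc=com": {"roomnumber": ["3012"]},
    "cn=System Administrators,ou=Groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=kvaughan, ou=People, dc=example,dc=com",
                   "uid=rdaugherty, ou=People, dc=example,dc=com"]},
    "cn=3rd Floor,ou=Groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfUrls"],
        "memberurl": ["ldap:///dc=example,dc=com??sub?(roomnumber=3*)"]},
}

def norm_dn(dn):
    # Crude normalisation: lowercase, drop spaces around the RDN separators.
    return ",".join(p.strip() for p in dn.split(",")).lower()
def parse_member_url(url):
    # RFC 4516 form used by memberURL: ldap:///base?attrs?scope?filter (host-less only)
    parts = url[len("ldap:///"):].split("?") + [""] * 3
    return parts[0], parts[2] or "base", parts[3] or "(objectClass=*)"
def in_scope(dn, base, scope):
    # Only the "sub" scope used by the page's memberURL is handled here.
    assert scope == "sub", "scope not handled in this example: " + scope
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)
def matches_filter(entry, filt):
    # Single (attr=value) assertion only; '*' is a substring wildcard.
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    assert m, "unsupported filter: " + filt
    rx = ".*".join(re.escape(p) for p in m.group(2).split("*"))
    return any(re.fullmatch(rx, v, re.I) for v in entry.get(m.group(1).lower(), []))

def is_member_of(user_dn, directory=DIRECTORY):
    # Group DNs the server would compute into the user's isMemberOf attribute.
    entry, member_of = directory[user_dn], []
    for gdn, g in directory.items():
        classes = {c.lower() for c in g.get("objectclass", [])}
        members = {norm_dn(m) for m in g.get("member", []) + g.get("uniquemember", [])}
        if classes & {"groupofnames", "groupofuniquenames"} and norm_dn(user_dn) in members:
            member_of.append(gdn)
        elif "groupofurls" in classes:
            for url in g.get("memberurl", []):
                base, scope, filt = parse_member_url(url)
                if in_scope(user_dn, base, scope) and matches_filter(entry, filt):
                    member_of.append(gdn)
                    break
    return member_of
```

With this data kvaughan is in both groups, rdaugherty only in the static group, and hmiller (room 3012) only in the dynamic one.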