Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Creating Groups

A group is an object that describes a set of objects in an LDAP database. An iPlanet server group consists of users who share a common attribute. For instance, the set of objects might be a number of employees who work in the Marketing division of your company. These employees might belong to a group called Marketing.

For LDAP services, the two ways to define the membership of a group are statically and dynamically. Static groups enumerate their member objects explicitly. A static group is a common name (CN) entry that contains uniqueMember, memberURL, or memberCertDescription attributes. For static groups, the members do not share a common attribute except for the cn=groupname attribute.

Dynamic groups enable you to use an LDAP URL to define a set of rules that match only for group members. For dynamic groups, the members do share a common attribute or set of attributes that are defined in the memberURL filter. For example, if you need a group that contains all employees in Sales, and those employees are already in the LDAP database under ou=Sales,o=Airius.com, you would define a dynamic group with the following member URL:

ldap:///ou=Sales,o=sun??sub?(uid=*)

This group would subsequently contain all objects that have a uid attribute in the tree below the ou=Sales,o=sun point.

For static and dynamic groups, members can share a common attribute from a certificate if the memberCertDescription attribute is used. This sharing of a common attribute applies only if the ACL uses the SSL method.

Once a new group has been created, you can add users (members) to it.


About Static Groups

For LDAP services, the Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group does not change unless a user is added to or deleted from the group.

Guidelines for Creating Static Groups

Consider the following guidelines when using the Administration Server interface to create new static groups:

To Create Static Groups

  1. Access the Administration Server and click the Users and Groups tab.

  2. Click the Create Group link.

  3. Select New Group from the Type of Group drop-down list, and then click Go.

  4. Type the information on the Create Group page.

    For more information about specific fields, see the online Help.

  5. Click Create to create the group, or Create and Edit to create the group and display the edit page for the group just created.

About Dynamic Groups

For LDAP services, Proxy Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups that contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.

How Dynamic Groups Are Implemented

Proxy Server implements dynamic groups in the LDAP server schema as objectclass=groupOfURLs. A groupOfURLs object can have zero or more memberURL attributes, each of which is an LDAP URL that describes a set of objects in the directory. The members of the group are the union of these sets. For example, the following group contains just one member URL:

ldap:///o=mcom.com??sub?(department=marketing)

This example describes a set that consists of all objects below o=mcom.com whose department is marketing. The LDAP URL can contain a search base DN, a scope, and a filter, but not a host name and port. Therefore, you can refer only to objects on the same LDAP server. All scopes are supported. For more information about LDAP URLs, see Guidelines for Creating Dynamic Groups.

The DNs are included automatically without having to add each individual to the group. The group changes dynamically because Proxy Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.


Note –

Proxy Server uses the cn attribute as the group name for ACLs.


The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf file (which associates the ACL database names with actual LDAP database URLs) and in the ACL file (which defines which databases are to be used for which ACL). For example, to base access rights on membership in a group named staff, the ACL code looks up an object with an object class of groupOfanything (that is, any of the groupOf* object classes) and a cn set to staff. That object defines the members of the group, either by explicitly enumerating the member DNs (as is done with groupOfUniqueNames for static groups) or by specifying LDAP URLs (for example, groupOfURLs).


Note –

Groups can be both static and dynamic. A group object can have both objectclass=groupOfUniqueNames and objectclass=groupOfURLs. Therefore, both uniqueMember and memberURL attributes are valid. The group’s membership is the union of its static and dynamic members.


Dynamic Group Impact on Server Performance

Using dynamic groups affects server performance. If you are testing group membership and the DN is not a member of a static group, Proxy Server checks all dynamic groups in the database’s base DN. Proxy Server determines whether each memberURL matches by checking its base DN and scope against the DN of the user. Proxy Server then performs a base search using the user DN as the base DN and the filter of the memberURL. This procedure can involve a large number of individual searches.

Guidelines for Creating Dynamic Groups

Consider the following guidelines when using the Administration Server interface to create new dynamic groups:

  • The attributes, scope, and (filter) parameters are identified by their positions in the URL. If you do not want to specify any attributes, you must still include the question marks (?) delimiting that field.

  • For more information about editing groups, see Editing Group Entries.

The following table lists the required parameters for the LDAP URL.

Table 4–4 Required Parameters for the LDAP URL

  base_dn
    The DN of the search base, or point from which all searches are performed in the LDAP directory. This parameter is often set to the suffix or root of the directory, such as o=mcom.com.

  attributes
    A list of attributes to be returned by the search. To specify more than one, use commas to delimit the attributes (for example, cn,mail,telephoneNumber). If no attributes are specified, all attributes are returned. This parameter is ignored for dynamic group membership checks.

  scope (required)
    The scope of the search, which can be one of these values:

      • base retrieves information only about the distinguished name (base_dn) specified in the URL.

      • one retrieves information about entries one level below the distinguished name (base_dn) specified in the URL. The base entry is not included in this scope.

      • sub retrieves information about entries at all levels below the distinguished name (base_dn) specified in the URL. The base entry is included in this scope.

  (filter) (required)
    The search filter to apply to entries within the specified scope of the search. If you are using the Administration Server interface, you must specify this parameter. The parentheses are required.
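A worked evaluation of a memberURL in the form the table above describes, as an added example that is not part of this guide or of the Proxy Server code. It parses the positional URL fields, applies the base DN and scope pre-check and then the filter to the user's own entry in the order the performance section describes, and takes the union with a static uniqueMember list. The directory entries, DNs and the staff group are constructed, and the filter evaluator handles only simple (attr=value) and (attr=*) filters.

```python
"""Evaluate iPlanet-style dynamic-group memberURLs against an in-memory directory.
Added example, not Proxy Server code; entries, DNs and the group below are constructed."""
from urllib.parse import unquote

def parse_member_url(url):
    """Split ldap:///base_dn?attributes?scope?(filter) by position (RFC 4516);
    an empty field still needs its '?' delimiter, as the guide notes."""
    if not url.startswith("ldap:///"):
        raise ValueError("memberURL must be host-less: ldap:///...")
    base, attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
    return unquote(base), [a for a in attrs.split(",") if a], scope or "base", unquote(flt)

def dn_rdns(dn):  # simplified: split on commas, escaped commas in values ignored
    return [r.strip().lower() for r in dn.split(",")]

def in_scope(user_dn, base_dn, scope):
    """First check the guide describes: is user_dn under base_dn at this scope?"""
    u, b = dn_rdns(user_dn), dn_rdns(base_dn)
    if len(u) < len(b) or u[len(u) - len(b):] != b:
        return False
    depth = len(u) - len(b)  # 0 = the base entry itself
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def matches_filter(entry, flt):
    """Tiny RFC 4515 subset: (attr=value) or presence (attr=*); no &, |, ! nesting."""
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: " + flt)
    attr, _, value = flt[1:-1].partition("=")
    actual = entry.get(attr.strip().lower())
    return actual is not None and (value == "*" or actual.lower() == value.lower())

def is_member(user_dn, entry, group):
    """Static uniqueMember list first (no search); then each memberURL as a scope
    check followed by a base search of the user's own entry with its filter."""
    if user_dn.lower() in (m.lower() for m in group.get("uniquemember", [])):
        return True
    return any(in_scope(user_dn, b, s) and matches_filter(entry, f)
               for b, _a, s, f in map(parse_member_url, group.get("memberurl", [])))

DIRECTORY = {  # constructed sample entries keyed by DN
    "uid=alice,ou=Sales,o=mcom.com": {"uid": "alice", "department": "marketing"},
    "uid=bob,ou=Sales,o=mcom.com": {"uid": "bob", "department": "sales"},
    "uid=carol,ou=Eng,o=mcom.com": {"uid": "carol", "department": "marketing"},
}
STAFF = {"uniquemember": ["uid=bob,ou=Sales,o=mcom.com"],  # static and dynamic
         "memberurl": ["ldap:///ou=Sales,o=mcom.com??sub?(department=marketing)"]}

def staff_members():
    return sorted(dn for dn, e in DIRECTORY.items() if is_member(dn, e, STAFF))
```

Because the scope check runs before any filter evaluation, carol is rejected without a search even though her department matches; a real server repeats this for every groupOfURLs object under the base DN, which is the cost the performance section warns about.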

Creating Dynamic Groups

To Create Dynamic Groups

  1. Access the Administration Server and click the Users and Groups tab.

  2. Click the Create Group link.

  3. Select Dynamic Group from the Type of Group drop-down list and click Go.

  4. Provide the information on the Create Group page.

    For more information about specific fields, see the online Help.

  5. Click Create to create the group, or Create and Edit to create the group and display the edit page for the group just created.