Skip Navigation Links | |
Exit Print View | |
Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1) |
1. Starting and Stopping the Server
2. Configuring the Server Instance
3. Configuring the Proxy Components
4. Configuring Security Between Clients and Servers
5. Configuring Security Between the Proxy and the Data Source
6. Managing Oracle Unified Directory With Oracle Directory Services Manager
10. Managing Users and Groups With dsconfig
Managing Root User, Global Administrator, and Administrator Accounts
Working With Multiple Root Users
Root Users and the Privilege Subsystem
Managing Root Users With dsconfig
To View the Default Root User Privileges
To Edit the Default Root User Privileges
To Change a Root User's Password
To Change a Root User's Privileges
Setting Root User Resource Limits
Managing Global Administrators
To Create an Administrator with Root User Privileges
To Change the Directory Manager's Password
To Reset and Generate a New Password for a User
Managing a User's Account Information
To View a User's Account Information
To View Account Status Information
Setting Resource Limits on a User Account
To Set Resource Limits on an Account
To Create a Static Group With groupOfNames
To Create a Static Group With groupOfUniqueNames
To Create a Static Group With groupOfEntries
To List All Members of a Static Group
To List All Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Group
To List All Members of a Dynamic Group
To List All Dynamic Groups of Which a User Is a Member
To Determine Whether a User Is a Member of a Dynamic Group
Defining Virtual Static Groups
To Create a Virtual Static Group
To List All Members of a Virtual Static Group
To List All Virtual-Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Virtual Static Group
Maintaining Referential Integrity
Overview of the Referential Integrity Plug-In
To Enable the Referential Integrity Plug-In
Simulating ODSEE Roles in an Oracle Unified Directory Server
To Determine Whether a User is a Member of a Role
To Alter Membership by Using the nsRoleDN Attribute
11. Managing Password Policies
The directory server supports groups, which are collections of entries that are manageable as a single object. Typically, directory administrators configure groups of printers, groups of software applications, groups of employees, and so forth. Groups are especially useful when assigning special access privileges to a set of users. For example, you can assign access managers the privileges to employee data while restricting those same privileges to others in the company.
The directory server supports the following group types:
Static groups. A static group defines its membership by providing explicit sets of distinguished names (DNs) using the groupOfNames, groupOfUniqueNames, or groupOfEntries object class. Statics groups are well supported by external clients and provide good performance.
A disadvantage of static groups is that as the group membership increases, the ability to easily manage the data becomes more difficult. For every entry that changes, all groups containing the changed entry must also be changed. This task becomes more difficult as the number of members of a group grows large. As a result, static groups are best used for relatively small groups that change infrequently.
For more info, see Defining Static Groups.
Dynamic groups. A dynamic group defines its membership using a set of search criteria in the form of an LDAP URL, using the groupOfUrls object class. Compared to static groups, dynamic groups handle large numbers of members well (millions of entries). As entries are updated, all parent groups are updated automatically.
A disadvantage of dynamic groups is that not all clients support them. Performance also is adversely affected if you need to query the whole list of entries. Thus, dynamic groups are best suited for groups with a very large number of entries or for clients that need to determine specific group membership for an entry.
For more info, see Defining Dynamic Groups.
Virtual static groups. A virtual static group appears and behaves like a static group to external clients, except that each member is represented by a virtual attribute that defines its membership on the fly from another dynamic group. Virtual static groups provide an efficient way to manage large numbers of entries and avoid the scalability issues for clients that only support static groups.
For more info, see Defining Virtual Static Groups.
A static group is one whose entry contains a membership list of explicit DNs. Many clients support static groups, but static groups are difficult to manage as the number of members in a group increases in size. For example, if you have a member entry that requires a DN change, then you must change the user's DN for each group she belongs to.
Because a static group contains a list of explicit member DNs, its database footprint increases as the membership list grows. For this reason, a static group is best suited for small groups (less than 10,000) whose entries do not change frequently. Using large static groups can have a detrimental impact on performance. If you know that group membership will exceed 10,000, consider using dynamic groups instead.
The directory server supports the following three types of static groups, divided according to the object class they use:
groupOfNames You can define a static group by using the groupOfNames object class and by explicitly specifying the member DNs using the member attribute.
Note - RFC 4519 requires that the member attribute be mandatory within the groupOfNames object class. This membership requirement has traditionally caused data management problems when an administrator attempted to delete the last member in the group. The directory server solves this problem by allowing the member attribute to be optional. The optional membership requirement allows you to have an empty object class when you delete the last member of the group.
dn: cn=Example Static Group 1,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfNames member: uid=user1,ou=People,dc=example,dc=com member: uid=user2,ou=People,dc=example,dc=com cn: Example Static Group 1
groupOfUniqueNames You can define a static group by using the groupOfUniqueNames object class and by explicitly specifying the member DNs using the uniqueMember attribute. The groupOfUniqueNames object class differs from the groupOfNames object class in that you can enumerate the group's members by specifying a unique DN plus an optional identifier. The identifier ensures that the unique objects can be identified when adding, deleting, or renaming any object.
For example, you could delete or move an employee (cn=Tom Smith) and add a new employee who has the same name (cn=Tom Smith) to the directory. To distinguish the two, you must add a separate identifier by using a bit string. The following example shows two users with the same name, but the second uniqueMember has an optional identifier.
uniqueMember: uid=tsmith,ou=People,dc=example,dc=com uniqueMember: uid=tsmith,ou=People,dc=example,dc=com#'0111101'B
Note - Few LDAP applications actually use the optional UID identifier.
RFC 4519 requires that the uniqueMember attribute be mandatory within the groupOfUniqueNames object class. This membership requirement has historically caused data management problems when an administrator tried to delete the last member in the group. The directory server solves this problem by allowing the uniqueMember attribute to be optional. The optional membership requirement allows you to have an empty object class when you delete the last member of the group.
dn: cn=Example Static Group 2,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames uniqueMember: uid=user1,ou=People,dc=example,dc=com uniqueMember: uid=user2,ou=People,dc=example,dc=com cn: Example Static Group 2
groupOfEntries You can define a static group using the groupOfEntries object class. Based on the original specifications ( RFC 4519 and draft-findlay-ldap-grouofentries-00.txt, which expired in March, 2008), the groupOfEntries object class differs from the groupOfNames and groupOfUniqueNames object classes in that attributes are optional. This allows you to specify an empty object class without any members.
Note - The directory server supports the groupOfEntries draft but also allows empty groupOfNames and groupOfUniqueNames object classes. As a result, you can create empty groups of any type (groupOfEntries, groupOfNames, and groupOfUniqueNames).
dn: cn=Example Static Group 3,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfEntries cn: Example Static Group 3
This example shows an LDIF file, named static-group1.ldif, that defines the new group.
dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com cn: Directory Administrators objectclass: top objectclass: groupOfNames ou: Groups member: uid=ttully,ou=People,dc=example,dc=com member: uid=charvey,ou=People,dc=example,dc=com member: uid=rfisher,ou=People,dc=example,dc=com
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --defaultAdd --filename static-group1.ldif Processing ADD request for cn=Directory Administrators,ou=Groups,dc=example,dc=com ADD operation successful for DN cn=Directory Administrators,ou=Groups,dc=example,dc=com
This example shows an LDIF file, named static-group2.ldif, that defines the new group.
dn: cn=Directory Administrators2,ou=Groups,dc=example,dc=com cn: Directory Administrators2 objectclass: top objectclass: groupOfUniqueNames ou: Groups uniquemember: uid=alangdon,ou=People,dc=example,dc=com uniquemember: uid=drose,ou=People,dc=example,dc=com uniquemember: uid=polfield,ou=People,dc=example,dc=com
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --defaultAdd --filename static-group2.ldif
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --baseDN dc=example,dc=com "(uid=rdaugherty)" isMemberOf dn: uid=alangdon,ou=People,dc=example,dc=com isMemberOf: cn=Directory Administrators2,ou=Groups,dc=example,dc=com
This example shows an LDIF file, named static-group3.ldif, that defines the new group.
dn: cn=Directory Administrators3,ou=Groups,dc=example,dc=com cn: Directory Administrators3 objectclass: top objectclass: groupOfEntries ou: Groups member: uid=bfrancis,ou=People,dc=example,dc=com member: uid=tjames,ou=People,dc=example,dc=com member: uid=bparker,ou=People,dc=example,dc=com
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --defaultAdd --filename static-group3.ldif
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --baseDN dc=example,dc=com "(uid=bparker)" isMemberOf dn: uid=bparker,ou=People,dc=example,dc=com isMemberOf: cn=Directory Administrators3,ou=Groups,dc=example,dc=com
You can use the isMemberOf virtual attribute to search for a group. The attribute is added to the user entry at the start of the search and then removed after the search has finished. This functionality provides easy management of groups with fast read access.
This example searches for all users who are members of the group “Accounting Managers”.
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b dc=example,dc=com \ "(isMemberOf=cn=Accounting Managers,ou=Groups,dc=example,dc=com)" dn: uid=scarter,ou=People,dc=example,dc=com objectClass: person objectClass: inetOrgPerson objectClass: top objectClass: organizationalPerson ou: Accounting ou: People sn: Carter facsimiletelephonenumber: +1 408 555 9751 roomnumber: 4612 userpassword: {SSHA}3KiJ51sx2Ug7DxZoq0vA9ZY6uaomevbJUBm7OA== l: Sunnyvale cn: Sam Carter telephonenumber: +1 408 555 4798 givenname: Sam uid: scarter mail: scarter@example.com dn: uid=tmorris,ou=People,dc=example,dc=com objectClass: person objectClass: inetOrgPerson objectClass: top objectClass: organizationalPerson ou: Accounting ou: People sn: Morris facsimiletelephonenumber: +1 408 555 8473 roomnumber: 4117 userpassword: {SSHA}bjFFHv6k1kbI6fZoCEfqmTj9XOZxWR06gxpKpQ== l: Santa Clara cn: Ted Morris telephonenumber: +1 408 555 9187 givenname: Ted uid: tmorris mail: tmorris@example.com
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b dc=example,dc=com "(uid=scarter)" isMemberOf dn: uid=scarter,ou=People,dc=example,dc=com isMemberOf: cn=Accounting Managers,ou=groups,dc=example,dc=com
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b "cn=Account Managers,ou=Groups,dc=example,dc=com" \ "(&(objectclass=groupOfUniqueNames) \ (uniquemember=uid=scarter,ou=People,dc=example,dc=com))" dn: cn=Accounting Managers,ou=groups,dc=example,dc=com objectClass: groupOfUniqueNames objectClass: top ou: groups description: People who can manage accounting entries cn: Accounting Managers uniquemember: uid=scarter, ou=People, dc=example,dc=com uniquemember: uid=tmorris, ou=People, dc=example,dc=com
A dynamic group is one whose membership, rather than being maintained explicitly in a list, is determined by search criteria using an LDAP URL. For example, suppose that you want to send an email to all managers in the dc=example,dc=com naming context. To do this, you create a dynamic group in which you specify cn=Managers,ou=Groups,dc=example,dc=com. You further specify that you want only email addresses returned. When the email application queries the directory for that particular group, the directory server computes the membership dynamically and returns the corresponding list of email addresses.
Dynamic groups use the groupOfURLs object class and the memberURL attribute to define LDAP URLs with the criteria (search base, scope, and filter) to be used for determining members of the group. The mechanism for determining whether a user is a member of a dynamic group is a constant-time operation, so it is just as efficient for groups with millions of members as it is for a group with only a few members. However, care must be taken when specifying the search criteria as it can adversely affect performance if searching over a large set of data.
This example specifies the dynamic group for employees located at Cupertino.
dn: cn=cupertinoEmployees,ou=Groups,dc=example,dc=com cn: CupertinoEmployees objectclass: top objectclass: groupOfURLs ou: Groups memberURL: ldap:///ou=People,dc=example,dc=com??sub?(l=Cupertino)
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --defaultAdd --filename dynamic_group.ldif Processing ADD request for cn=cupertionEmployees,ou=Groups,dc=example,dc=com ADD operation successful for DN cn=cupertionEmployees,ou=Groups,dc=example,dc=com
This procedure illustrates the use of the virtual attribute isMemberOf. Do not use this procedure for very large groups, because it adversely affects the directory server's performance.
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b "dc=example,dc=com" \ "(isMemberOf=cn=cupertinoEmployees,ou=Groups,dc=example,dc=com)" dn: uid=abergin,ou=People,dc=example,dc=com objectClass: person objectClass: inetOrgPerson objectClass: top objectClass: organizationalPerson ou: Product Testing ou: People sn: Bergin facsimiletelephonenumber: +1 408 555 7472 roomnumber: 3472 userpassword: {SSHA}YcDl0pHLxkd/ouW2jslAk1XaT5SiY4ium5qh8w== l: Cupertino cn: Andy Bergin telephonenumber: +1 408 555 8585 givenname: Andy uid: abergin mail: abergin@example.com ...(more entries)...
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b dc=example,dc=com "(uid=abergin)" isMemberOf dn: uid=abergin,ou=People,dc=example,dc=com isMemberOf: cn=QA Managers,ou=groups,dc=example,dc=com isMemberOf: cn=cupertinoEmployees,ou=Groups,dc=example,dc=com
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b dc=example,dc=com \ "(&(uid=abergin)(isMemberOf=cn=cupertinoEmployees,ou=Groups,dc=example,dc=com))" dn: uid=abergin,ou=People,dc=example,dc=com objectClass: person objectClass: inetOrgPerson objectClass: top objectClass: organizationalPerson ou: Product Testing ou: People sn: Bergin facsimiletelephonenumber: +1 408 555 7472 roomnumber: 3472 userpassword: {SSHA}YcDl0pHLxkd/ouW2jslAk1XaT5SiY4ium5qh8w== l: Cupertino cn: Andy Bergin telephonenumber: +1 408 555 8585 givenname: Andy uid: abergin mail: abergin@example.com
A virtual static group, efficiently manages scalability for clients that can only support static groups. In a virtual static group, each entry behaves like a static group entry by using virtual attributes. The virtual attributes are dynamically determined when invoked, and the operations that determine group membership are passed to another group, such as a dynamic group, as shown in the following diagram.
Virtual static groups should include either the groupOfNames or groupOfUniqueNames object class but should not include the member or uniqueMember attribute. Virtual static groups should also contain the ds-virtual-static-group auxiliary object class and the ds-target-group-dn attribute. The ds-target-group-dn attribute is used to reference the actual group to mirror as a virtual static group and is used in place of the member or uniquemember attribute. For example:
dn: cn=Example Virtual Static Group,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames objectClass: ds-virtual-static-group cn: Example Virtual Static Group ds-target-group-dn: cn=Example Real Group,ou=Groups,dc=example,dc=com
Virtual static groups are most efficient when the application issues a search targeted at the membership attribute but does not actually retrieve the entire set of members. It is common for applications to use a filter such as the following to attempt to determine whether a user is a member of a given group:
(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=john.doe,\ ou=People,dc=example,dc=com))
For applications that retrieve the set of members, virtual static groups might not be ideal because the process of constructing the entire member list can be expensive.
This sample file, virtual-static.ldif, specifies a virtual static group named cupertinoEmployees.
dn: cn=virtualStatic,ou=Groups,dc=example,dc=com cn: Virtual Static objectclass: top objectclass: groupOfUniqueNames objectclass: ds-virtual-static-group ou: Groups ds-target-group-dn: cn=cupertinoEmployees,ou=Groups,dc=example,dc=com
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --defaultAdd --filename virtual-static.ldif Processing ADD request for cn=virtualStatic,ou=Groups,dc=example,dc=com ADD operation successful for DN cn=virtualStatic,ou=Groups,dc=example,dc=com
Virtual static groups are best used in cases where the search is targeted at the membership attribute. This procedure is therefore not recommended but is included to show how to access the list.
This example procedure uses the dynamic group, cupertinoEmployees, created in the previous example.
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b dc=example,dc=com "(isMemberOf=cn=virtualStatic,ou=Groups,dc=example,dc=com)" dn: uid=abergin,ou=People,dc=example,dc=com objectClass: person objectClass: inetOrgPerson objectClass: top objectClass: organizationalPerson ou: Product Testing ou: People sn: Bergin facsimiletelephonenumber: +1 408 555 7472 roomnumber: 3472 userpassword: {SSHA}YcDl0pHLxkd/ouW2jslAk1XaT5SiY4ium5qh8w== l: Cupertino cn: Andy Bergin telephonenumber: +1 408 555 8585 givenname: Andy uid: abergin mail: abergin@example.com ...(more entries)...
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b dc=example,dc=com "(uid=abergin)" isMemberOf dn: uid=abergin,ou=People,dc=example,dc=com isMemberOf: cn=QA Managers,ou=groups,dc=example,dc=com isMemberOf: cn=cupertinoEmployees,ou=Groups,dc=example,dc=com isMemberOf: cn=virtualStatic,ou=Groups,dc=example,dc=com
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \ "(&(objectclass=groupOfUniqueNames) \ (uniquemember=uid=abergin,ou=People,dc=example,dc=com))" dn: cn=virtualStatic,ou=Groups,dc=example,dc=com objectClass: groupOfUniqueNames objectClass: top objectClass: ds-virtual-static-group ou: Groups ds-target-group-dn: cn=cupertinoEmployees,ou=Groups,dc=example,dc=com cn: Virtual Static cn: virtualStatic
Groups can be nested, where one group is defined as a child group entry whose DN is listed within another group, its parent. The nesting of groups allows you to set up inherited group memberships when performance is not a priority. You can add zero or more member attributes with their values set to the DNs of nested child groups, including both static and dynamic groups.
This example procedure creates a nested group using one static group and one dynamic group.
This example file, static-group.ldif, specifies a virtual static group named Dev Contractors.
dn: cn=Contractors,ou=Groups,dc=example,dc=com cn: Dev Contractors objectclass: top objectclass: groupOfUniqueNames ou: Dev Contractors Static Group uniquemember: uid=wsmith,ou=Contractors,dc=example,dc=com uniquemember: uid=jstearn,ou=Contractors,dc=example,dc=com uniquemember: uid=pbrook,ou=Contractors,dc=example,dc=com uniquemember: uid=njohnson,ou=Contractors,dc=example,dc=com uniquemember: uid=sjones,ou=Contractors,dc=example,dc=com
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --defaultAdd --filename static-group.ldif
This example file, dynamic-group.ldif, specifies a dynamic group named Developers.
dn: cn=Developers,ou=Groups,dc=example,dc=com cn: Developers objectclass: top objectclass: groupOfURLs ou: Groups memberURL: ldap:///ou=People,dc=example,dc=com??sub?(ou=Product Development)
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --defaultAdd --filename dynamic-group.ldif
This example file, nested-group.ldif, specifies a nested group named Developers Group.
dn: cn=DevelopersGroup,ou=Groups,dc=example,dc=com cn: Developers Group objectclass: top objectclass: groupOfUniqueNames ou: Nested Static Group uniquemember: cn=Contractors,ou=Groups,dc=example,dc=com uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \ --defaultAdd --filename nested-group.ldif