1. Administering Oracle Internet Directory
  2. Basic Administration
  3. Managing Dynamic and Static Groups in Oracle Internet Directory

14 Managing Dynamic and Static Groups in Oracle Internet Directory

You can manage both static and dynamic groups in Oracle Internet Directory using Oracle Directory Services Manager (ODSM) and LDAP command-line utilities.

14.1 Understanding Dynamic and Static Groups

Oracle Internet Directory enables you to assign and manage membership in two types of groups—namely, static groups and dynamic groups. Each type of group suited for a different purpose.

Note:

If you are creating a hierarchy of groups, be sure that it is a true hierarchy as described in About Hierarchies of Group Entries.

See Also:

This section contains these topics:

14.1.1 Defining Static Groups

Contextual description of static groups and the schema elements required to a create a static group.

14.1.1.1 Static Group

A static group is one whose entry contains a list of members that you explicitly administer.

A static group requires you to explicitly administer its membership. For example, if a member changes his name, then you must change that user's DN for each group he belongs to. For this reason, a static group is best suited for a group whose membership is unlikely to change frequently.

14.1.1.2 Schema Elements for Creating a Static Group

When you create the entry for this kind of group, you associate it with either the groupOfNames or groupOfUniqueNames object class.

Each of these object classes has a multivalued attribute for storing the names of group members. To assign a user as a member of a group, you add the DN of each member to the respective multivalued attribute. Conversely, to remove a member from a group, you delete the member's DN from the respective attribute. In the groupOfNames object class, this multivalued attribute is member, and, in the groupOfUniqueNames object class, it is uniqueMember.

14.1.2 Defining Dynamic Groups

Contextual description of dynamic group and the schema elements is required to create a dynamic group.

14.1.2.1 Dynamic Group

A dynamic group is one whose membership, rather than being maintained in a list, is computed, based on rules and assertions you specify. Oracle Internet Directory supports the following methods for dynamically computing the membership of the group:

  • Using orclDynamicGroup object class and labeleduri attribute

  • Using orclDynamicGroup object class and CONNECT_BY attributes

  • Using orclDynamicList object class and labeleduri attribute (referred as dynamic list)

Dynamic groups can have static and dynamic members. The static members are listed as values of the member or uniquemember attribute.

14.1.2.2 Cached and Uncached Dynamic Groups

Dynamic groups can be cached or uncached. By cached, we mean that dynamic group members are computed and stored when the dynamic group is added, and that the member list is kept consistent when the dynamic group is later modified. As entries are added, modified, deleted, and renamed, the member lists of all dynamic groups are kept consistent. For example, if there is a dynamic group containing all person entries under "c=us", when we add "cn=user1,c=us", that entry is automatically added to the member list of the dynamic group. Similarly, when we delete "cn=user1,c=us", the entry is removed from the dynamic group's member list. This feature ensures that whenever a search is performed for a dynamic group, the member list can be fetched from the stored data without any additional computation. The search performance for cached dynamic groups is almost the same as for static groups.

Cached Dynamic Group

Starting with Oracle Internet Directory 10g (10.1.4.0.1), dynamic groups based on orclDynamicGroup object class using labeleduri attribute are cached.

Uncached Dynamic Group

  • Dynamic groups based on orclDynamicGroup object class using CONNECT_BY attributes are not cached.

  • Since Oracle Internet Directory 11g Release 1 (11.1.1.4.0), a second type of dynamic group based on labeleduri attribute is available. It is referred to as a dynamic list, and its members are not cached. You determine whether a dynamic group based on the labeleduri attribute is cached or uncached by selecting the type of auxiliary object class your group is associated with, as described in Schema Elements for Creating a Dynamic Group. If you want a cached group, associate your group with the auxiliary object class orclDynamicGroup. If you want an uncached group, associate your group with the auxiliary object class or orclDynamicList object class.

Note:

  • You cannot add a dynamic group based on the labeledURI attribute with scope base. Only scope sub and one are supported.

  • To refresh dynamic group memberships for dynamic groups using the orclDynamicGroup object class and labeleduri attribute, set the attribute orclrefreshdgrmems in the DSA Configuration entry to 1. Oracle Internet Directory recomputes the member lists for all dynamic groups and resets the value of orclrefreshdgrmems to 0. If there are many groups, this operation can take a long time to complete.

  • When you query for the groups that a user belongs to, dynamic groups based on the labeledURI attribute are automatically included in the result. Dynamic groups based on the CONNECT_BY assertion and dynamic lists must be explicitly queried. For example, assume nc=jdoe,cn=users,o=oracle is a member of three groups: labeleduri dynamic group dgrouplab1, CONNECT BY dynamic group dgroupcby1, and dynamic list dlist1. The search uniquemember=cn=jdoe,cn=users,o=oracle finds only the cached labeleduri dynamic group dgrouplab1.

See Also:

14.1.2.3 Enhancements of Dynamic Groups in Oracle Internet Directory

In Oracle Internet Directory 10g (10.1.4.1) and later releases, you can use dynamic groups in the same ways you use static groups. For example, you can use them in:

  • Access control lists, by associating the group with either the orclACPgroup or the orclPrivilegeGroup object class.

  • Hierarchical group resolution queries

14.1.2.4 Limitations of Dynamic Groups in Oracle Internet Directory

Dynamic groups have the following limitations in Oracle Internet Directory:

14.1.2.5 Schema Elements for Creating a Dynamic Group

When you create a dynamic group, you begin as when creating a static group—that is, you associate its entry with either the groupOfNames or groupOfUniqueNames object class. You then associate that object class with the auxiliary object class orclDynamicGroup or orclDynamicList.

The auxiliary object class orclDynamicGroup has various attributes in which you specify one of two methods for dynamically computing the membership of the group: using the labeledURI attribute and using a CONNECT BY assertion. The auxiliary object class orclDynamicList supports only the labeledURI attribute method of computing membership.

14.1.2.6 About labeledURI Attribute

Both of the auxiliary object classes orclDynamicGroup and orclDynamicList have the labeledURI attribute. If you associate your group with orclDynamicGroup and use the labeledURI attribute to compute membership, the group is cached. If you associate your group with orclDynamicList and use the labeledURI attribute to compute membership, the group is not cached. This uncached type, using orclDynamicList objectclass, is referred to as a dynamic list.

When using the labeledURI method, the directory server performs a typical search based on the hierarchy of the DIT. It requires you to provide a value for one of the attributes of the orclDynamicGroup or orclDynamicList object class, namely labeledURI. In this attribute, you specify the base of the query, the filters, and any required attributes. For example, suppose that you have entered the following value for the labeledURI attribute: 

labeledURI:ldap://host:port/ou=NewUnit,o=MyCompany,c=US??sub?(objectclass=person)

When you use this method, a search for the entry returns entries for all members of the group.

Do not set orclConnectByAttribute or orclConnectByStartingValue when using the labeledURI attribute method.

Note:

In the labeledURI attribute, the host:port section is present for syntax purposes alone. Irrespective of the host and port settings in the labeledURI attribute, the directory server always computes members of dynamic group from the local directory server. It cannot retrieve members from other directory servers.

See Also:

"The LDAP URL Format" (RFC 2255). T. Howes, M. Smith, December 1997. This RFC provides more information about how LDAP URLs are to be represented—as, for example, in the labeledURI attribute. It is available at http://www.ietf.org.

14.1.2.7 About CONNECT BY Assertion

Unlike the labeledURI attribute method, this method relies not on the hierarchy of the DIT, but on attributes that implicitly connect entries to each other, regardless of their location in the DIT. For example, the manager attribute connects the entries of employees with those of their managers, and this connection applies regardless of the location of the employee entries in the DIT. This method uses a CONNECT BY clause in which you specify the attribute to use for building the hierarchy—for example, manager—and the starting value for such a hierarchy—for example, cn=Anne Smith,cn=users,dc=example,dc=com.

See Also:

Performing Hierarchical Searches in Application Developer's Guide for Oracle Identity Management.

More specifically, to use this method, you specify in the orclDynamicGroup object class a value for each of the single-valued attributes in Table 14-1.

Table 14-1 orclDynamicGroup Attributes for "Connect By" Assertions

Attribute Description

orclConnectByAttribute

The attribute that you want to use as the filter for the query—for example, manager. This attributed must be indexed.

orclConnectByStartingValue

The DN of the attribute you specified in the orclConnectByAttribute attribute—for example, cn=Anne Smith,cn=users,dc=example,dc=com

For example, to retrieve the entries of all employees who report to Anne Smith in the MyOrganizational Unit in the Americas, you would provide values for these attributes as follows:

orclConnectByAttribute=manager
orclConnectByStartingValue= "cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US"

Do not set labeledURI when using the CONNECT BY assertion method.

You can also develop an application specifying that you want the values for a particular attribute—for example, the email attribute—of all the members.

See Also:

Developing Applications for Oracle Identity Management in Application Developer's Guide for Oracle Identity Management for more information about how to develop applications that retrieve values for particular attributes.

14.1.2.8 Example of a Dynamic Group Entry Using the labeledURI Attribute

The following is an example of a dynamic group entry using the labeledURI attribute. 

dn: cn=dgroup1
cn: dgroup1
description: this is an example of a dynamic group
labeleduri:ldap://hostname:7777/ou=oid,l=amer,dc=oracle,
 dc=dgrptest??sub?objectclass=person
objectclass: orcldynamicgroup
objectclass: groupOfUniqueNames
objectclass: top

This group will have uniquemember values that are the DNs of all entries associated with the object class person in the subtree ou=oid,l=amer,dc=oracle,dc=dgrptest.

14.1.2.9 Example of a Dynamic List Entry Using the labeledURI Attribute

The following is an example of a dynamic list entry using the labeledURI attribute. (Dynamic lists are not cached.) It is the same as the previous example, except that the auxiliary object class is orclDynamicList instead of orclDynamicGroup

dn: cn=dgroup1
cn: dgroup1
description: this is an example of a dynamic group
labeleduri:ldap://hostname:7777/ou=oid,l=amer,dc=oracle,
 dc=dgrptest??sub?objectclass=person
objectclass: orcldynamiclist
objectclass: groupOfUniqueNames
objectclass: top

This group will have uniquemember values that are the DNs of all entries associated with the object class person in the subtree ou=oid,l=amer,dc=oracle,dc=dgrptest. Searches for the uniquemember attribute, however, will not pick up dynamic lists

14.1.2.10 Example of a Dynamic Group Entry Using the CONNECT BY Assertion

The following is an example of a dynamic group entry that uses the CONNECT_BY assertion.

dn: cn=dgroup2
cn: dgroup2
description: this is connect by manager assertion dynamic group
orclconnectbyattribute: manager
orclconnectbystartingvalue: cn=john doe sr,l=amer,dc=oracle,dc=dgrptest
objectclass: orcldynamicgroup
objectclass: groupOfUniqueNames
objectclass: top

This dynamic group has unique members with values that are DNs of all the entries whose manager attribute is cn=john doe sr. either indirectly or directly. If several individuals have cn=john doe JR. as their manager, and he, in turn, has cn=john doe SR. as his manager, then all the lower-level individuals are returned.

14.1.3 About Hierarchies of Group Entries

Hierarchies can be either explicit or implicit. In explicit hierarchies, the relationship is determined by the location of the entry in the DIT—for example, Group A may reside higher in the DIT than Group B.

In implicit hierarchies, the relationship between entries is determined not by the location in the DIT, but by the values of certain attributes. For example, suppose that you have a DIT in which the entry for John Doe is at the same level of the hierarchy as Anne Smith. However, suppose that, in the entry for John Doe, the manager attribute specifies Anne Smith as his manager. In this case, although their locations in the DIT are at an equal level, their rankings in the hierarchy are unequal because Anne Smith is specified as John Doe's manager.

Note:

In a query based on an implicit hierarchy, the client can specify in the search request the control 2.16.840.1.113894.1.8.3. The filter in this query specifies the attribute used to build the implicit hierarchy. For example, (manager=cn=john doe, o=foo) specifies the query for all people reporting directly or indirectly to John Doe. The implicit hierarchy is based on the manager attribute. The base of the search is ignored for such queries.

For more information on controls used by Oracle Internet Directory, see About LDAP Controls in Reference for Oracle Identity Management.

See Also:

Overview of Oracle Internet Directory C API in Application Developer's Guide for Oracle Identity Management.

14.1.4 About Querying Group Entries

An application query list the members of the group and list of all groups.

An application can query either kind of group to do the following:

  • List all members of a group

  • List all groups of which a user is a member

  • Check to see if a user is a member of a particular group

In addition, you can query dynamic groups, but not static ones, for whatever member attributes you specify.

Note:

The GSL_REQDATTR_CONTROL entry under LDAP Controls in Reference for Oracle Identity Management.

14.1.5 Understanding the orclMemberOf Attribute

orclMemberOf is a multivalued attribute containing the groups to which the entry belongs.

The following topics provide a conceptual description of the orclMemberOf attribute and also describe how to use this attribute in search filters:

14.1.5.1 About orclMemberOf Attribute

orclMemberOf is a multivalued attribute containing the groups to which the entry belongs. The groups in orclMemberOf include static groups and labeleduri-based dynamic groups. CONNECT BY assertion-based dynamic groups and dynamic lists are not included. The membership includes both direct groups and nested groups.

For example, suppose Mary is a member of the static group directors and the group directors is a member of the static group managers. If you do a specific query for the attribute orclMemberOf on Mary's DN, the values will contain both managers and directors.

The attribute values are computed during search and are not stored. orclMemberOf is not returned in a search unless explicitly requested by name.

As of Oracle Internet Directory 11g Release 1 (11.1.1.7.0), orclMemberOf can be used in search filters. Using orclmemberof is very useful with complex filters. Previously, the best way to find users belonging to multiple groups was to perform multiple search queries to fetch the data and then use client side application logic to compute the results. Now that orclmemberof can be used in search filters, you can do this with a single search query. Some of the examples include such queries.

orclMemberOf has the aliases memberof and ismemberof for compatibility with Active Directory and Oracle Directory Server Enterprise Edition (formerly Sun Java System Directory Server and SunONE iPlanet). These aliases can be used interchangeably and all of the search queries can be also be done using these two aliases instead of orclmemberof.

Note:

The attribute orclMemberOf is a virtual attribute, so it cannot be used for the following purposes:

  • In the LDAP filter part of the labeleduri attribute for creating dynamic groups or dynamic lists.

  • In a filter to be processed in memory using orclinmemfiltprocess. For information about orclinmemfiltprocess, see Optimizing Performance of Complex Search Filters in Tuning Performance.

14.1.5.2 Examples of Using the orclMemberOf Attribute

The following examples show how to use the orclMemberOf attribute in various search scenarios:

  • Search single user:

    ldapsearch -h host -p 3060 -D binddn -q -b "cn=jdoe,cn=users,o=oracle" -s base "(objectclass=*)" orclmemberof

  • Search with memberof alias: 

    ldapsearch -h host -p 3060 -D binddn -q -b "cn=jdoe,cn=users,o=oracle" -s base "(objectclass=*)" memberof

  • Get all attributes and orclmemberof: 

    ldapsearch -h host -p 3060 -D binddn -q -b "cn=jdoe,cn=users,o=oracle" -s base "(objectclass=*)" orclmemberof  *

  • Search multiple users:

    ldapsearch -h host -p 3060 -D binddn -q -b "cn=users,o=oracle" -s sub "(objectclass=person)" orclmemberof

  • Use in search filters:

    • To determine whether user John Doe is member of the HR employees group, perform a base search against that user with a filter that checks if orclmemberof has the HR employees group. 

      ldapsearch -h localhost -p 3060 -D binddn -q -b "cn=johndoe,cn=users,o=oracle" -s base "(orclmemberof=cn=hr,cn=groups,o=oracle)" dn

    • To find all the users who are member of the HR employees group, perform a subtree search against user container for all entries with orclmemberof containing the HR employees group. 

      ldapsearch -h localhost -p 3060 -D binddn -q -b "cn=users,o=oracle" -s sub "(orclmemberof=cn=hr,cn=groups,o=oracle)" dn

    • To find the users who are member of multiple groups, use a filter that combines multiple orclmemberof conditions with AND. This provides the intersection of the two group memberships. The following search finds users who are members of both HR employees and Managers group. 

      ldapsearch -h localhost -p 3060 -D binddn -q -b "cn=users,o=oracle" -s sub "(&(orclmemberof=cn=hr,cn=groups,o=oracle)(orclmemberof=cn=managers,cn=groups,o=oracle))" dn

    • To find the users who are member of either HR employees or Managers group, use a filter that combines multiple orclmemberof conditions with OR. This provides the union of the two group memberships. You can use this method for three or more groups as well. 

      ldapsearch -h localhost -p 3060 -D binddn -q -b "cn=users,o=oracle" -s sub "(|(orclmemberof=cn=hr,cn=groups,o=oracle)(orclmemberof=cn=managers,cn=groups,o=oracle))" dn

    • To determine all employees who belong to HR group, have the location California, and have the title HR Administrator, use the following query: 

      ldapsearch -h localhost -p 3060 -D binddn -q -b "cn=users,o=oracle" -s sub "(&(orclmemberof=cn=hr,cn=groups,o=oracle)(l=ca)(title=HR Administrator))" dn

    • The following example uses the memberof alias in a search filter instead of orclmemberof: 

      ldapsearch -h localhost -p 3060 -D binddn -q -b "cn=users,o=oracle" -s sub "(memberof=cn=hr,cn=groups,o=oracle)" dn

Note:

Managing Alias Entries.

14.1.6 Considerations for Using Static and Dynamic Group

When deliberating about which kind of group to use, you must weigh the ease of administration against higher performance. For example, dynamic groups provide for easier administration, but cause a decrease in performance.

Table 14-2 lists some things to consider when deliberating whether to use static or dynamic groups.

Table 14-2 Static and Dynamic Group Considerations

Consideration Static Groups Dynamic Groups

Ease of administration

More difficult to administer if group memberships are large and change frequently

Easier to use, especially when group memberships are large and change frequently

Search Performance

Higher level of performance because you explicitly administer the membership list

Slightly decreased level of performance with dynamic groups using labeleduri, but almost same when compared to static groups, because memberships are cached. Decrease in performance with uncached groups, when compared to static groups and cached dynamic groups because memberships are computed as needed.

14.2 Managing Group Entries by Using Oracle Directory Services Manager

You can manage static and dynamic group entries by using the Data Browser page in Oracle Directory Services Manager.

You can display group entries, search for groups, and view groups using the procedures described in Managing Entries by Using Oracle Directory Services Manager. The procedures for creating and modifying groups are described in this section. This section contains the following topics:

14.2.1 Creating Static Group Entries by Using Oracle Directory Services Manager

If the static group entry belongs to the groupOfNames object class, then you determine membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine membership in the group by adding DNs to the multivalued attribute uniqueMember.

To add a static group entry:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Data Browser.
  3. On the toolbar, choose the Create a new entry icon. Alternatively, right click any entry and choose Create.

    You can, alternatively, select a group that is similar to the one you want to create, then choose the Create a new entry like this one icon. Alternatively, right click any entry and choose Create.

    The Create New Entry wizard appears.

  4. Specify the object classes for the new entry. Click the Add icon and use the Add Object Class dialog to select either groupOfNames or groupOfUniqueNames. (All the superclasses from this object class through top are also added.)

    Click OK.

  5. In the Parent of the entry field, you can specify the full DN of the parent entry of the entry you are creating. You can also click Browse to locate and select the DN of the parent for the entry you want to add, then click Select.

    If you leave the Parent of the entry field blank, the entry is created under the root entry.

  6. Click Next.
  7. Choose an attribute which will be the Relative Distinguished Name value for this entry and enter a value for that attribute. You must enter a value for the cn attribute, even if it is not the RDN value.
  8. Click Next. The next page of the wizard appears. (Alternatively, you can click Back to return to the previous page.)
  9. Click Finish.

14.2.2 Adding an Owner or Member to a Static Group Entry

You can add an owner to or member to a static group entry.

Perform the following steps to add an owner or member to a static group entry:

  1. Navigate to the group entry you just created in Creating Static Group Entries by Using Oracle Directory Services Manager.

  2. Select the Group tab.

  3. To add a member to the group:

    1. Click the Add icon next to the Members text box.

    2. Select the entry you want to add as a member (usually a user or group entry) in the Select Distinguished Name Path dialog.

    3. Click OK.

  4. To add an owner to the group:

    1. Click the Add icon next to the Owners text box.

    2. Select the entry you want to add as an owner (usually a user or group entry) in the Select Distinguished Name Path dialog.

    3. Click OK.

  5. Click Apply to save your changes or Revert to discard them.

14.2.3 Modifying an Attribute of a Static Group Entry

You can modify an attribute of a static group entry such as member list.

Perform the steps to modify an attribute, such as the member list, for a group entry:

  1. Navigate to the group entry you just created in Creating Static Group Entries by Using Oracle Directory Services Manager.

  2. Select the Attributes tab.

  3. By default, only non-empty attributes are shown. You can switch between Managed Attributes and Show All by using the Views list.

  4. To change the list of attributes shown as managed attributes:

    1. Click the icon under Optional Attributes.

    2. Select attributes you want to move from the All Attributes list to the Shown Attributes lists and use the Move and Move All arrows to move the attributes.

      Select attributes you want to move from the shown Attributes list to the All Attributes lists and use the Remove and Remove All arrows to move the attributes.

    3. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.

  5. Specify values for the optional properties. You can also modify the values of the mandatory properties. For multivalued attributes, you can use the Add and Delete icons to add and delete multiple values.

  6. Click Apply to save your changes or Revert to discard them.

    You can set an access control point (ACP) on this entry by using the Subtree Access and Local Access tabs. The procedures are described in Adding or Modifying an ACP by Using the Data Browser in ODSM and Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM.

    See Also:

14.2.4 Creating Dynamic Group Entries by Using Oracle Directory Services Manager

Dynamic groups can have static and dynamic members. The static members are listed as values of the member or uniquemember attribute. If the dynamic group entry belongs to the groupOfNames object class, then add static members to the group by adding DNs to the multivalued attribute member.

If the dynamic group entry belongs to the groupOfUniqueNames object class, then add static members to the group by adding DNs to the multivalued attribute uniqueMember.

For dynamic groups, you must also set attributes to specify how the group membership is computed. You must choose either the labeledURI or the CONNECT BY method for dynamically computing membership in the group. You cannot use both methods. If you are using the labeledURI method, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. If you are using the CONNECT BY method, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute.

To add a dynamic group entry:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager.
  2. From the task selection bar, select Data Browser.
  3. On the toolbar, choose Create a new entry. The Create New Entry wizard appears.
  4. Specify the object classes for the new entry. Select at least the following object class entries.

    • Either groupOfNames or groupOfUniqueNames

    • orclDynamicGroup or orclDynamicList

    Use orclDynamicGroup for a cached dynamic group based on labeledURI or a dynamic group based on CONNECT BY. Use orclDynamicList for an uncached dynamic list based on labeledURI.

    Click the Add icon and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, select it and then click OK. (All the superclasses from this object class through top are also added.)

  5. In the Parent of the entry field, you can specify the full DN of the parent entry of the entry you are creating. You can also click Browse to locate the DN of the parent for the entry you want to add, then click Select.

    If you leave the Parent of the entry field blank, the entry is created under the root entry.

  6. Click Next.
  7. Choose an attribute which will be the Relative Distinguished Name value for this entry and enter a value for that attribute. You must enter a value for the cn attribute, even if it is not the RDN value.
  8. Click Next. The next page of the wizard appears. (Alternatively, you can click Back to return to the previous page.)
  9. Click Finish.

14.2.5 Adding an Owner or Member to a Dynamic Group Entry

You can add an owner or member to a dynamic group entry.

To add an owner or member to a dynamic group entry:

  1. Navigate to the group entry you just created in Creating Dynamic Group Entries by Using Oracle Directory Services Manager. (You might have to click the Refresh icon to see the new entry).

  2. Select the Group tab.

  3. To add an owner to the group:

    1. Click the Add icon next to the Owner box.

    2. Select the entry you want to add as owner (usually a user or group entry) in the Select Distinguished Name Path dialog.

    3. Click OK.

  4. To add a member to the group:

    1. Click the Add icon next to the Members text box.

    2. Select the entry you want to add as a member (usually a user or group entry) in the Select Distinguished Name Path dialog.

    3. Click OK.

  5. Choose Apply to apply your changes or choose Revert to abandon your changes.

14.2.6 Modifying an Attribute of a Dynamic Group Entry

You can modify an attribute for a dynamic group entry by using either CONNECT BY or labeledURI method for dynamically computing membership in the group.

To modify an attribute for a dynamic group entry:

  1. Navigate to the group entry you just created in Creating Dynamic Group Entries by Using Oracle Directory Services Manager. (You might have to click the Refresh icon to see the new entry).

  2. Select the Attributes tab.

  3. You can switch between Managed Attributes and Show All by using the Views list.

  4. To change the list of attributes shown as managed attributes:

    1. Click the icon under Optional Attributes.

    2. Select attributes you want to move from the All Attributes list to the Shown Attributes lists and use the Move and Move All arrows to move the attributes.

      Select attributes you want to move from the shown Attributes list to the All Attributes lists and use the Remove and Remove All arrows to move the attributes.

    3. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.

  5. If you are using the labeledURI method for dynamically computing membership in the group, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. In the Attributes tab page, in the labeledURI field, specify the following: 

    ldap:ldap_URL

    For example:

    ldap://my_host:3000/ou=MyNeworganizationalUnit,
 o=MyCompany,c=US??sub?(objectclass=person)

    If you are using the CONNECT BY method for dynamically computing membership in the group, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute. In the orclConnectByAttribute field, specify the attribute that you want to use as the filter for the query—for example, manager. In the orclConnectByStartingValue field, specify the DN of the attribute you specified in the orclConnectByAttribute attribute—for example, cn=Anne Smith.

    For information about specifying the other attributes that appear in the Attributes tab page, see User and Group Schema Elements in Reference for Oracle Identity Management.

  6. Click Apply to save your changes or Revert to discard them.

14.2.7 Modifying a Dynamic Group Entry by Using Oracle Directory Services Manager

Remember that you must choose either the labeledURI or the CONNECT BY method for dynamically computing membership in the group. You cannot use both methods. If you are using the labeledURI method, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. If you are using the CONNECT BY method, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute.

You can add static members to a dynamic group, but you are not required to do so.

You can set an access control point (ACP) on this entry by using the Subtree Access and Local Access tabs. The procedures are described in Adding or Modifying an ACP by Using the Data Browser in ODSM and Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM.

See Also:

14.3 Managing Group Entries by Using the Command Line

You can manage static and dynamic groups from the command line by using LDAP tools.

This section contains the following topics:

Note:

  • When you create a group, specifying members is optional and is shown here for the sake of completeness.

  • It is uncommon to have dynamic groups with static membership.

14.3.1 Creating a Static Group Entry by Using ldapadd

ldapadd is used to create a static group entry.

The syntax for the LDIF file is:

dn: DN_of_group_entry
objectclass: top
objectclass: groupOfNames | groupOfUniqueNames
member: DN of member 1
member: DN of member 2
.
.
.
member: DN of member N

The following command adds the group and members in this LDIF file to the directory:

ldapadd -p port_number -h host -D cn=orcladmin -q -f file_name.ldif

The following example shows an LDIF file named myStaticGroup.ldif for the entry for a group named MyStaticGroup: 

dn: cn=myStaticGroup,c=us
objectclass: top
objectclass: groupOfNames
member: cn=John Doe
member: cn=Anne Smith

The following command adds the group and members in this LDIF file to the directory:

ldapadd -p 3060 -h myhost -D cn=orcladmin -q -f myStaticGroup.ldif

14.3.2 Modifying a Static Group by Using ldapmodify

ldapmodify is used to modify a static group.

To add a member to a group, the syntax of the LDIF file is:

dn: DN_of_group_entry
changetype: modify
add: member
member: DN of member entry

To delete a member from a group, the syntax of the LDIF file is:

dn: DN of group entry
changetype: modify
delete:member
member:DN of member entry

Issue this command to modify the file:

ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f file_name.ldif

where -v specifies verbose mode.

The following example adds John Doe to a group named MyStaticGroup. As in the previous example, the data for this user entry is in the myStaticGroup.ldif file. This file contains the following: 

dn: cn=myStaticGroup,c=us
changetype: modify
add:member
member: cn=John Doe

Issue this command to modify the file:

ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f myStaticGroup.ldif

where -v specifies verbose mode.

Note:

When you add or modify an entry, the Oracle directory server does not verify the existence of the entry. However, if the attribute value must contain a DN, then the directory server verifies that the DN is specified.

14.3.3 Creating a Dynamic Group Entry by Using ldapadd

You can use ldapadd to create a dynamic group from the command line.

The following topics describe how to create a dynamic group using labeledURI attribute and CONNECT BY String:

14.3.3.1 Creating a Cached Dynamic Group Using labeledURI Attribute

If you use the labeledURI attribute to create a cached dynamic group, then the syntax for the LDIF file is: 

dn: DN_of_group_entry
objectclass: top
objectclass: groupOfNames | groupOfUniqueNames
objectclass: orcldynamicgroup
labeledURI:ldap:ldap_URL
member: DN of member 1
member: DN of member 2
.
.
.
member: DN of member N

Use the following command to add the group and members in this LDIF file to the directory:

ldapadd -p port_number -h host -f file_name.ldif
14.3.3.2 Creating an Uncached Dynamic List Using labeledURI Attribute

If you use the labeledURI attribute to create an uncached dynamic list, then the syntax for the LDIF file is: 

dn: DN_of_group_entry
objectclass: top
objectclass: groupOfNames | groupOfUniqueNames
objectclass: orcldynamiclist
labeledURI:ldap:ldap_URL
member: DN of member 1
member: DN of member 2
.
.
.
member: DN of member N

Use the same command as in the previous example to add the group and members in this LDIF file to the directory:

ldapadd -p port_number -h host -f file_name.ldif
14.3.3.3 Creating a Dynamic Group Using CONNECT BY String

If you use the CONNECT BY string, then the syntax for the LDIF file is: 

dn: DN_of_group_entry
objectclass: top
objectclass: groupOfNames | groupOfUniqueNames
objectclass: orclDynamicGroup
orclConnectByAttribute:attribute_name
orclConnectByStartingValue:DN_of_attribute
member: DN of member 1
member: DN of member 2
.
.
.
member: DN of member N

When specifying entries in this syntax, do not use double quotes around distinguished names.

The following example shows an LDIF file for the entry for a dynamic group:

dn: cn=myDynamicGroup,c=us
objectclass: top
objectclass: groupOfNames
objectclass: orcldynamicgroup
labeledURI:ldap://my_host:3000/ou=MyNeworganizationalUnit,
 o=MyCompany,c=US??sub?(objectclass=person)
member: cn=John Doe
member: cn=Anne Smith

The following command adds this LDIF file to the directory:

ldapadd -p 3060 -h myhost -f myDynamicGroup.ldif

14.3.4 Modifying a Dynamic Group by Using ldapmodify

ldapmodify command is used to modify a dynamic group.

To change the organizational unit of the group created in the previous example, the syntax of the LDIF file is:

dn: DN_of_group_entry
changetype: modify
replace:labeledURI
labeledURI:ldap://my_host:3000/
 ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)

Note:

When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.