Directory Server, Version 6.1

 

Groups and roles

 

Groups

A group is a list, such as a collection of names. A group can be used in aclentry, ibm-filterAclEntry, and entryowner attributes to control access, or for application-specific purposes such as a mailing list; see Access control lists. Groups can be static, dynamic, or nested, or a hybrid that combines these member types.

 

Static groups

A static group defines each member individually using the structural object class groupOfNames, groupOfUniqueNames, accessGroup, or accessRole, or the auxiliary object class ibm-staticGroup or ibm-globalAdminGroup. A static group that uses the structural object class groupOfNames or groupOfUniqueNames requires at least one member or uniqueMember value, respectively.

The IBM® Tivoli® Directory Server enforces partial referential integrity for static groups. Referential integrity is a database concept that ensures relationships between tables remain consistent. When a static group is added into the directory, the members need not exist in the directory. However, when an object is deleted from the directory, all static groups that have this object as a member are updated automatically to remove this object from their lists of members. In addition, when an object is renamed in the directory, all static groups and nested groups that have this object as a member are updated automatically to rename this object in their lists of members.

Note:

This concept does not apply to dynamic groups because dynamic groups are search-based. The deletion of an object from the directory automatically causes it to be excluded from the search results.

A typical group entry is:

DN: cn=Dev.Staff,ou=Austin,c=US
objectclass: accessGroup
cn: Dev.Staff 
member: cn=John Doe,o=sample
member: cn=Jane Smith,o=sample
member: cn=James Smith,o=sample

Each group object contains a multivalued attribute consisting of member DNs.

Upon deletion of an access group, the access group is also deleted from all ACLs to which it has been applied.
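The behaviour just described, as an added example that is not part of the IBM documentation or of the product: a small in-memory directory with a static group whose member list is kept consistent when entries are deleted or renamed. The group and member DNs are taken from the Dev.Staff entry above; the dynamic group cn=Everyone and the helper names are assumptions made for the example. It also includes a dangling_members check, because a member DN that does not yet exist is accepted at add time and would confer the group's rights on whatever entry is later created under that name.

```python
# Added example, not IBM's code: an in-memory model of the partial referential
# integrity described above. Members may be added before their entries exist;
# deleting or renaming an entry fixes up every static group's member list;
# dynamic groups are left alone because they are search-based.

def norm_dn(dn):
    # Case-insensitive DN comparison, ignoring spaces after commas.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def add_static_group(directory, group_dn, members):
    # No existence check on members: the server accepts dangling member DNs.
    directory[norm_dn(group_dn)] = {"objectclass": ["accessGroup"],
                                    "member": [norm_dn(m) for m in members]}

def dangling_members(directory, group_dn):
    """Static members that do not (yet) exist as entries. Worth checking before
    the group is named in an aclentry: whichever entry is later created under
    such a DN picks up the group's rights."""
    return [m for m in directory[norm_dn(group_dn)].get("member", [])
            if m not in directory]

def delete_entry(directory, dn):
    """Delete an entry and drop it from every static group's member list.
    memberURL values are untouched: the entry simply stops matching the search."""
    target = norm_dn(dn)
    del directory[target]
    for entry in directory.values():
        if "member" in entry:
            entry["member"] = [m for m in entry["member"] if m != target]

def rename_entry(directory, old_dn, new_dn):
    """Rename an entry and rewrite matching values in static and nested groups."""
    old, new = norm_dn(old_dn), norm_dn(new_dn)
    directory[new] = directory.pop(old)
    for entry in directory.values():
        for attr in ("member", "ibm-membergroup"):
            if attr in entry:
                entry[attr] = [new if v == old else v for v in entry[attr]]

def sample_directory():
    # Constructed sample: the Dev.Staff group from the text, two of its three
    # members as real entries, and an assumed dynamic group for contrast.
    d = {norm_dn("cn=John Doe,o=sample"): {"objectclass": ["person"], "cn": ["John Doe"]},
         norm_dn("cn=Jane Smith,o=sample"): {"objectclass": ["person"], "cn": ["Jane Smith"]},
         norm_dn("cn=Everyone,ou=Austin,c=US"): {"objectclass": ["groupOfURLs"],
                                                 "memberurl": ["ldap:///o=sample??sub?objectclass=person"]}}
    add_static_group(d, "cn=Dev.Staff,ou=Austin,c=US",
                     ["cn=John Doe,o=sample", "cn=Jane Smith,o=sample",
                      "cn=James Smith,o=sample"])  # James Smith does not exist yet
    return d
```

dangling_members is the check worth running before an access group is referenced from an aclentry; the server itself accepts a misspelled or not-yet-created member DN without comment.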

 

Dynamic groups

A dynamic group defines its members differently than a static group. Instead of listing them individually, the dynamic group defines its members using an LDAP search. The dynamic group uses the structural objectclass groupOfURLs (or auxiliary objectclass ibm-dynamicGroup) and the attribute, memberURL to define the search using a simplified LDAP URL syntax.

 ldap:///<base DN of search> ? ? <scope of search> ? <searchfilter>
Note:

As the example illustrates, the host name must not be present in the syntax. The remaining parameters are just like normal ldap URL syntax. Each parameter field must be separated by a ?, even if no parameter is specified. Normally, a list of attributes to return would be included between the base DN and scope of the search. This parameter is also not used by the server when determining dynamic membership, and so may be omitted, however, the separator ? must still be present.

where:

base DN of search

Is the point from which the search begins in the directory. It can be the suffix or root of the directory such as ou=Austin. This parameter is required.

scope of search

Specifies the extent of the search. The default scope is sub.

base

Returns information only about the base DN specified in the URL

one

Returns information about entries one level below the base DN specified in the URL. It does not include the base entry.

sub

Returns information about entries at all levels below and includes the base DN.

searchfilter

Is the filter that you want to apply to the entries within the scope of the search. See the idsldapsearch command information in the IBM Tivoli Directory Server version 6.1 Command Reference for more information about the syntax of the searchfilter. The default is objectclass=*.

The search for dynamic members is always internal to the server, so unlike a full ldap URL, a host name and port number is never specified, and the protocol is always ldap (never ldaps). The memberURL attribute may contain any kind of URL, but the server only uses memberURLs beginning with ldap:/// to determine dynamic membership.

 

Examples

A single entry in which the scope defaults to sub and the filter defaults to objectclass=*:

ldap:///cn=John Doe, cn=Employees, o=Acme, c=US

All entries that are one-level below cn=Employees, and the filter defaults to objectclass=*:

ldap:///cn=Employees, o=Acme, c=US??one

All entries that are under o=Acme with the objectclass=person:

ldap:///o=Acme, c=US??sub?objectclass=person

Depending on the object classes you use to define user entries, those entries might not contain attributes that are appropriate for determining group membership. You can use the auxiliary object class ibm-dynamicMember to extend your user entries with the ibm-group attribute. This attribute allows you to add arbitrary values to your user entries to serve as targets for the filters of your dynamic groups. For example:

The members of this dynamic group are entries directly under the cn=users,ou=Austin entry that have an ibm-group attribute of GROUP1:

dn: cn=GROUP1,ou=Austin
 objectclass: groupOfURLs
 cn: GROUP1
 memberURL: ldap:///cn=users,ou=Austin??one?(ibm-group=GROUP1)

Here is an example member of cn=GROUP1,ou=Austin:

dn: cn=Group 1 member, cn=users, ou=austin
 objectclass: person
 objectclass: ibm-dynamicMember
 cn: Group 1 member
 sn: member
 userpassword: memberpassword
 ibm-group: GROUP1

 

Nested groups

The nesting of groups enables the creation of hierarchical relationships that can be used to define inherited group membership. A nested group is defined as a parent group entry that has members that are group entries. A nested group is created by extending one of the structural group object classes by adding the ibm-nestedGroup auxiliary object class. After nested group extension, zero or more ibm-memberGroup attributes may be added, with their values set to the DNs of nested child groups. For example:

dn: cn=Group 2, cn=Groups, o=sample
 objectclass: groupOfNames
 objectclass: ibm-nestedGroup
 objectclass: top
 cn: Group 2
 description: Group composed of static, and nested members. 
 member: cn=Person 2.1, cn=Dept 2, cn=Employees, o=sample
 member: cn=Person 2.2, cn=Dept 2, cn=Employees, o=sample
 ibm-memberGroup: cn=Group 8, cn=Nested Static, cn=Groups, o=sample

The introduction of cycles into the nested static group hierarchy is not allowed. If it is determined that a nested static group operation results in a cyclical reference, either directly or through inheritance, it is considered a constraint violation and therefore, the update to the entry fails.

 

Hybrid groups

Any of the structural group object classes mentioned can be extended such that group membership is described by a combination of static, dynamic, and nested member types. For example:

dn: cn=Group 10, cn=Groups, o=sample
 objectclass: groupOfURLs
 objectclass: ibm-nestedGroup
 objectclass: ibm-staticGroup 
 objectclass: top
 cn: Group 10
 description: Group composed of static, dynamic, and nested members.
 memberURL: ldap:///cn=Austin, cn=Employees, o=sample??one?objectClass=person
 ibm-memberGroup: cn=Group 9, cn=Nested Dynamic, cn=Groups, o=sample
 member: cn=Person 10.1, cn=Dept 2, cn=Employees, o=sample 
 member: cn=Person 10.2, cn=Dept 2, cn=Employees, o=sample

 

Determining group membership

Two operational attributes can be used to query aggregate group membership. For a given group entry, the ibm-allMembers operational attribute enumerates the aggregate set of group membership, including static, dynamic, and nested members, as described by the nested group hierarchy. For a given user entry, the ibm-allGroups operational attribute enumerates the aggregate set of groups, including ancestor groups, to which that user has membership.

Note:

The values for the ibm-allMembers and ibm-allGroups operational attributes are determined at runtime. For a large directory, this can mean long operation times.

A requester may receive only a subset of the total data requested, depending on how the ACLs have been set on the data. Anyone can request the ibm-allMembers and ibm-allGroups operational attributes, but the returned data contains only the LDAP entries and attributes to which the requester has access rights. To see static members, the requester must have access to the member or uniqueMember attribute values of the group and of its nested groups; to see dynamic members, the requester must be able to perform the searches specified in the memberURL attribute values. For example:

 

Hierarchy examples

Example of a nested group hierarchy

For this example, m1 and m2 are in the member attribute of g2. The ACL for g2 allows user1 to read the member attribute, but user2 does not have access to the member attribute. The LDIF for the g2 entry is as follows:

dn: cn=g2,cn=groups,o=sample
objectclass: accessGroup
cn: g2
member: cn=m1,cn=users,o=sample
member: cn=m2,cn=users,o=sample
aclentry: access-id:cn=user1,cn=users,o=sample:normal:rsc
aclentry: access-id:cn=user2,cn=users,o=sample:normal:rsc:at.member:deny:rsc

The g4 entry uses the default aclentry, which allows both user1 and user2 to read its member attribute. The LDIF for the g4 entry is as follows:

dn: cn=g4, cn=groups,o=sample
objectclass: accessGroup
cn: g4
member: cn=m5, cn=users,o=sample

The g5 entry is a dynamic group, which gets its two members from the memberURL attribute. The LDIF for the g5 entry is as follows:

dn: cn=g5, cn=groups,o=sample
objectclass: container
objectclass: ibm-dynamicGroup
cn: g5
memberURL: ldap:///cn=users,o=sample??sub?(|(cn=m3)(cn=m4))

The entries m3 and m4 are members of group g5 because they match the memberURL. The ACL for the m3 entry allows both user1 and user2 to search for it. The ACL for the m4 entry does not allow user2 to search for it, because the aclentry for user2 grants no rights. The LDIF for m3 and m4 is as follows:

dn: cn=m3, cn=users,o=sample
objectclass:person
cn: m3
sn: three
aclentry: access-id:cn=user1,cn=users,o=sample:normal:rsc
aclentry: access-id:cn=user2,cn=users,o=sample:normal:rsc

dn: cn=m4, cn=users,o=sample
objectclass:person
cn: m4
sn: four
aclentry: access-id:cn=user1,cn=users,o=sample:normal:rsc
aclentry: access-id:cn=user2,cn=users,o=sample

Example 1:

User 1 does a search to get all the members of group g1. Here g1 is the parent of the nested hierarchy: its ibm-memberGroup values name g2, g4, and g5 (the g1 entry itself is not listed above). User 1 has access to all members, so they are all returned.
idsldapsearch -D cn=user1,cn=users,o=sample -w user1pwd -s base -b cn=g1,cn=groups,o=sample objectclass=* ibm-allmembers


cn=g1,cn=groups,o=sample
ibm-allmembers: CN=M1,CN=USERS,o=sample
ibm-allmembers: CN=M2,CN=USERS,o=sample
ibm-allmembers: CN=M3,CN=USERS,o=sample
ibm-allmembers: CN=M4,CN=USERS,o=sample
ibm-allmembers: CN=M5,CN=USERS,o=sample

Example 2:

User 2 does a search to get all the members of group g1. User 2 does not see members m1 or m2 because user2 has no access to the member attribute of group g2. User 2 has access to the member attribute of g4 and therefore sees member m5. User 2 can perform the search in the g5 memberURL for entry m3, so that member is listed, but cannot perform the search for m4.
idsldapsearch -D cn=user2,cn=users,o=sample -w user2pwd -s base -b cn=g1,cn=groups,o=sample objectclass=* ibm-allmembers


cn=g1,cn=groups,o=sample
ibm-allmembers: CN=M3,CN=USERS,o=sample
ibm-allmembers: CN=M5,CN=USERS,o=sample

Example 3:

User 2 does a search to see if m3 is a member of group g1. User 2 has access to do this search, so the search shows that m3 is a member of group g1.
idsldapsearch -D cn=user2,cn=users,o=sample -w user2pwd -s base -b cn=m3,cn=users,o=sample objectclass=* ibm-allgroups


cn=m3,cn=users,o=sample
ibm-allgroups: CN=G1,CN=GROUPS,o=sample

Example 4:

User 2 does a search to see if m1 is a member of group g1. User 2 does not have access to the member attribute of g2, so the search does not show that m1 is a member of group g1: the result is an empty entry, not an error.
idsldapsearch -D cn=user2,cn=users,o=sample -w user2pwd -s base -b cn=m1,cn=users,o=sample objectclass=* ibm-allgroups


cn=m1,cn=users,o=sample

Example 5:

Depending on the ACLs that apply to a user, evaluating a search for the ibm-allMembers operational attribute of a dynamic group can give different results. This example illustrates how access control affects evaluation of ibm-allMembers for dynamic groups.

Consider the entries for two groups in LDIF defined as follows:

dn: cn=claims,cn=groups,o=sample
objectclass: top
objectclass: groupOfURLs
memberURL: ldap:///cn=users,o=sample??sub?(ibm-group=claims)
cn: claims

dn: cn=departmentNum, cn=groups, o=sample
objectclass: top
objectclass: groupOfURLs
cn: departmentNum
memberURL: ldap:///cn=users,o=sample??one?(|(departmentnumber=2001)(departmentnumber=2002))

Consider the entries for users in LDIF defined as follows:

dn: uid=adavid, cn=users, o=sample
objectclass: top
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ibm-dynamicMember
cn: Al
sn: David
departmentnumber: 2001
ibm-group: claims

dn: uid=jchevy, cn=users, o=sample
objectclass: top
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ibm-dynamicMember
cn: Jerry
sn: Chevy
departmentnumber: 2002
ibm-group: claims

Here, the default access control for cn=anybody applies, which grants read, search, and compare access to attributes in the "normal" access class.

A user with the required administrative authority (here the administrator DN cn=root) runs a search that returns ibm-allMembers for these groups:

idsldapsearch -D cn=root -w ? -b "cn=groups, o=sample" -s one objectclass=* ibm-allMembers

cn=departmentNum,cn=groups,o=sample
ibm-allMembers=uid=adavid,cn=users,o=sample
ibm-allMembers=uid=jchevy,cn=users,o=sample

cn=claims,cn=groups,o=sample
ibm-allMembers=uid=adavid,cn=users,o=sample
ibm-allMembers=uid=jchevy,cn=users,o=sample

For departmentNum, the result lists the entries that satisfy departmentnumber=2001 or departmentnumber=2002; for claims, it lists the entries that satisfy ibm-group=claims.

If the same search is performed anonymously, the search returns:

idsldapsearch -b "cn=groups, o=sample" -s one objectclass=* ibm-allMembers

cn=departmentNum,cn=groups,o=sample
ibm-allMembers=uid=adavid,cn=users,o=sample
ibm-allMembers=uid=jchevy,cn=users,o=sample

cn=claims,cn=groups,o=sample

In this result, the departmentNum group still lists the entries that satisfy departmentnumber=2001 or departmentnumber=2002, but no entries are returned as members of the claims group. This is because the ibm-group attribute has the access class "critical", while the departmentnumber attribute has the access class "normal", and anonymous users do not have search access to attributes in the "critical" access class.

When the server itself evaluates a dynamic group, for example to decide whether a bound user matches a group named in an aclentry, the memberURL search runs internally with the server's own authority, and no access control applies to it. The ibm-allMembers and ibm-allGroups attributes are different: they are computed with the requester's rights, so the listing a client receives can be incomplete, as the examples above show.

This matters if a client application retrieves ibm-allGroups to manage authority within some other application: a user who is a member of a group can appear not to be, or a group can appear to have fewer members than it has. Make sure the application performs these searches using an identity that has read access to the member attributes and search access to the entries involved, and treat an empty or partial result as possibly incomplete rather than as proof of non-membership.
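The following model is an added example, not code from IBM or from the product. It ties together the simplified memberURL syntax, the nested-group cycle rule, and the way ibm-allMembers and ibm-allGroups are filtered by the requester's rights in Examples 1 through 4. The ACL representation (a read_member right and a search right per DN, held by cn=anybody unless an entry lists specific users), the requester names user1 and user2, and the assumption that g1 is the parent nesting g2, g4, and g5 are all constructed for the example; the filter evaluator covers only equality, presence, and the &, |, and ! operators.

```python
# Added example, not IBM's code: in-memory model of memberURL resolution, nested
# groups and ibm-allMembers/ibm-allGroups. The ACL model (a read_member right and
# a search right per DN, held by cn=anybody unless listed) is a constructed stand-in.
ANYBODY = "cn=anybody"

def norm_dn(dn):
    # Case-insensitive DN comparison, ignoring spaces after commas.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_member_url(url):
    # ldap:///<base>?<attrs>?<scope>?<filter>: no host, never ldaps; defaults sub and objectclass=*.
    if not url.startswith("ldap:///"):
        raise ValueError("memberURL must begin with ldap:///")
    parts = [p.strip() for p in url[8:].split("?")] + ["", "", ""]
    base, scope, filt = parts[0], parts[2] or "sub", parts[3] or "objectclass=*"
    if not base or scope not in ("base", "one", "sub"):
        raise ValueError("base DN is required; scope must be base, one or sub")
    return base, scope, filt

def in_scope(dn, base, scope):
    e, b = norm_dn(dn), norm_dn(base)
    if e == b:
        return scope != "one"          # base and sub include the base entry itself
    if not e.endswith("," + b):
        return False
    return scope == "sub" or "," not in e[:-len(b) - 1]   # one: direct children only

def _split(s):
    parts, depth, start = [], 0, 0      # "(a=1)(b=2)" -> ["(a=1)", "(b=2)"]
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    return parts

def match(filt, entry):
    # RFC 4515 subset: equality, presence (attr=*) and the &, |, ! operators.
    f = filt.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    if f[:1] in ("&", "|", "!"):
        results = [match(sub, entry) for sub in _split(f[1:])]
        return not results[0] if f[0] == "!" else {"&": all, "|": any}[f[0]](results)
    attr, _, value = f.partition("=")
    have = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(have) if value.strip() == "*" else value.strip().lower() in have

def allowed(acl, dn, right, who):
    holders = acl.get(norm_dn(dn), {}).get(right, {ANYBODY})
    return ANYBODY in holders or who in holders

def all_members(directory, acl, group_dn, who, seen=None):
    # ibm-allMembers as `who` sees it: member needs read, dynamic hits need search, nesting recurses.
    g, seen = norm_dn(group_dn), set() if seen is None else seen
    if g in seen or g not in directory:
        return set()
    seen.add(g)
    entry, found = directory[g], set()
    if allowed(acl, g, "read_member", who):
        found |= {norm_dn(m) for m in entry.get("member", [])}
    for url in entry.get("memberurl", []):
        if url.startswith("ldap:///"):              # other URL kinds are ignored
            base, scope, filt = parse_member_url(url)
            found |= {dn for dn, e in directory.items() if in_scope(dn, base, scope)
                      and match(filt, e) and allowed(acl, dn, "search", who)}
    for child in entry.get("ibm-membergroup", []):
        found |= all_members(directory, acl, child, who, seen)
    return found

def all_groups(directory, acl, entry_dn, who):
    target, keys = norm_dn(entry_dn), ("member", "memberurl", "ibm-membergroup")
    return {g for g, e in directory.items() if any(k in e for k in keys)
            and target in all_members(directory, acl, g, who)}

def add_member_group(directory, parent_dn, child_dn):
    # Nesting that would create a cycle is a constraint violation; reject it.
    parent, stack = norm_dn(parent_dn), [norm_dn(child_dn)]
    while stack:
        g = stack.pop()
        if g == parent:
            raise ValueError("constraint violation: cyclic nested group")
        stack += [norm_dn(c) for c in directory.get(g, {}).get("ibm-membergroup", [])]
    directory[parent].setdefault("ibm-membergroup", []).append(norm_dn(child_dn))

def sample_directory():
    # Constructed copy of the hierarchy example; g1 (not on the page) is assumed to nest g2, g4, g5.
    u, g = "cn=users,o=sample", "cn=groups,o=sample"
    d = {norm_dn(f"cn=g1,{g}"): {"objectclass": ["accessGroup", "ibm-nestedGroup"]},
         norm_dn(f"cn=g2,{g}"): {"member": [f"cn=m1,{u}", f"cn=m2,{u}"]},
         norm_dn(f"cn=g4,{g}"): {"member": [f"cn=m5,{u}"]},
         norm_dn(f"cn=g5,{g}"): {"memberurl": [f"ldap:///{u}??sub?(|(cn=m3)(cn=m4))"]}}
    d.update({norm_dn(f"cn=m{i},{u}"): {"objectclass": ["person"], "cn": [f"m{i}"]}
              for i in range(1, 6)})
    for child in ("g2", "g4", "g5"):
        add_member_group(d, f"cn=g1,{g}", f"cn={child},{g}")
    return d
# The page's ACLs: user2 can neither read g2's member attribute nor find m4.
ACL = {norm_dn("cn=g2,cn=groups,o=sample"): {"read_member": {"user1"}},
       norm_dn("cn=m4,cn=users,o=sample"): {"search": {"user1"}}}
```

all_members(sample_directory(), ACL, "cn=g1,cn=groups,o=sample", "user2") returns only m3 and m5, matching Example 2, while the same call as user1 returns all five members; all_groups for m1 as user2 is empty, matching Example 4. An application that consumed the user2 view to make authorization decisions would conclude that m1 belongs to no group at all, which is the failure mode the paragraph above warns about.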

 

Group object classes

ibm-dynamicGroup

This auxiliary class allows the optional memberURL attribute. Use it with a structural class such as groupOfNames to create a hybrid group with both static and dynamic members.

ibm-dynamicMember

This auxiliary class allows the optional ibm-group attribute. Use it as a filter attribute for dynamic groups.

ibm-nestedGroup

This auxiliary class allows the optional ibm-memberGroup attribute. Use it with a structural class such as groupOfNames to enable sub-groups to be nested within the parent group.

ibm-staticGroup

This auxiliary class allows the optional member attribute. Use it with a structural class such as groupOfURLs to create a hybrid group with both static and dynamic members.
Note:

ibm-staticGroup is the only class for which member is optional; all other classes that take member require at least one value.

groupOfNames

Defines entries for a group of names. Represents an unordered list of names.

groupOfUniqueNames

Defines entries for a group of unique names.

accessGroup

A group that is used for access control.

groupOfURLs

Represents a group of URLs.

 

Group attribute types

ibm-allGroups

Shows all groups to which an entry belongs. An entry can be a member directly, by the member, uniqueMember, or memberURL attributes, or indirectly, by the ibm-memberGroup attribute. This read-only operational attribute is not allowed in a search filter.

ibm-allMembers

Shows all members of a group. An entry can be a member directly, by the member, uniqueMember, or memberURL attributes, or indirectly, by the ibm-memberGroup attribute. This read-only operational attribute is not allowed in a search filter.

ibm-group

Is an attribute taken by the auxiliary class ibm-dynamicMember. Use it to define arbitrary values to control membership of the entry in dynamic groups. For example, add the value "Bowling Team" to include the entry in any memberURL that has the filter "ibm-group=Bowling Team".

ibm-memberGroup

Is an attribute taken by the auxiliary class ibm-nestedGroup. It identifies sub-groups of a parent group entry. Members of all such sub-groups are considered members of the parent group when processing ACLs or the ibm-allMembers and ibm-allGroups operational attributes. The sub-group entries themselves are not members. Nested membership is recursive.

member

Identifies the distinguished names for each member of the group.

uniquemember

Identifies a group of names associated with an entry where each name was given a uniqueIdentifier to ensure its uniqueness. A value for the uniqueMember attribute is a DN followed by the uniqueIdentifier.

memberURL

Identifies a URL associated with each member of a group. Any type of labeled URL can be stored, but only values beginning with ldap:/// are used to determine membership.

The following tasks use the entries contained in the sample.ldif file that is located in the examples directory of the IBM Tivoli Directory Server.

You are going to create three groups to organize a lunch club. The first group is a static group that lists the people who like to meet for lunch on Monday. The second group, which meets for lunch on Tuesday, is a dynamic group that lists all the members of a department (the Widget division). The advantage of a dynamic group is that changes you make to the subtree, such as adding a new person entry, are reflected in the group automatically. The third group is a nested group that is a container for the other two groups.

 

Creating a static group entry

If you have not done so already, expand the Directory management category in the navigation area.

  1. Click Add an entry.

  2. Select the Groups filter object class from the drop-down menu and click Refresh.

  3. Select one Structural object class from the list box. For this example GroupOfNames.

  4. Click Next.

  5. Select the Groups filter object class from the drop-down menu and click Refresh.

  6. Select any Auxiliary object classes you wish to use from the Available box. For this example ibm-staticGroup and click Add. Repeat this process for each auxiliary object class you want to add. You can also remove an auxiliary object class from the Selected box by selecting it and clicking Remove.

  7. Click Next.

  8. In the Relative DN field, enter the relative distinguished name (RDN) of the entry that you are adding, for example, cn=Monday.

  9. In the Parent DN field, enter the distinguished name of the tree entry you selected, for example, ou=Groups,o=sample. You can also click Browse to select the Parent DN from the list. You can also expand the selection to view other choices lower in the subtree. Specify your choice and click Select to specify the Parent DN that you want. The Parent DN defaults to the entry selected in the tree.
    Note:

    If you started this task from the Manage entries panel, this field is prefilled for you. You selected the Parent DN before clicking Add to start the add entry process.

  10. At the Required attributes tab enter the values for the required attributes. For this example in the cn field type Monday.
    Notes:

    1. If you want to add more than one value for a particular attribute, click Multiple values. Supply the additional value for the attribute and click Add. Repeat this for each additional value. To remove a value, select the value and click Remove. Click OK when you have finished adding the multiple values. The values are added to a drop-down menu displayed below the attribute.

    2. If your server has language tags enabled, you can click Language tag value to add or remove language tag descriptors. See Language tags for more information.

  11. In the member field, add the DN for at least one member. For example cn=Bob Garcia,ou=austin,o=sample.
    Note:

    This member does not have to be a preexisting entry; it can be created later. Because the group confers its rights on whatever entry later exists under that DN, check that each member DN is spelled correctly before you use the group in an ACL.

    1. Click Multiple values.

    2. In the member field, type cn=Ricardo Garcia,ou=austin,o=sample.

    3. Click Add.

    4. Click OK.

  12. Click Optional attributes.

  13. At the Optional attributes tab enter the values as appropriate for the other attributes. For example in the Description field, type Monday lunch group. See Binary data for attributes for information on adding binary values.

  14. Click Finish to create the entry.

See Managing members of group entries to add additional members to this group.

 

Creating a dynamic group entry

For this example, you are creating a dynamic group for the organization ou=Widget Division,ou=Austin,o=sample.

If you have not done so already, expand the Directory management category in the navigation area.

  1. Click Add an entry.

  2. If not already selected, choose the All filter object class from the drop-down menu and click Refresh.

  3. Select one Structural object class from the list box. For this example container.

  4. Click Next.

  5. Select the Groups filter object class from the drop-down menu and click Refresh.

  6. Select any Auxiliary object classes you wish to use from the Available box. For this example ibm-dynamicGroup and click Add. Repeat this process for each auxiliary object class you want to add. You can also remove an auxiliary object class from the Selected box by selecting it and clicking Remove.

  7. Click Next.

  8. In the Relative DN field, enter the relative distinguished name (RDN) of the entry that you are adding, for example, cn=Tuesday.

  9. In the Parent DN field, enter the distinguished name of the tree entry you selected, for example, ou=Groups,o=sample. You can also click Browse to select the Parent DN from the list. You can also expand the selection to view other choices lower in the subtree. Specify your choice and click Select to specify the Parent DN that you want. The Parent DN defaults to the entry selected in the tree.
    Note:

    If you started this task from the Manage entries panel, this field is prefilled for you. You selected the Parent DN before clicking Add to start the add entry process.

  10. At the Required attributes tab enter the values for the required attributes. In this example, in the cn field type Tuesday.
    Notes:

    1. If you want to add more than one value for a particular attribute, click Multiple values. Supply the additional value for the attribute and click Add. Repeat this for each additional value. To remove a value, select the value and click Remove. Click OK when you have finished adding the multiple values. The values are added to a drop-down menu displayed below the attribute.

    2. If your server has language tags enabled, you can click Language tag value to add or remove language tag descriptors. See Language tags for more information.

  11. Click Optional attributes.

  12. At the Optional attributes tab enter the values as appropriate for the other attributes. In this example, for memberURL type the following value (scope sub, default filter objectclass=*): ldap:///ou=Widget Division,ou=Austin,o=sample??sub?

  13. Click Finish to create the entry.

 

Creating a nested group entry

In this task you are creating a nested group that is a container for the other two groups.

If you have not done so already, expand the Directory management category in the navigation area.

  1. Click Add an entry.

  2. If not already selected, choose the All filter object class from the drop-down menu and click Refresh.

  3. Select one Structural object class from the list box. For this example container.

  4. Click Next.

  5. Select the Groups filter object class from the drop-down menu and click Refresh.

  6. Select any Auxiliary object classes you wish to use from the Available box. For this example ibm-nestedGroup and click Add. Repeat this process for each auxiliary object class you want to add. You can also remove an auxiliary object class from the Selected box by selecting it and clicking Remove.

  7. Click Next.

  8. In the Relative DN field, enter the relative distinguished name (RDN) of the entry that you are adding, for example, cn=Lunch bunch.

  9. In the Parent DN field, enter the distinguished name of the tree entry you selected, for example, ou=Groups,o=sample. You can also click Browse to select the Parent DN from the list. You can also expand the selection to view other choices lower in the subtree. Specify your choice and click Select to specify the Parent DN that you want. The Parent DN defaults to the entry selected in the tree.
    Note:

    If you started this task from the Manage entries panel, this field is prefilled for you. You selected the Parent DN before clicking Add to start the add entry process.

  10. At the Required attributes tab enter the values for the required attributes. In this example, in the cn field type Lunch bunch.
    Notes:

    1. If you want to add more than one value for a particular attribute, click Multiple values. Supply the additional value for the attribute and click Add. Repeat this for each additional value. To remove a value, select the value and click Remove. Click OK when you have finished adding the multiple values. The values are added to a drop-down menu displayed below the attribute.

    2. If your server has language tags enabled, you can click Language tag value to add or remove language tag descriptors. See Language tags for more information.

  11. Click Optional attributes.

  12. At the Optional attributes tab enter the values as appropriate for the other attributes. In this example, for ibm-memberGroup type cn=Monday,ou=Groups,o=sample.

    1. Click Multiple values.

    2. In the ibm-memberGroup field, type cn=Tuesday,ou=Groups,o=sample.

    3. Click Add.

    4. Click OK.

  13. Click Finish to create the entry.

 

Verifying the group task

To verify that you created the groups in the previous tasks correctly:

If you have not done so already, expand the Directory management category in the navigation area.

  1. Click Manage entries.

  2. Select o=sample and click Expand.
    Note:

    An expandable entry indicates that the entry has child entries. Expandable entries have a plus '+' sign next to them in the Expand column. You can click the '+' sign next to the entry to view the child entries of the selected entry.

  3. Select ou=Groups and click Expand.

  4. Select cn=Lunch bunch.

  5. Expand the Select Action menu, select Manage Members and click Go.
    Note:

    On the Nested groups tab, cn=Monday,ou=Groups,o=sample and cn=Tuesday,ou=Groups,o=sample are listed.

  6. Click the Effective group members tab.

  7. Specify the maximum number of members to return for a group. If you click Maximum number of members to return, enter a number. Otherwise, click Unlimited.

  8. To populate the table with the members of a group, click Load or select Load from Select Action and click Go.

 

Managing members of group entries

You can add and remove members from group entries.

 

Adding a member to a group entry

  1. From the navigation area, expand the Directory management topic.

  2. Click Manage entries.

  3. Expand the various subtrees and select the group entry that you want to work on. For example, select the group cn=Monday,ou=groups,o=sample that was created in the creating a static group entry task.

  4. From the Select action drop-down menu, select Manage members and click Go.

  5. Specify the maximum number of members to return for a group. If you click Maximum number of members to return, enter a number. Otherwise, click Unlimited.

  6. The Static group members tab is highlighted. Click Load to display the existing members of the group. In this example cn=Bob Garcia,ou=austin,o=sample and cn=Ricardo Garcia,ou=austin,o=sample are displayed in the table.
    Notes:

    1. You can add new members without clicking Load. This is useful when you have large groups.

    2. If you add new members and one of them already exists in the group, the duplicate is ignored when you click Load.

  7. Type the name of entry that you want to add as a member of the group for example cn=Kyle Nguyen,ou=austin,o=sample in the member field or select it using the Browse function (Expand o=sample → Expand ou=Austin → Select cn=Kyle Nguyen,ou=austin,o=sample).

  8. Click Add.

  9. cn=Kyle Nguyen,ou=austin,o=sample is displayed in the table. Click Apply to save the change and continue adding additional members or click Ok to save the changes and return to the manage entries panel. cn=Bob Garcia,ou=austin,o=sample, cn=Ricardo Garcia,ou=austin,o=sample and cn=Kyle Nguyen,ou=austin,o=sample are now members of the Monday group.

  10. If you click on the Effective group members tab and click Refresh, cn=Bob Garcia,ou=austin,o=sample, cn=Ricardo Garcia,ou=austin,o=sample and cn=Kyle Nguyen,ou=austin,o=sample are now displayed as members.

 

Editing a member entry in a group

To edit a member entry in a group:

  1. From the navigation area, expand Directory management .

  2. Click Manage entries.

  3. Expand the various subtrees and select the group entry that you want to work on.

  4. From the Select Action drop-down menu, select Manage Members and click Go.

  5. Select the appropriate group tab for the entry you want to edit. For this, click Static group members.

  6. To populate the table with the members of a group, click Load or select Load from Select Action and click Go.

  7. To edit an existing member's entry details, select the member entry you want to edit from the member or uniqueMember table and do one of the following:

    • Click Edit.

    • Select Edit from the Select Action drop-down menu and click Go.
    Note:

    This displays the Edit attributes panel for the selected member entry. On this panel, you may modify the appropriate fields.

 

Removing a member from a group entry

To remove a member from the group entry:

  1. From the navigation area, expand the Directory management topic.

  2. Click Manage entries.

  3. Expand the various subtrees and select the group entry that you want to work on. For example, select the group cn=Monday,ou=Groups,o=sample that was created in the creating a static group entry task; cn=Lunch bunch,ou=Groups,o=sample has nested members only and no static members to remove.

  4. From the Select Action drop-down menu, select Manage Members and click Go.

  5. Select the appropriate group tab for the entry you want to remove. For this example click Static group members.

  6. Specify the maximum number of members to return for a group. If you click Maximum number of members to return, enter a number. Otherwise, click Unlimited.

  7. To populate the table with the members of a group, click Load or select Load from Select Action and click Go.

  8. Select the entry you want to remove and click Remove. If you want to remove all the members from the group entry, click Remove all.

  9. You are prompted to confirm the removal. Click OK to remove the member.

  10. Click Apply to save the change and continue removing additional members or click Ok to save the changes and return to the manage entries panel.
Note:

We can also delete a static member entry by entering a member DN in the member field and by clicking Delete. The Delete button is displayed only when no members are loaded in the member table.

 

Managing memberships for an entry

We can add and remove static memberships from an entry.

 

Adding a group membership

  1. From the navigation area, expand the Directory management topic.

  2. Click Manage entries.

  3. Expand the various subtrees and select the entry, such as cn=Bob Garcia,ou=austin,o=sample.

  4. From the Select Action drop-down menu, select Manage Memberships and click Go.

  5. On the Effective memberships tab, click Load to display the group memberships for Bob Garcia.
    Note:

    If you have selected a group entry, no effective group memberships can be displayed unless it is a member of another static or dynamic group. No membership is displayed if the group entry is a member of a nested group only.

  6. Select the Static memberships tab.

  7. Select All suffixes or select a suffix to limit the groups that you want to view. For this example select cn=ibmpolicies.

  8. Click Browse groups to show all the static groups for that suffix.

  9. Select globalGroupName=GlobalAdminGroup,cn=ibmpolicies.

  10. Click Select.
    Note:

    Alternatively, you could type globalGroupName=GlobalAdminGroup,cn=ibmpolicies in the Group DN field or click Browse to select it from the directory and click Add.

  11. If you did not click Load to display the memberships for the entry, or if there were no memberships for the entry, the message "You have not loaded entries from the server. Only your changes will be displayed in the table. Do you want to continue?" is displayed. Click OK.

  12. globalGroupName=GlobalAdminGroup,cn=ibmpolicies is displayed in the table. Click Apply to save the change and continue adding additional memberships, or click OK to save the changes and return to the manage entries panel. cn=Bob Garcia,ou=austin,o=sample is now a member of the global administration group.

  13. If you click the Effective group members tab and click Refresh, globalGroupName=GlobalAdminGroup,cn=ibmpolicies is now displayed as a group membership for the entry cn=Bob Garcia,ou=austin,o=sample.

 

Removing a group membership from an entry

  1. From the navigation area, expand the Directory management topic.

  2. Click Manage entries.

  3. Expand the various subtrees and select the entry, such as cn=Bob Garcia,ou=austin,o=sample.

  4. From the Select Action drop-down menu, select Manage Memberships and click Go.

  5. On the Static memberships tab, click Load to display the group memberships for Bob Garcia.

  6. Select the group membership that you want to remove and click Remove. If you want to remove all the memberships from the user entry, click Remove all.

  7. You are prompted to confirm the removal. Click OK to remove the member.

  8. Click Apply to save the change and continue removing additional memberships, or click OK to save the changes and return to the manage entries panel.

 

Editing a memberURL in a dynamic group

To edit a memberURL in a dynamic group:

  1. From the navigation area, expand the Directory management topic.

  2. Click Manage entries.

  3. Expand the various subtrees and select the group entry that you want to work on. For example, select the group cn=lunch bunch,ou=groups,o=sample that was created in the creating a group entry task.
    Note:

    The group entry you select must be a dynamic group.

  4. From the Select Action drop-down menu, select Manage Members and click Go.

  5. In the Dynamic group filter tab, click Edit.

  6. We can edit the Base DN. The base DN is the DN on which the search is performed. We can use the Browse button to locate the desired DN. Clicking Browse takes you to the "Browse entries" panel. Select the desired entry from the table and click Select.

  7. Select the scope for the memberURL. The options include:

    • Object – search only within the selected (base) entry.

    • Single level – search only within the immediate children of the selected (base) entry.
      Note:

      This does not include the base entry.

    • Subtree – search all descendants of the selected entry, including the base entry.

  8. Enter a search filter string. We can click Edit to launch a panel that will help you create a search filter string. This new panel has the following options:

    • Simple

    • Advanced

    • Manual
    For more information, see Search filters.
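The Manage Members and Manage Memberships panels above work with static member lists and dynamic memberURL filters through the GUI. As an added example that is not part of the IBM documentation, the following Python evaluator reproduces the same membership logic offline: it splits a memberURL into base DN, scope (Object = base, Single level = one, Subtree = sub) and filter, applies the scope rules from step 7, and lists the effective static and dynamic memberships of an entry. The sample directory contents, the groupOfURLs objectclass and the simplified filter evaluator (equality, presence and AND only) are constructed assumptions for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample directory (not from the IBM documentation), keyed by DN; attribute names are lower-cased, values are lists.
DIRECTORY = {
    "cn=Bob Garcia,ou=austin,o=sample": {"objectclass": ["person"]},
    "cn=Jane Smith,ou=austin,o=sample": {"objectclass": ["person"]},
    "cn=lunch bunch,ou=groups,o=sample": {"objectclass": ["groupOfURLs"],   # dynamic group
        "memberurl": ["ldap:///ou=austin,o=sample??one?(objectclass=person)"]},
    "globalGroupName=GlobalAdminGroup,cn=ibmpolicies": {                    # static group
        "objectclass": ["ibm-globalAdminGroup"], "member": ["cn=Bob Garcia,ou=austin,o=sample"]},
}

def parse_member_url(url):  # -> (base DN, scope, filter); absent parts take the RFC 4516 defaults
    m = re.fullmatch(r"ldap:///([^?]*)(?:\?[^?]*(?:\?([^?]*)(?:\?(.*))?)?)?", url)
    if not m:
        raise ValueError("unsupported memberURL: " + url)
    return unquote(m.group(1)), (m.group(2) or "base").lower(), unquote(m.group(3) or "(objectclass=*)")

def dn_parts(dn):  # RDNs leaf first, normalised for case and spacing
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(dn, base, scope):
    # Object = base, Single level = one, Subtree = sub (the memberURL scope keywords)
    d, b = dn_parts(dn), dn_parts(base)
    if d[-len(b):] != b:                  # entry does not lie under the base at all
        return False
    depth = len(d) - len(b)               # 0 is the base entry itself
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def matches(entry, filt):
    # (attr=value) and (attr=*) terms, ANDed; OR/NOT filters are outside this example
    assert not filt.startswith(("(|", "(!")), "unsupported filter: " + filt
    for attr, value in re.findall(r"\(([\w-]+)=([^()]*)\)", filt):
        have = [v.lower() for v in entry.get(attr.lower(), [])]
        if not have or (value != "*" and value.lower() not in have):
            return False
    return True

def effective_memberships(dn, directory):
    # every static (member) or dynamic (memberURL) group that dn belongs to directly
    me, groups = ",".join(dn_parts(dn)), []
    for gdn, g in directory.items():
        static = me in [",".join(dn_parts(m)) for m in g.get("member", [])]
        dynamic = any(in_scope(dn, b, s) and matches(directory.get(dn, {}), f)
                      for b, s, f in map(parse_member_url, g.get("memberurl", [])))
        if static or dynamic:
            groups.append(gdn)
    return groups
```

As in the note under step 5 of Adding a group membership, a group entry that is not itself a member of another static or dynamic group gets an empty membership list.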

 

Roles

Role-based authorization is a conceptual complement to group-based authorization, and is useful in some cases. As a member of a role, you have the authority to do what is needed for the role in order to accomplish a job. Unlike a group, a role comes with an implicit set of permissions. There is no built-in assumption about what permissions are gained (or lost) by being a member of a group.

Roles are similar to groups in that they are represented in the directory by an object. Additionally, roles contain a group of DNs. Roles which are to be used in access control must have an objectclass of 'AccessRole'. The 'AccessRole' objectclass is a subclass of the 'GroupOfNames' objectclass.

For example, if there is a collection of DNs such as 'sys admin', your first reaction may be to think of them as the 'sys admin group' (since groups and users are the most familiar types of privilege attributes). However, since there is a set of permissions that you would expect to receive as a member of 'sys admin', the collection of DNs may be more accurately defined as the 'sys admin role'.


