
Group Management Eating Your Day? Try Dynamic Groups

Novell Cool Solutions: Feature


Posted: 29 Jan 2002
 

eDirectory's Dynamic Groups, like Static Groups, allow you to set up groups like "Sales" or "Asia Pacific" that give members of those groups specific rights to the network services they need. But that's where the similarity stops.

Dynamic Groups manage themselves. With Static Groups, a user who transfers from Sales to Marketing has to be removed from the static group "Sales" and added to the static group "Marketing". With Dynamic Groups, however, an attribute in the User object is modified to reflect the transfer, and the Dynamic Groups "Sales" and "Marketing" dynamically modify their membership lists to reflect the change in the User object. (Cool, huh?)

Here's an overview of what Dynamic Groups are and what they can do for you. If you like what you see, we've provided links to related documentation and Technical Information Documents at the bottom of this page.

Group
You can create Group objects to help you manage sets of User objects.

What a Group Object Represents
A Group object represents a set of User objects.

Usage
While container objects let you manage all User objects in that container, Group objects are for subsets within a container or in multiple containers.

Group objects have two main purposes:

  • They allow you to grant rights to a number of User objects at once.
  • They allow you to specify login script commands using the IF MEMBER OF syntax.

Static Groups
Static groups identify the member objects explicitly. Each member is assigned to the group explicitly.

Dynamic Groups
Dynamic groups use an LDAP URL to define a set of rules, which when matched by eDirectory User objects, define the members of the group. Dynamic group members share a common set of attributes as defined by the filter specified in the URL.

Dynamic groups let you specify the criteria to be used for evaluating membership in a group. The actual members of the group are evaluated dynamically by eDirectory, which lets you define the group members in terms of a logical grouping, and lets eDirectory automatically add and remove group members. This solution is more scalable and reduces administrative costs, and can supplement normal groups in LDAP to provide increased flexibility.

eDirectory 8.6 lets you create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups which contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute Department=Marketing. If you apply a search filter for Department=Marketing, the search returns a group including all DNs containing the attribute Department=Marketing. You can then define a dynamic group from the search results based on this filter. Any User added to the directory who matches the Department=Marketing criteria is automatically added to the group. Any User whose Department is changed to another value (or who is removed from the directory) is automatically removed from the group.

Dynamic groups are created in eDirectory by creating an object of type objectclass="dynamicGroup". A static group object can be converted into a dynamic group by associating an auxiliary class, dynamicGroupAux, to the group object. The dynamic group has the memberQueryURL attribute associated with it.

A "dgIdentity" attribute can be set on the dynamic group object to the distinguished name of an entry whose credentials and rights should be used to expand the dynamic members of the group.

The groups are managed using the memberQueryURL. A typical memberQueryURL has a base DN, a scope, a filter, and an optional extension. The base DN specifies the search base, the scope specifies the levels below the base to search, and the filter is the search filter used to select entries from within the specified scope.
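As an added example (not code from Novell or the original article), the following Python splits a memberQueryURL into the parts named above and lists the attributes its filter tests, which are the attributes whose write access decides group membership. It assumes the standard LDAP URL field order (RFC 2255) with the attribute list left empty and DNs without escaped commas; the URL, DNs and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

def parse_member_query_url(url):
    """Split a memberQueryURL into base DN, scope, filter and extension."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    _host, slash, tail = rest.partition("/")
    if not slash:
        raise ValueError(f"no base DN in {url!r}")
    # Standard LDAP URL field order: dn ? attributes ? scope ? filter ? extensions
    fields = (tail.split("?", 4) + [""] * 4)[:5]
    base_dn, _attrs, scope, flt, ext = (unquote(f) for f in fields)
    scope = scope.lower() or "base"  # RFC 2255 default when the field is empty
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return {"base_dn": base_dn, "scope": scope,
            "filter": flt or "(objectClass=*)", "extension": ext or None}

def filter_attributes(ldap_filter):
    """Attributes the filter tests; whoever can write them controls membership."""
    names = re.findall(r"\(\s*([A-Za-z][\w;.-]*)\s*[~<>]?=", ldap_filter)
    return sorted({n.lower() for n in names})

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn falls inside the search scope below base_dn."""
    entry = [p.strip().lower() for p in entry_dn.split(",")]
    base = [p.strip().lower() for p in base_dn.split(",")] if base_dn else []
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # levels between the entry and the base
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    q = parse_member_query_url("ldap:///o=example??sub?(department=Marketing)")
    print(q)
    print("membership depends on:", filter_attributes(q["filter"]))
    for dn in ("cn=amy,ou=emea,o=example", "cn=eve,o=other"):
        print(dn, "searched:", in_scope(dn, q["base_dn"], q["scope"]))
```

When reviewing a dynamic group, compare the attributes reported by `filter_attributes` against the directory's rights assignments: a user who can change one of those attributes on their own object can place themselves in the group.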

NOTE: To address exceptions to the listing created by the memberQueryURL, dynamic groups also allow for explicit inclusion and exclusion of users.

In eDirectory 8.6, Dynamic Groups cannot be managed through ConsoleOne. Use LDAP commands to manage such groups. The most useful properties associated with Dynamic Groups are dgIdentity and memberQueryURL.

Documentation:
http://www.novell.com/documentation/lg/ndsedir86/taoenu/data/fbabihje.html

TID - Creating Dynamic Groups in eDirectory 8.6.1:
http://support.novell.com/cgi-bin/search/tidfinder.cgi?10067369

TID - Upgrading Existing Groups to Dynamic Groups in eDirectory 8.6.1:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10067519.htm


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com
