Dynamic Groups

A dynamic group uses an LDAP search filter to populate its 'member' attribute. A traditional (static) group requires the 'member' attribute to be maintained by hand; a dynamic group can instead use an LDAP URL to, for example, make every user whose Title attribute is "IS" a member. The membership of a Dynamic Group object is therefore determined by its Filter, and explicit members can be added in addition to the ones the filter selects.

You can use the Dynamic Group Management role in Novell iManager to create and modify Dynamic Group objects. Dynamic Groups are supported with eDirectory 8.6 and above.

To make a dynamic group work properly after creation:

  1. Set up SSL for LDAP connections.

    For more information, see "Configuring and Using SSL for LDAP Connections" in the iManager 1.5.1 Administration Guide.

    Alternately, if you want to use clear text passwords for LDAP communication: Run iManager, click the Roles and Tasks button > LDAP Management > LDAP Overview > View LDAP Group Objects > click on an LDAP Group object > click Information. Uncheck "Require TLS for Simple Binds with Password". Do this for each LDAP Group object in the tree. Be aware that with this setting unchecked, any client that performs a simple bind without TLS (including the server authenticating as the dynamic group's Identity object) sends its password over the network unencrypted, so this is only appropriate for test environments.

  2. In Novell iManager, click the Roles and Tasks button.

  3. Click Dynamic Group Management > Modify Dynamic Group.

  4. Specify the name and context of the Dynamic Group object you want to modify.

  5. Enter the appropriate information on the Modify Dynamic Group page.

    There are default values for the Identity object, Base dn, and Filter fields:

    Identity object = [Public]
    Base dn = [root]
    Filter = (objectClass=*)

    If these fields are left empty, the default values are used automatically, even though no default value is displayed for Base dn or Filter. Leaving everything set to the defaults adds every object in your tree as a member of this dynamic group. You can verify this by selecting the Unique member list, which shows the current members of the dynamic group based on the filter that is set, together with any members that were explicitly added.

  6. Set the Base dn to the search base. The search base is the point at which you want to begin searching for dynamic group members based on the Filter you have entered.

  7. Set the Identity object or accept the default.

    NOTE:  [Public] may not have sufficient rights to read and compare attributes. For example, if you set the Filter to (&(title=manager)), the [Public] identity might not be able to read or compare the title attribute (or many other attributes), so the objects you expect never match and the group silently ends up with fewer members than intended. To perform the search, the server has to use a specific identity so that the results are always consistent. The Identity object should have a password set so that the server can authenticate as the Identity object, and it must have sufficient rights at the Base dn level and below to determine dynamic group membership. Grant it only the read and compare rights the filter actually needs, since membership is computed from whatever that identity can see.

  8. Specify a filter with the Advanced Selector or by typing one in.
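The steps above come together in the following added example, which is my own illustration and not Novell's or iManager's code. It models in Python how the server turns the Base dn, search scope and Filter of a dynamic group's LDAP URL (the RFC 4516 form ldap:///<base dn>?<attributes>?<scope>?<filter>) into a member list, and why the choice of Identity object matters. The directory entries, the rights model (which attributes [Public] and a hypothetical identity cn=dgidentity,o=acme may read or compare) and all DNs are constructed for the example; the tri-state filter semantics, where an attribute the identity cannot read evaluates as Undefined, follow RFC 4511 and go slightly beyond what the NOTE states.

```python
"""Offline model of how an eDirectory dynamic group derives its members.

Added example, not Novell's code.  Parses a member-query LDAP URL (RFC 4516),
applies the filter to a constructed directory, and models the Identity-object
rights problem: an attribute the identity cannot read or compare evaluates as
Undefined (RFC 4511 section 4.5.1.7), so the entry never becomes a member.
"""
from urllib.parse import unquote

# Constructed sample tree (dn -> attributes); not real data.
DIRECTORY = {
    "o=acme": {"objectClass": ["organization"]},
    "ou=users,o=acme": {"objectClass": ["organizationalUnit"]},
    "cn=alice,ou=users,o=acme": {"objectClass": ["inetOrgPerson"], "title": ["IS"]},
    "cn=bob,ou=users,o=acme": {"objectClass": ["inetOrgPerson"], "title": ["manager"]},
    "cn=carol,ou=users,o=acme": {"objectClass": ["inetOrgPerson"], "title": ["IS"]},
    "cn=dave,ou=contractors,o=acme": {"objectClass": ["inetOrgPerson"], "title": ["IS"]},
}

# Hypothetical rights model: lower-cased attribute names each identity may read
# or compare.  [Public] sees objectClass only; the dedicated identity also sees title.
READABLE = {
    "[Public]": {"objectclass"},
    "cn=dgidentity,o=acme": {"objectclass", "title"},
}

def parse_ldap_url(url):
    """Return (base dn, scope, filter) from an LDAP URL, applying RFC 4516 defaults."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    _host, _, tail = url[len("ldap://"):].partition("/")
    base, _attrs, scope, filt = (unquote(p) for p in (tail.split("?") + [""] * 4)[:4])
    return base, (scope or "base").lower(), (filt or "(objectClass=*)")

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":                     # compound: (&...) (|...) (!...)
            op, pos = text[pos], pos + 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        else:                                      # simple attr=value, or attr=* presence
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            result, pos = ("=", attr.strip(), value), end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def evaluate(tree, attrs, readable):
    """Tri-state evaluation: True, False, or None for Undefined (RFC 4511)."""
    op = tree[0]
    if op in ("&", "|"):
        results = [evaluate(kid, attrs, readable) for kid in tree[1]]
        if op == "&":
            return False if False in results else (None if None in results else True)
        return True if True in results else (None if None in results else False)
    if op == "!":
        inner = evaluate(tree[1][0], attrs, readable)
        return None if inner is None else not inner
    _, attr, value = tree
    if attr.lower() not in readable:
        return None                                # not readable by this identity: Undefined
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    if value == "*":
        return bool(values)                        # presence filter
    return any(v.lower() == value.lower() for v in values)

def in_scope(dn, base, scope):
    """Is dn within the search base for scope 'base', 'one' or 'sub'?"""
    dn, base = dn.lower().replace(" ", ""), base.lower().replace(" ", "")  # crude DN normalisation
    base = "" if base == "[root]" else base        # iManager shows [root] for an empty base
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    if scope == "sub":
        return not base or dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope %r" % scope)

def members(url, identity, directory=DIRECTORY, rights=READABLE):
    """Sorted DNs the dynamic group would list for this query URL and search identity."""
    base, scope, filt = parse_ldap_url(url)
    tree = parse_filter(filt)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and evaluate(tree, attrs, rights[identity]) is True)
```

Run members("ldap:///ou=users,o=acme??sub?(title=IS)", ...) once for each identity in READABLE: bound as cn=dgidentity,o=acme the group lists alice and carol (dave sits outside the Base dn), while with the default [Public] identity the same query yields no members at all, which is exactly the silent failure the NOTE warns about. Against a live eDirectory the equivalent check is an ldapsearch bound as the Identity object over TLS with the same base, scope and filter, compared with the group's Unique member list in iManager.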

For an overview of using dynamic groups with eDirectory, see the April 2002 edition of Novell AppNotes®.