9.2 Creating Dynamic Groups
Groups based on LDAP queries are dynamic because they can be configured to have their membership updated when the information in the LDAP directory changes.
Creating groups based on LDAP queries is a quick way to create Filr groups that consist of users who match specific criteria. You can create dynamic groups as described in the following sections:
9.2.1 Creating Dynamic Groups within LDAP
Depending on the LDAP directory that you are using, you might be able to create dynamic groups within your LDAP directory. For example, you can create dynamic group objects in eDirectory with NetIQ iManager (for more information, see the iManager Documentation).
Dynamic groups created within LDAP are stored in your LDAP directory and can then be synchronized to Filr, as described in Section 18.1, Synchronizing Users and Groups from an LDAP Directory.
9.2.2 Creating Dynamic Groups within Filr
You can create dynamic groups in Filr by querying the LDAP directory.
Prerequisites
-
Users must already have existing Filr user accounts in order for them to be added to a Filr group as described in this section. If your LDAP query includes users who are not already Filr users, the users are not added to the Filr group
-
When you configure your LDAP connection, you must specify the name of the LDAP attribute that uniquely identifies the user (the value of this attribute never changes). For eDirectory, this value is GUID. For Active Directory, this value is objectGUID. For more information about this attribute, see GUID attribute:.
The Filr process that creates a dynamic group uses the LDAP configuration settings in Filr to authenticate to the LDAP directory server. The credentials that are used are the LDAP server URL, user DN, and password. For more information on how to configure these and other LDAP configuration settings in Filr, see Section 18.1, Synchronizing Users and Groups from an LDAP Directory.
Advantages
Advantages to creating dynamic groups within Filr rather than within your LDAP directory include the following:
-
Allows the Filr administrator to control group membership without having direct access to the group object in the LDAP user store.
-
Your LDAP directory might not support dynamic groups.
-
You do not want dynamic groups to sync to applications other than Filr that are leveraging your LDAP directory.
Considerations with Multiple LDAP Sources
Consider the following if your Filr site is configured with multiple LDAP sources:
-
You should not create dynamic groups in Filr if the base DN that you define for the dynamic group does not exist in each LDAP source. This is because the membership of the dynamic group might not be updated correctly.
-
If your Filr site is configured with multiple LDAP sources and the base DN that you define for the dynamic group exists in each LDAP source, the membership of the dynamic group contains users from each LDAP source that match the dynamic group’s filter.
Creating the Group
To create the dynamic group within Filr:
-
Log in to the Filr site as the Filr administrator.
-
Launch a web browser.
-
Specify one of the following URLs, depending on whether you are using a secure SSL connection:
http://filr_hostname:8080 https://filr_hostname:8443
Replace filr_hostname with the hostname or fully qualified domain name of the Filr server that you have set up in DNS.
Depending on how you have configured your Filr system, you might not be required to enter the port number in the URL. If you are using NetIQ Access Manager, the Filr login screen is not used.
-
-
Click the link in the upper-right corner of the page, then click the icon
.
-
Under , click , then click .
-
Fill in the following fields:
Name: Specify the unique name under which the group is stored in the Filr database. You can use only alphanumeric characters (a-z, A-Z, 0-9), hyphens (-), and underscores (_).
This is the name that appears to users in Filr.
You can modify the name completion settings (the group name that is displayed when users are specifying the group, such as in the Share dialog) to use the Title instead of the Name.
For more information about modifying the name completion settings, see Section 19.4, Managing How Group Names Are Displayed during Name Completion.
Title: Enter a descriptive group title. This string can include any characters that you can type.
You can modify the name completion settings (the group name that is displayed when users are specifying the group, such as in the Share dialog) to use the Title instead of the Name.
For more information about modifying the name completion settings, see Section 19.4, Managing How Group Names Are Displayed during Name Completion.
Description: Describe what the members of this group have in common.
-
Select .
This means that group membership is based on an LDAP query that you will define in this procedure.
-
Click .
-
Specify the following options:
Base DN: Specify the base DN where you want to start your search.
If you have multiple LDAP sources, see Considerations with Multiple LDAP Sources before proceeding.
HINT:You can use the icon
next to the field to browse the LDAP directory for the base DN that you want to use.
LDAP Filter: Specify the filter criteria.
For example, to search for all users located in Utah, specify (st=Utah).
Search subtree: Select this option if you want to also search for matches in subtrees of the base dn you are currently searching.
Update group membership during scheduled ldap synchronization: Select this option to update the membership of this group during each scheduled LDAP synchronization. Group membership is updated based on changes that might have occurred in the LDAP directory.
For information on how to set the LDAP synchronization schedule, see Configuring the Synchronization Schedule.
-
(Optional) Click to test the results of your LDAP query.
This process can take several minutes, depending on the size of your LDAP directory.
-
Click > to create the group.