Novell Home

My Favorites

Close

Please to see your favorites.

Upgrading Existing Groups to Dynamic Groups in eDirectory 8.6.1

(Last modified: 20Oct2002)

This document (10067519) is provided subject to the disclaimer at the end of this document.

goal

Upgrading Existing Groups to Dynamic Groups in eDirectory 8.6.1

fact

Novell eDirectory 8.6

Novell eDirectory 8.6 for Solaris

Novell eDirectory 8.6 for Linux

Novell eDirectory 8.6 for Windows NT/2000

Dynamic Groups

fix

OVERVIEW
Regular eDirectory groups, or static groups, can be upgraded to support dynamic group functionality. This is done by adding the dynamicGroupAux objectclass to the static group. The accompanying dynamic group attributes must also added to the static group. As with normal dynamic groups, the dynamic group attributes and ACLs need to be managed with LDAP.

Currently there are no ConsoleOne snap-ins for dynamic groups. You can view the upgraded dynamic group membership list in ConsoleOne, but must create or update the dynamic members with LDAP. Static members can be managed with ConsoleOne. The general steps to upgrade a normal group to a dynamic group are:
1. Add the dynamicGroupAux objectclass and dynamic group attributes to the existing group.
2. Assign a special ACL attribute with LDAP to the resource being managed.
3. Update the trustee rights in ConsoleOne for the converted dynamic group.

The example below is going to convert an existing group called cn=Sales Support.ou=istaff.o=novell into a dynamic group. This group will consist of the original static members and all users in the ou=istaff.o=novell container that have "Sales Support" in their title attribute field. The upgraded group will perform the LDAP queries as the admin user, and will have access to the ou=sales.o=novell container.

UPGRADING THE GROUP
1. Create an LDIF file to upgrade the Sales Support group to a dynamic group. upgradegrp.ldif follows:

    version: 1
    dn: cn=Sales Support,ou=istaff,o=novell
    changetype: modify
    add: objectclass
    objectclass: dynamicGroupAux
    memberQueryURL: ldap:///ou=istaff,o=novell??sub?(title=Sales Support)
    dgIdentity: cn=admin,o=novell

NOTE: dgIdentity is the DN used to make the LDAP queries. This DN must reside on the same server as the dynamic group.

2. Use LDAP to add the contents of the LDIF file. For example,

    ldapmodify -D "cn=admin,o=novell" -w password -f upgradegrp.ldif
    -OR-
    ice -S LDIF -f upgradegrp.ldif -m -D LDAP -s localhost -d cn=admin,o=novell -w password

ASSIGNING ACLS - Group Trustee Assignment Does NOT Exist
Once the group is upgraded, you need to add the dynamic ACL to the resource(s) the dynamic group is going to manage. In this example, Sales Support will have rights to ou=sales.o=novell.

1. Create an LDIF file to add the required ACL to the ou=sales.o=novell container. addacl.ldif follows:

    version: 1
    dn: ou=sales,o=novell
    changetype: modify
    add: acl
    acl: 536870912#entry#cn=Sales Support,ou=istaff,o=novell#[Entry Rights]
    acl: 536870912#entry#cn=Sales Support,ou=istaff,o=novell#[All Attributes Rights]

NOTE: This ACL eliminates the need to set EquivalentToMe or securityEquals attributes.

2. Use LDAP to add the contents of the LDIF file. For example,

    ldapmodify -D "cn=admin,o=novell" -w password -f addacl.ldif
    -OR-
    ice -S LDIF -f addacl.ldif -m -D LDAP -s localhost -d cn=admin,o=novell -w password

3. Use ConsoleOne to give specific trustee assignments to cn=Sales Support.ou=istaff.o=novell for the ou=sales.o=novell resource. To do this:
    a. Right click on ou=sales.o=novell
    b. Select "Trustees of this Object..."
    c. Highlight Sales Support.istaff.novell
    d. Select the "Assigned Rights" button to assign the desired rights, properties and inheritance.

ASSIGNING ACLS - Group Trustee Assignment Already Exists
If the upgraded group is already a trustee of the resource(s) being managed, then you need to add the dynamic ACL to the trustee assignment. The general tasks are:
1. Export the group's existing ACL.
2. Add the dynamic ACL to the existing ACL to get the combined replacement ACL
3. Create and import the LDIF file that will update the existing trustee's ACL.
____________________________________________________

1. Export the group's existing ACL.
The following commands will export the ACL list. If you don't see the ACL, make sure you are authenticating with a user that has sufficient rights to read the ACLs. For example,

    ldapsearch -D "cn=admin,o=novell" -w password -b "ou=sales,o=novell" objectclass=*
    -OR-
    ice -v -S LDAP -d "cn=admin,o=novell" -w novell -c base -b "ou=users,ou=prv,o=novell" -F "objectclass=*" -D LDIF -f acl.ldif

These commands should show something like the following:

    version: 1
    dn: ou=sales,o=novell
    ou: users
    objectClass: organizationalUnit
    objectClass: ndsLoginProperties
    objectClass: ndsContainerLoginProperties
    objectClass: top
    ACL: 2#entry#ou=sales,o=novell#loginScript
    ACL: 2#entry#ou=sales,o=novell#printJobConfiguration
    ACL: 11#subtree#cn=changedynamic,ou=nts_wss,ou=prv,o=novell#[Entry Rights]
    ACL: 3#subtree#cn=changedynamic,ou=nts_wss,ou=prv,o=novell#[All Attributes Rights]

The "ACL" lines are the trustee assignments. Only the ACLs associated with the upgraded group will be affected.

2. Add the dynamic ACL to the existing ACL to get the combined replacement ACL.
The dynamic ACL is a bit that needs to be set by LDAP. The decimal equivalent value is 536870912. Use the ACL values given in the LDAP export of the object that had the existing group trustee assignment. For example,

    ACL: 11#subtree#cn=changedynamic,ou=nts_wss,ou=prv,o=novell#[Entry Rights]
    536870912 + 11 = 536870923

    ACL: 3#subtree#cn=changedynamic,ou=nts_wss,ou=prv,o=novell#[All Attributes Rights]
    536870912 + 3 = 536870915

3. Create and import the LDIF file that will update the existing trustee's ACL.
** WARNING***************************************
Make sure the ACL number is correct. Serious
problems can occur if you make typographical
errors with the ACL number.
******************************************************
Create an LDIF file to replace the required ACLs to the ou=sales.o=novell container. The version number will be one or two. It doesn't matter in this case which you use to update the ACLs. repacl.ldif follows:

    version: 1
    dn: ou=sales,o=novell
    changetype: modify
    replace: acl
    acl: 2#entry#ou=sales,o=novell#loginScript
    acl: 2#entry#ou=sales,o=novell#printJobConfiguration
    acl: 536870923#subtree#cn=Sales Support,ou=istaff,o=novell#[Entry Rights]
    acl: 536870915#subtree#cn=Sales Support,ou=istaff,o=novell#[All Attributes Rights]

4. Use LDAP to add the contents of the LDIF file. For example,

    ldapmodify -D "cn=admin,o=novell" -w password -f repacl.ldif
    -OR-
    ice -S LDIF -f repacl.ldif -m -D LDAP -s localhost -d cn=admin,o=novell -w password

NOTE: No additional modifications are needed in ConsoleOne.

See also TID10067369 - Creating Dynamic Groups in eDirectory 8.6.1

KNOWN LIMITATIONS
1. Dynamic Group functionality does not exist on servers running eDirectory prior to Novell eDirectory 8.6.1.
2. File ACLs are currently not supported.
3. Some legacy applications that depend on the 'memberOf' attribute will not work.
4. You must use LDAP to manage the groups.
5. Referential integrity is not supported for distinguished names embedded in the memberQueryURL.
6. Only the first memberQueryURL attribute value is evaluated.

For additional information on eDirectory 8.6, please see the following solution.   TID #10066455 - eDirectory 8.6 Readme Addendum

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID:
  • 10067519
  • Solution ID: NOVL68778
  • Creation Date: 14Jan2002
  • Modified Date: 20Oct2002
    • NovellConnectivity Products

Did this document solve your problem? Provide Feedback