Novell Cool Solutions

Static Group



By:

May 13, 2007 11:18 am

Reads:3,885

Comments:0

Score:Unrated

Print/PDF

License:
Free

Download staticgroup103

Updated 05/13/07 – Version: 1.03

Version 1.03
Fixed: the evaluation of nested & (and) and | (or) was not always correct. This is fixed in this version.

Version 1.02

Added: option for tree change in SG.exe (commandline version)
Fixed: /sq option in sg.exe
Fixed: change tree in Staticgroup.exe
Fixed: Missing error warning on missing ( or ) in filterstring

Ever needed the function of a dynamic group in combination with file rights or zen application objects. The program does “simulates” this by statically updated the memberlist of a group everytime the program is run. The update query is similar to the query of a Dynamic group.

In the setup there is also a commandline dos version available so you can easily schedule the updates of the groups with any schedule program for windows.

Static Group utility.

In contrast with dynamic group is static group (or pseudo dynamic) not a function of eDirectory. Static group is a utility that can update the memberlist of a non-dynamic (workstation)group based on query like the query in a dynamic group. In static group the memberlist is not automatically updated, for updating the windows of commandline version of the program must be run.

This version of the utility is Novell Client based and not LDAP. The query entered is translated to a eDirectory query. The main limitation is that there is no support for extended matching rules.

Why Static group instead of Dynamic group.

Dynamic group is always up to date, but the main difference is that the “group membership” attribute and “security equals ” isn’t updated with dynamic group. This utility will update these attributes, so the group can be used for filesystem access or zen application objects.

The program

For future compatibility with the ldap version of the program, the attribute names in the filter have to be the ldap names. See also mapping options.

After selecting a group (a user or workstation group) (button on the right of the group box) the program reads the member attribute and the attribute used for the ldap query information (default the attribute L, but that can be changed).

On the browser window for the group, it is possible to add an new group by selecting the green Add button.

After entering/updating the ldap query, it is possible to execute the query. Depending on the settings “add Excludes” and “add Includes” and the options “add/sync” the program shows the result in the member window. If everything is ok, then the result can be saved by selecting the Update Group button.

Exclude users

The program can apply an exclude list to prevent the adding of certain users (or workstations).

On selecting the option “add exclude” and the program shows the exclude tab. On that tab it is possible to add and remove the exclude members. The program stores the exclusion list in the attribute “See Also”. If this is a problem please change the attribute name in the section [SYSTEM] of the staticgroup.ini file.

Include users

The program can apply an include list to always add of certain users (or workstations).

On selecting the option “add include” and the program shows the include tab. On that tab it is possible to add and remove the include members. The program stores the exclusion list in the attribute “Owner”. If this is a problem please change the attribute name in the section [SYSTEM] of the staticgroup.ini file.

Options add/sync

Add: the result of the query is added to the already existing members of the group. All new members will be green. Unchanged members are black.

Sync: the result of the query will replace the current memberlist of the group. The program will show the members that will be deleted (red and strikethrough) and the new members (green). The unchanged members are black.

Include members are shown blue, and exclude members are shown blue and strikethrough.

Query attribute.

On the settings page it is possible to select an attribute for the storage of the “ldap query” string. The commandline version of the program (sg.exe) will read this attribute and uses it for updating the groups without asking.

Limitations

  • The program only supports simple attribute names.
  • No support for: extensible items
  • No support for binary attributes
  • Only string and “integer” attributes are supported. (includes distinguished names and counter )
  • No check for valid combinations of attribute and filtertype.
  • There is a problem in the filter-parser if you forget a “(” or “)”!!!!!

The program supports:

& and, | or, ! not, present (=*) , =, <=, >= , ~=

Warning:

Use the attribute names mst be LDAP names, not eDirectory names. E.g. use “givenname” and not “Given Name”.

Make sure to put the correct object (types) into the query. So for user groups use (objectclass=User) and for workstation groups use (objectclass=workstations).

Commandline version

There is also an commandline version of staticgroup (sg.exe). The install will update the path system variable, so the program can be used from any location on the workstation.

There are two commandline methods:

  1. sg groupname [options] (this must be the full name of the group)
    e.g. SG “Users applications.Applications.APP_W2000.ZEN.WB” do not add an leading dot.
  2. sg @filename [options]
    The text-file must contain a groupname on every line. Empty lines not permitted.

There are a few commandline options:

  • /v

    Verbose. The program writes all the updates it does to the group on the screen.
  • /sq

    Show query. This will show the executed query on the screen
  • /t

    This will turn on the verbose mode and will simulate the query update, no information will be changed.

The commandline version can be scheduled, so the groups will be updated regulary.

Mappings

The program uses the following method for mapping the ldap attribute names to the ndap attribute names:

At startup the program read the schema attributes from the eDirectory. The is “translate all the attribute names by removing all space, and columns (:) and force everything to be lowercase. Then it will read the file mappings.dat (in the program directoy) and add these at the top of the list, so the program will first search this list before it searches the “translated” attribute names. In the mappings.dat file (just a text file) the left column is the ldap name and the right column (after the =) is the eDirectory name.

This list can be updated or edited if needed (please use a text-editor like notepad or so).

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Loading...Loading...

Tags:
Categories: Uncategorized

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

Comment

RSS