Cool Solutions

GroupMember & GroupMembership Association with eDirectory Nested Groups using iManager



January 23, 2008 12:25 pm

Problem

You need to associate nested group members, check them, and find out which groups those members are associated with, using iManager.

Pre-requisites

Create a nested Group in eDirectory 8.8.2, using iManager 2.6.x or 2.7. The static group needs to be converted to a nested group, using the object class nestedGroupAux to allow for the groupMembership value.

Solution 1

To associate and check the member (groupMember) of a nested group, follow the steps below.

1. Log in to iManager 2.7 with Administrator credentials.

2. Select Directory Administration > Modify object.

3. Specify the nested group object name as “NG”.

4. Click OK.

Figure 1 – Modifying the nested group object “NG”

5. Go to the Other tab.

6. Click on “groupMember” in the Unvalued Attributes dropdown list. Using the Add option, provide the group member information in the Add Attribute window (in this example it is “SG1”).

7. Click OK.

Figure 2 – Associating the nested group SG1 to nested group NG, using groupMember

8. Apply these changes.

Figure 3 – Saving the changes

9. To verify that the member was associated, perform an ldapsearch for the nested group object “NG”. For example:

ST-FC-CLI-174:~ # ldapsearch -D cn=admin,o=novell -w novell -p 390 cn=ng
version: 1

#
# filter: cn=ng
# requesting: ALL
#

# NG,novell
dn: cn=NG,o=novell
groupMember: cn=SG1,o=novell
equivalentToMe: cn=NG,o=novell
owner: cn=admin,o=novell
objectClass: groupOfNames
objectClass: Top
objectClass: nestedGroupAux
member: cn=NG,o=novell
cn: NG
ACL: 2#entry#[Root]#member

# search result
# search: 2
# result: 0 Success

# numResponses: 2
# numEntries: 1

Solution 2

To determine which nested group a member is associated with (groupMembership), follow the steps below.

1. Log in to iManager 2.7 with Administrator credentials.

2. Select Directory Administration > Modify object, select the object name “SG1” (SG1 is a static group converted to a nested group), and click OK.

Figure 4 – Modifying the nested group object “SG1”

3. Go to the “Other” tab, click on “Group Membership” in the Unvalued Attributes list, and use the “<-” Add option to provide the group membership information, which is “NG”, in the Add Attribute window. Click OK.

Figure 5 – Associating the GroupMembership “NG” to SG1

4. Apply these changes.

Figure 6 – Showing the option to click on Apply in order to save the changes

5. To verify, perform an ldapsearch:

ST-FC-CLI-174:~ # ldapsearch -D cn=admin,o=novell -w novell -p 390 cn=SG1
version: 1

#
# filter: cn=SG1
# requesting: ALL
#

# SG1,novell
dn: cn=SG1,o=novell
owner: cn=admin,o=novell
objectClass: groupOfNames
objectClass: Top
objectClass: nestedGroupAux
groupMembership: cn=NG,o=novell
cn: SG1
ACL: 2#entry#[Root]#member

# search result
# search: 2
# result: 0 Success

# numResponses: 2
# numEntries: 1

Conclusion

SG1 is now nested in NG: NG has the group member SG1, and SG1 shows its association to NG through the groupMembership attribute. In this way we can associate and verify the members of a given nested group, as well as the groups to which those members belong.
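
The two ldapsearch checks above can be combined into a single consistency audit. The Python below is an added example, not part of the original article or of any Novell tool: the function names are hypothetical, DNs are matched by simple lower-casing, and it goes beyond the two-group case by also reporting groups that reach themselves through groupMember.

```python
# Added example: audit nested-group links in ldapsearch LDIF output.
# Assumes unfolded, non-base64 LDIF; SAMPLE_LDIF is constructed from this page's output.
SAMPLE_LDIF = """\
dn: cn=NG,o=novell
groupMember: cn=SG1,o=novell
objectClass: nestedGroupAux

dn: cn=SG1,o=novell
objectClass: nestedGroupAux
groupMembership: cn=NG,o=novell
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}, everything lower-cased for DN matching."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line ends the entry
        elif not line.startswith("#"):
            attr, _, value = (part.strip().lower() for part in line.partition(":"))
            if attr == "dn":
                current = entries.setdefault(value, {})
            elif current is not None:
                current.setdefault(attr, []).append(value)
    return entries

def missing_backlinks(entries):
    """List (parent, child) pairs where only one side of the link is set."""
    found = set()
    for dn, attrs in entries.items():
        for child in attrs.get("groupmember", []):
            if dn not in entries.get(child, {}).get("groupmembership", []):
                found.add((dn, child))
        for parent in attrs.get("groupmembership", []):
            if dn not in entries.get(parent, {}).get("groupmember", []):
                found.add((parent, dn))
    return sorted(found)

def nesting_cycles(entries):
    """List groups that reach themselves by following groupMember values."""
    def reachable(start):
        seen, stack = set(), [start]
        while stack:
            for child in entries.get(stack.pop(), {}).get("groupmember", []):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen
    return sorted(dn for dn in entries if dn in reachable(dn))
```

A group that is referenced but was not included in the LDIF input is reported by missing_backlinks as lacking its side of the link, so feed it the search results for every group involved.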


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

2 Comments

  1. By:geoffc

    So looking at how this is done, anyone could have done this with an Aux class any time in the past…

    But does Security Equivalence work?

    The argument against nested groups in the past has been rights evaluation. How do you evaluate effective rights if the membership can loop?

    If that is still an issue, what is the benefit of nested groups? What is an example use case, beyond syncing to an environment that uses them with IDM (Say AD or Domino or something else).

    • By:alexpeeters

      So, over 4 years later I can see no practical use for Nested Groups in an OES/NSS environment.

      Maybe IDM could play a nice role in this use case?
      I think it should be possible to create an IDM driver to grab the users from the static child groups and add them as static users to the parent group. And if that driver would be recursive that would open a world of opportunities for me!

      Has anybody done this perhaps?
