Novell Doc: NDK: Novell eDirectory Schema Reference

LDAP Name

group
groupOfNames
groupOfUniqueNames

ASN.1 ID

2.5.6.9 (groupOfNames)
2.5.6.17 (groupOfUniqueNames)
2.16.840.1.113719.1.1.6.1.8 (group)

Class Flags

Class Flags	Setting
Container	Off
Effective	On
Nonremovable	On
Ambiguous Naming	Off
Ambiguous Container	Off
Auxiliary Class	Off

Class Structure

Rule	Class/Attribute	Defined For
Super Classes	Top	Group
Containment	domain Organization Organizational Unit	Group Group Group
Named By	CN (Common Name)	Group

Rule

Class/Attribute

Defined For

Super Classes

Top

Group

Containment

domain

Organization

Organizational Unit

Group

Named By

CN (Common Name)

Group

Mandatory Attributes

Group	Inherited from Top
CN (Common Name)	Object Class

Optional Attributes

Group
businessCategory Description EMail Address Full Name GID (Group ID) L (Locality Name) Login Script Mailbox ID	Mailbox Location Member O (Organization Name) OU (Organizational Unit Name) Owner Profile Profile Membership See Also

Inherited from Top
ACL Audit:File Link Authority Revocation auxClassCompatibility Back Link Bindery Property CA Private Key CA Public Key Certificate Revocation Certificate Validity Interval creatorsName Cross Certificate Pair DirXML-Associations Equivalent To Me	GUID Last Referenced Time masvAuthorizedRange masvDefaultRange masvProposedLabel modifiersName Obituary objectVersion Other GUID Reference Revision rbsAssignedRoles rbsOwnedCollections Used By

Default ACL Template

Object Name	Default Rights	Affected Attributes	Class Defined For
[Creator]	Supervisor	[Entry Rights]	Top

Remarks

For help in understanding the class definition template, see Reading Class Definitions.

The membership of a group is static; that is, it is explicitly modified by administrative action, rather than dynamically determined each time the group is referred to. The membership of a group can be reduced to a set of individual object’s names by replacing each group with its membership. This process can be carried out recursively until all constituent group names have been eliminated, and only the names of individual objects remain.

In general, eDirectory operations do not perform recursive membership expansion. However, access control resolution effectively expands one level of groups listed in an Access Control List (ACL). Thus, if A is a member of group B, which is in turn listed in an ACL, A gains the access granted to group B. However, if A is a member of group B, which is a member of group C, and C is listed in an access control list, A does not gain the access granted to group C.

Other applications are free to perform recursive group expansion, if they so choose.

The L (Locality Name, O (Organization Name), and OU (Organizational Unit Name) attributes might already be present in the group’s Distinguished Name. They are repeated here to aid searching when an organization spans multiple subtrees in the eDirectory tree. Additional values for the locality, organization or organizational unit may be useful when a group contains members from multiple organizations, organizational units, or localities.

The Owner attribute could be used to contain the name of the group leader or group moderator. This value might not be the same as the set of individuals authorized to modify the group object.

The See Also attribute might be used to list related groups. For example, the groups “Project A Programmers,” “Project A Writers,” and “Project A Testers” might mention one another in their See Also attributes.