| Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) Part Number E10029-02 |
|
|
View PDF |
| Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) Part Number E10029-02 |
|
|
View PDF |
This chapter explains how to administer both static and dynamic groups in Oracle Internet Directory. This chapter contains these topics:
Oracle Internet Directory enables you to assign and manage membership in two types of groups—namely, static groups and dynamic groups. Each type of group suited for a different purpose.
Note:
If you are creating a hierarchy of groups, be sure that it is a true hierarchy as described in "Hierarchies".See Also:
"Security Groups" for instructions on setting access control policies for group entries
Globalization Support and Chapter 28, "Managing Directory Access Control" for information about access privileges
This section contains these topics:
A static group is one whose entry contains a list of members that you explicitly administer.
A static group requires you to explicitly administer its membership. For example, if a member changes his name, then you must change that user's DN for each group he belongs to. For this reason, a static group is best suited for a group whose membership is unlikely to change frequently.
When you create the entry for this kind of group, you associate it with either the groupOfNames or groupOfUniqueNames object class.
Each of these object classes has a multivalued attribute for storing the names of group members. To assign a user as a member of a group, you add the DN of each member to the respective multivalued attribute. Conversely, to remove a member from a group, you delete the member's DN from the respective attribute. In the groupOfNames object class, this multivalued attribute is member, and, in the groupOfUniqueNames object class, it is uniqueMember.
A dynamic group is one whose membership, rather than being maintained in a list, is computed, based on rules and assertions you specify. As of Oracle Internet Directory 10g (10.1.4.0.1), dynamic groups based on labeleduri attributes are cached.
By cached, we mean that dynamic group members are computed when the dynamic group is added, and that the member list is kept consistent when the dynamic group is later modified. As entries are added, modified, deleted, and renamed, the member lists of all dynamic groups are kept consistent. For example, if there is a dynamic group containing all person entries under "c=us", when we add "cn=user1,c=us", that entry is automatically added to the member list of the dynamic group. Similarly, when we delete "cn=user1,c=us", the entry is removed from the dynamic group's member list. This feature ensures that whenever a search is performed for a dynamic group, the member list can be returned without any additional computation. The search performance for dynamic groups using labeleduri is now almost the same as for static groups.
Dynamic groups can have static and dynamic members. The static members are listed as values of the member or uniquemember attribute.
Notes:
Only dynamic groups based on labeleduri attributes are cached. Dynamic groups based on CONNECT_BY assertion are not cached.
You cannot add a dynamic group based on the labeledURI attribute with scope base. Only scope sub and one are supported.
To refresh dynamic group memberships, set the attribute orclrefreshdgrmems in the DSA Configuration entry to 1. Oracle Internet Directory recomputes the member lists for all dynamic groups and resets the value of orclrefreshdgrmems to 0. If there are many groups, this operation can take a long time to complete.
When you query for the groups that a user belongs to, dynamic groups based on the labeledURI attribute are automatically included in the result. Dynamic groups based on the CONNECT_BY assertion have to be explicitly queried.
See Also:
"About LDAP Controls" in Oracle Fusion Middleware User Reference for Oracle Identity Management for more information on controls used by Oracle Internet Directory
The C API chapter in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
Performing Hierarchical Searches in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management
In Oracle Internet Directory 10g (10.1.4.1) and later releases, you can use dynamic groups in the same ways you use static groups. For example, you can use them in:
Access control lists, by associating the group with either the orclACPgroup or the orclPrivilegeGroup object class.
Hierarchical group resolution queries
Dynamic groups have the following limitations in Oracle Internet Directory:
Only dynamic groups based on labeleduri attributes are cached. Dynamic groups based on CONNECT_BY assertions are not cached.
Hierarchical queries and queries involving specific attributes of members can only be done on cached dynamic groups.
Dynamic groups can only be added using ldapadd or ODSM. They cannot be added by using bulkload.
If the catalog tool is used to drop and re-create the ct_member or ct_uniquemember catalog tables, the dynamic group member lists must be recomputed by setting the orclrefreshdgrmems attribute of the DSA Configuration entry to 1 using ldapmodify.
The attributes used in the LDAP filter part of the labeleduri must be indexed. See "Creating and Dropping Indexes from Existing Attributes by Using catalog" and "About Indexing Attributes".
When you create a dynamic group, you begin as when creating a static group—that is, you associate its entry with either the groupOfNames or groupOfUniqueNames object class. You then associate that object class with the auxiliary object class orclDynamicGroup. This auxiliary object class has various attributes in which you specify one of two methods for dynamically computing the membership of the group.
The two methods are:
Using the labeledURI attribute
When using this method, the directory server performs a typical search based on the hierarchy of the DIT. It requires you to provide a value for one of the attributes of the orclDynamicGroup object class, namely labeledURI. In this attribute, you specify the base of the query, the filters, and any required attributes. For example, suppose that you have entered the following value for the labeledURI attribute:
labeledURI:ldap://host:port/ou=NewUnit,o=MyCompany,c=US??sub?(objectclass=person)
When you use this method, a search for the entry returns entries for all members of the group.
Do not set orclConnectByAttribute or orclConnectByStartingValue when using the labeledURI attribute method.
Note:
In the labeledURI attribute, thehost:port section is present for syntax purposes alone. Irrespective of the host and port settings in the labeledURI attribute, the directory server always computes members of dynamic group from the local directory server. It cannot retrieve members from other directory servers.See Also:
"The LDAP URL Format" (RFC 2255). T. Howes, M. Smith, December 1997. This RFC provides more information about how LDAP URLs are to be represented—as, for example, in thelabeledURI attribute. It is available on the World Wide Web at http://www.ietf.org.Unlike the previous method, this method relies not on the hierarchy of the DIT, but on attributes that implicitly connect entries to each other, regardless of their location in the DIT. For example, the manager attribute connects the entries of employees with those of their managers, and this connection applies regardless of the location of the employee entries in the DIT. This method uses a CONNECT BY clause in which you specify the attribute to use for building the hierarchy—for example, manager—and the starting value for such a hierarchy—for example, cn=Anne Smith,cn=users,dc=example,dc=com.
See Also:
Performing Hierarchical Searches in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity ManagementMore specifically, to use this method, you specify in the orclDynamicGroup object class a value for each of the single-valued attributes in Table 15-1.
Table 15-1 orclDynamicGroup Attributes for "Connect By" Assertions
| Attribute | Description |
|---|---|
|
orclConnectByAttribute |
The attribute that you want to use as the filter for the query—for example, |
|
orclConnectByStartingValue |
The DN of the attribute you specified in the |
Do not set labeledURI when using the CONNECT BY assertion method.
For example, to retrieve the entries of all employees who report to Anne Smith in the MyOrganizational Unit in the Americas, you would provide values for these attributes as follows:
orclConnectByAttribute=manager orclConnectByStartingValue= "cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US"
You can also develop an application specifying that you want the values for a particular attribute—for example, the email attribute—of all the members.
See Also:
Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management for more information about how to develop applications that retrieve values for particular attributesThe following examples show the two kinds of dynamic group entries.
Example: a Dynamic Group Entry Using the labeledURI Attribute
The following is an example of a dynamic group entry using the labeledURI attribute.
dn: cn=dgroup1 cn: dgroup1 description: this is an example of a dynamic group labeleduri:ldap://hostname:7777/ou=oid,l=amer,dc=oracle, dc=dgrptest??sub?objectclass=person objectclass: orcldynamicgroup objectclass: groupOfUniqueNames objectclass: top
This group will have uniquemember values that are the DNs of all entries associated with the object class person in the subtree ou=oid,l=amer,dc=oracle,dc=dgrptest.
Example: a Dynamic Group Entry Using the CONNECT BY Assertion
The following is an example of a dynamic group entry that uses the CONNECT_BY assertion.
dn: cn=dgroup2 cn: dgroup2 description: this is connect by manager assertion dynamic group orclconnectbyattribute: manager orclconnectbystartingvalue: cn=john doe sr,l=amer,dc=oracle,dc=dgrptest objectclass: orcldynamicgroup objectclass: groupOfUniqueNames objectclass: top
This dynamic group has unique members with values that are DNs of all the entries whose manager attribute is cn=john doe sr. either indirectly or directly. If several individuals have cn=john doe JR. as their manager, and he, in turn, has cn=john doe SR. as his manager, then all the lower-level individuals are returned.
Hierarchies can be either explicit or implicit.
In explicit hierarchies, the relationship is determined by the location of the entry in the DIT—for example, Group A may reside higher in the DIT than Group B.
In implicit hierarchies, the relationship between entries is determined not by the location in the DIT, but by the values of certain attributes. For example, suppose that you have a DIT in which the entry for John Doe is at the same level of the hierarchy as Anne Smith. However, suppose that, in the entry for John Doe, the manager attribute specifies Anne Smith as his manager. In this case, although their locations in the DIT are at an equal level, their rankings in the hierarchy are unequal because Anne Smith is specified as John Doe's manager.
Note:
If you create a hierarchical group, be sure that it is truly hierarchical. For example, in a true hierarchy, Group A can be a member of Group B, but Group B cannot at the same time be a member of Group A. Because the latter relationship is cyclical, a search for the members of Group A fails.In a query based on an implicit hierarchy, the client can specify in the search request the control 2.16.840.1.113894.1.8.3. The filter in this query specifies the attribute used to build the implicit hierarchy. For example, (manager=cn=john doe, o=foo) specifies the query for all people reporting directly or indirectly to John Doe. The implicit hierarchy is based on the manager attribute. The base of the search is ignored for such queries.
For more information on controls used by Oracle Internet Directory, see "About LDAP Controls" in Oracle Fusion Middleware User Reference for Oracle Identity Management.
See Also:
The C API chapter in Oracle Fusion Middleware Application Developer's Guide for Oracle Identity ManagementAn application can query either kind of group to do the following:
List all members of a group
List all groups of which a user is a member
Check to see if a user is a member of a particular group
In addition, you can query dynamic groups, but not static ones, for whatever member attributes you specify.
When deliberating about which kind of group to use, you must weigh the ease of administration against higher performance. For example, dynamic groups provide for easier administration, but cause a decrease in performance. Table 15-2 lists some things to consider when deliberating whether to use static or dynamic groups.
Table 15-2 Static and Dynamic Group Considerations
| Consideration | Static Groups | Dynamic Groups |
|---|---|---|
|
Ease of administration |
More difficult to administer if group memberships are large and change frequently |
Easier to use, especially when group memberships are large and change frequently |
|
Performance |
Higher level of performance because you explicitly administer the membership list |
Slightly decreased level of performance with |
You can manage static and dynamic group entries by using the Data Browser page in Oracle Directory Services Manager. You can display group entries, search for groups, and view groups using the procedures described in "Managing Entries by Using Oracle Directory Services Manager". The procedures for creating and modifying groups are described in this section. This section contains the following topics:
Creating Static Group Entries by Using Oracle Directory Services Manager
Modifying a Static Group Entry by Using Oracle Directory Services Manager
Creating Dynamic Group Entries by Using Oracle Directory Services Manager
Modifying a Dynamic Group Entry by Using Oracle Directory Services Manager
If the static group entry belongs to the groupOfNames object class, then you determine membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine membership in the group by adding DNs to the multivalued attribute uniqueMember.
To add a static group entry:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in "Invoking Oracle Directory Services Manager".
From the task selection bar, select Data Browser.
On the toolbar, choose the Create a new entry icon. Alternatively, right click any entry and choose Create.
You can, alternatively, select a group that is similar to the one you want to create, then choose the Create a new entry like this one icon. Alternatively, right click any entry and choose Create.
The Create New Entry wizard appears.
Specify the object classes for the new entry. Click the Add icon and use the Add Object Class dialog to select either groupOfNames or groupOfUniqueNames. (All the superclasses from this object class through top are also added.)
Click OK.
In the Parent of the entry field, you can specify the full DN of the parent entry of the entry you are creating. You can also click Browse to locate and select the DN of the parent for the entry you want to add, then click Select.
If you leave the Parent of the entry field blank, the entry is created under the root entry.
Click Next.
Choose an attribute which will be the Relative Distinguished Name value for this entry and enter a value for that attribute. You must enter a value for the cn attribute, even if it is not the RDN value.
Click Next. The next page of the wizard appears. (Alternatively, you can click Back to return to the previous page.)
Click Finish.
To add an owner or member, navigate to the group entry you just created in the Data Tree.
Select the Group tab.
To add an owner to the group, click the Add icon next to the Owner box.
Select the entry you want to add as owner (usually a user or group entry) in the Select Distinguished Name Path dialog.
Click OK.
To add a member to the group, click the Add icon next to the Members text box
Select the entry you want to add as a member (usually a user or group entry) in the Select Distinguished Name Path dialog.
Click OK.
Optionally, enter a description for the entry.
Choose Apply to apply your changes or choose Revert to abandon your changes.
To make other changes to the group entry, see "Modifying a Static Group Entry by Using Oracle Directory Services Manager"
To modify an attribute, such as the member list, for a group entry:
Select the group in the data tree.
To add or delete an owner or member, select the Group tab or the Attributes tab.
To add a member to the group, click the Add icon next to the Members text box.
Select the entry you want to add as a member (usually a user or group entry) in the Select Distinguished Name Path dialog.
Click OK.
To add an owner to the group, click the Add icon next to the Owners text box.
Select the entry you want to add as an owner (usually a user or group entry) in the Select Distinguished Name Path dialog
Click OK.
To delete an owner or member, select it in the list and click the Delete icon.
To add or modify an attribute other than an owner or member, select the Attributes tab.
By default, only non-empty attributes are shown. You can switch between Managed Attributes and Show All by using the Views list.
To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes lists and use the Move and Move All arrows to move the attributes. Select attributes you want to move from the shown Attributes list to the All Attributes lists and use the Remove and Remove All arrows to move the attributes. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.
Specify values for the optional properties. You can also modify the values of the mandatory properties. For multivalued attributes, you can use the Add and Delete icons to add and delete multiple values.
Click Apply to save your changes or Revert to discard them.
You can set an access control point (ACP) on this entry by using the Subtree Access and Local Access tabs. The procedures are described in "Adding or Modifying an ACP by Using the Data Browser in ODSM" and "Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM".
Dynamic groups can have static and dynamic members. The static members are listed as values of the member or uniquemember attribute. If the dynamic group entry belongs to the groupOfNames object class, then add static members to the group by adding DNs to the multivalued attribute member. If the dynamic group entry belongs to the groupOfUniqueNames object class, then add static members to the group by adding DNs to the multivalued attribute uniqueMember.
For dynamic groups, you must also set attributes to specify how the group membership is computed. You must choose either the labeledURI or the CONNECT BY method for dynamically computing membership in the group. You cannot use both methods. If you are using the labeledURI method, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. If you are using the CONNECT BY method, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute.
To add a dynamic group entry:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in "Invoking Oracle Directory Services Manager".
From the task selection bar, select Data Browser.
On the toolbar, choose Create a new entry. The Create New Entry wizard appears.
Specify the object classes for the new entry. Select at least the following object class entries.
Click the Add icon and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, select it and then click OK. (All the superclasses from this object class through top are also added.)
In the Parent of the entry field, you can specify the full DN of the parent entry of the entry you are creating. You can also click Browse to locate the DN of the parent for the entry you want to add, then click Select.
If you leave the Parent of the entry field blank, the entry is created under the root entry.
Click Next.
Choose an attribute which will be the Relative Distinguished Name value for this entry and enter a value for that attribute. You must enter a value for the cn attribute, even if it is not the RDN value.
Click Next. The next page of the wizard appears. (Alternatively, you can click Back to return to the previous page.)
Click Finish.
To add an owner or member, navigate to the group entry you just created in the Data Tree. (You might have to click the Refresh icon to see the new entry).
Select the Group tab.
To add an owner to the group, click the Add icon next to the Owner box.
Select the entry you want to add as owner (usually a user or group entry) in the Select Distinguished Name Path dialog.
Click OK.
To add a member to the group, click the Add icon next to the Members text box
Select the entry you want to add as a member (usually a user or group entry) in the Select Distinguished Name Path dialog.
Click OK.
Optionally, enter a description for the entry.
Choose Apply to apply your changes or choose Revert to abandon your changes.
Select the Attributes tab.
You can switch between Managed Attributes and Show All by using the Views list.
To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes lists and use the Move and Move All arrows to move the attributes. Select attributes you want to move from the shown Attributes list to the All Attributes lists and use the Remove and Remove All arrows to move the attributes. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.
If you are using the labeledURI method for dynamically computing membership in the group, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. In the Attributes tab page, in the labeledURI field, specify the following:
ldap:ldap_URL
For example:
ldap://my_host:3000/ou=MyNeworganizationalUnit, o=MyCompany,c=US??sub?(objectclass=person)
If you are using the CONNECT BY method for dynamically computing membership in the group, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute. In the orclConnectByAttribute field, specify the attribute that you want to use as the filter for the query—for example, manager. In the orclConnectByStartingValue field, specify the DN of the attribute you specified in the orclConnectByAttribute attribute—for example, cn=Anne Smith.
For information about specifying the other attributes that appear in the Attributes tab page, see "User and Group Schema Elements" in Oracle Fusion Middleware User Reference for Oracle Identity Management.
Click Apply to save your changes or Revert to discard them.
You can set an access control point (ACP) on this entry by using the Subtree Access and Local Access tabs. The procedures are described in "Adding or Modifying an ACP by Using the Data Browser in ODSM" and "Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM".
Remember that you must choose either the labeledURI or the CONNECT BY method for dynamically computing membership in the group. You cannot use both methods. If you are using the labeledURI method, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. If you are using the CONNECT BY method, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute.
To modify an attribute for a dynamic group entry, proceed as for a static group entry, as described in "Modifying a Static Group Entry by Using Oracle Directory Services Manager". You can add static members to a dynamic group, but you are not required to do so.
You can manage static and dynamic groups from the command line by using LDAP tools. This section contains the following topics:
Note:
When you create a group, specifying members is optional and is shown here for the sake of completeness.
It is uncommon to have dynamic groups with static membership.
The syntax for the LDIF file is:
dn: DN_of_group_entry objectclass: top objectclass: groupOfNames | groupOfUniqueNames member: DN of member 1 member: DN of member 2 . . . member: DN of member N
The following command adds the group and members in this LDIF file to the directory:
ldapadd -p port_number -h host -D cn=orcladmin -q -f file_name.ldif
Example: Creating a Static Group Entry by Using ldapadd The following example shows an LDIF file named myStaticGroup.ldif for the entry for a group named MyStaticGroup:
dn: cn=myStaticGroup,c=us objectclass: top objectclass: groupOfNames member: cn=John Doe member: cn=Anne Smith
The following command adds the group and members in this LDIF file to the directory:
ldapadd -p 3060 -h myhost -D cn=orcladmin -q -f myStaticGroup.ldif
To add a member to a group, the syntax of the LDIF file is:
dn: DN_of_group_entry changetype: modify add: member member: DN of member entry
To delete a member from a group, the syntax of the LDIF file is:
dn: DN of group entry changetype: modify delete:member member:DN of member entry
Issue this command to modify the file:
ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f file_name.ldif
where -v specifies verbose mode.
Example: Modifying a Static Group by Using ldapmodify The following example adds John Doe to a group named MyStaticGroup. As in the previous example, the data for this user entry is in the myStaticGroup.ldif file. This file contains the following:
dn: cn=myStaticGroup,c=us changetype: modify add:member member: cn=John Doe
Issue this command to modify the file:
ldapmodify -D "cn=orcladmin" -q -p 3060 -v -f myStaticGroup.ldif
where -v specifies verbose mode.
Note:
When you add or modify an entry, the Oracle directory server does not verify the existence of the entry. However, if the attribute value must contain a DN, then the directory server verifies that the DN is specified.If you use the labeledURI attribute, then the syntax for the LDIF file is:
dn: DN_of_group_entry objectclass: top objectclass: groupOfNames | groupOfUniqueNames objectclass: orcldynamicgroup labeledURI:ldap:ldap_URL member: DN of member 1 member: DN of member 2 . . . member: DN of member N
The following command adds the group and members in this LDIF file to the directory:
ldapadd -p port_number -h host -f file_name.ldif
If you use the CONNECT BY string, then the syntax for the LDIF file is:
dn: DN_of_group_entry objectclass: top objectclass: groupOfNames | groupOfUniqueNames objectclass: orclDynamicGroup orclConnectByAttribute:attribute_name orclConnectByStartingValue:DN_of_attribute member: DN of member 1 member: DN of member 2 . . . member: DN of member N
When specifying entries in this syntax, do not use double quotes around distinguished names.
The following example shows an LDIF file for the entry for a dynamic group:
dn: cn=myDynamicGroup,c=us objectclass: top objectclass: groupOfNames objectclass: orcldynamicgroup labeledURI:ldap://my_host:3000/ou=MyNeworganizationalUnit, o=MyCompany,c=US??sub?(objectclass=person) member: cn=John Doe member: cn=Anne Smith
The following command adds this LDIF file to the directory:
ldapadd -p 3060 -h myhost -f myDynamicGroup.ldif
To change the organizational unit of the group created in the previous example, the syntax of the LDIF file is:
dn: DN_of_group_entry
changetype: modify
replace:labeledURI
labeledURI:ldap://my_host:3000/
ou=MyNeworganizationalUnit,o=MyCompany,c=US??sub?(objectclass=person)
Note:
When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.
|
 Copyright © 1999, 2009, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|