• Remove a particular role from a given entry.
You can do everything you would normally do with static groups with managed
roles, and you can filter members using filtered roles as you used to do with
dynamic groups. Roles are easier to use than groups, more flexible in their
implementation, and reduce client complexity.
However, evaluating roles is more resource intensive because the server does the
work for the client application. With roles, the client application can check role
membership by searching the nsRole attribute. The nsRole attribute is a computed
attribute that is not stored with the entry itself, which identifies which roles an
entry belongs to. From the client application point of view, the method for
checking membership is uniform and is performed on the server side.
Each role has members, or entries that possess the role. You can specify members
either explicitly or dynamically. How you specify role membership depends upon
the type of role you are using. Directory Server supports three types of roles:
• Managed roles—A managed role allows you to create an explicit enumerated
  list of members.
• Filtered roles—A filtered role allows you to assign entries to the role
  depending upon the attribute contained by each entry. You do this by
  specifying an LDAP filter. Entries that match the filter are said to possess the
  role.
• Nested roles—A nested role allows you to create roles that contain other roles.
For more information about how roles work, refer to the Netscape Directory Server
Deployment Guide.
The concept of activating/inactivating roles is introduced to enable you to
activate/inactivate groups of entries in just one operation. That is, you can
temporarily disable the members of a role by inactivating the role to which they
belong.
When a role is said to be inactivated, it does not mean that you cannot bind to the
server using that role entry. The meaning of an inactivated role is that you cannot
bind to the server using any of the entries that belong to that role—the entries that
belong to an inactivated role will have the nsaccountlock attribute set to true.
In the case of the nested role, an inactivated nested role means that you cannot bind
to the server using an entry that belongs to a role that is a member of the nested
role. All the entries that belong to a role that directly or indirectly are members of
the nested role (one may have several levels of nested roles) will have
nsaccountlock set to true.
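The membership and inactivation rules described above, as a small Python model added here for illustration. It is not Directory Server code; the entry DNs, role names and the single-equality filter form are constructed assumptions.

```python
# Model of the role rules described above; not Directory Server code.
# DNs, role names and the (attr=value)-only filter form are constructed.
BASE = "ou=People,dc=example,dc=com"
ALICE, BOB, CAROL = (f"uid={u},{BASE}" for u in ("alice", "bob", "carol"))

ENTRIES = {ALICE: {"ou": "Sales"}, BOB: {"ou": "Engineering"}, CAROL: {"ou": "Finance"}}

ROLES = {
    # managed: explicit enumerated list of members
    "cn=Admins": {"type": "managed", "members": {BOB}},
    # filtered: every entry matching the filter possesses the role
    "cn=SalesStaff": {"type": "filtered", "filter": ("ou", "Sales")},
    # nested: contains other roles, here two levels deep
    "cn=Privileged": {"type": "nested", "roles": ["cn=Admins"]},
    "cn=AllStaff": {"type": "nested", "roles": ["cn=Privileged", "cn=SalesStaff"]},
}

def possesses(dn, role_dn, seen=frozenset()):
    """True if entry dn possesses role_dn, directly or through nesting."""
    if role_dn in seen:  # guard against a nested role that contains itself
        return False
    role = ROLES[role_dn]
    if role["type"] == "managed":
        return dn in role["members"]
    if role["type"] == "filtered":
        attr, value = role["filter"]
        return ENTRIES[dn].get(attr) == value
    return any(possesses(dn, r, seen | {role_dn}) for r in role["roles"])

def ns_role(dn):
    """Value of the computed nsRole attribute: derived on read, never stored."""
    return sorted(r for r in ROLES if possesses(dn, r))

def ns_account_lock(dn, inactivated):
    """True if dn belongs to any inactivated role, at any nesting depth."""
    return any(possesses(dn, r) for r in inactivated)

if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn, ns_role(dn), ns_account_lock(dn, {"cn=AllStaff"}))
```

Inactivating the outer nested role in this model locks every entry reachable through any level of nesting, while an entry that possesses no role is unaffected.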
Chapter 5, Advanced Entry Management: Using Roles (page 167)