Table of Contents
Advertisement
The mapping from an ACL to an LDAP database is defined both in the
configuration file (which associates the ACL database names with
dbswitch.conf
actual LDAP database URLs) and the ACL file (which defines which databases are
to be used for which ACL). For example, if you want base access rights on
membership in a group named "staff," the ACL code looks up an object that has an
object class of
groupOf <anything>
members of the group, either by explicitly enumerating the member DNs (as is
done for
groupOfUniqueNames
example,
groupOfURLs
Groups Can Be Static and Dynamic
A group object can have both
objectclass = groupOfURLs
attributes are valid. The group's membership is the union of its static and dynamic
members.
Dynamic Group Impact on Server Performance
There is a server performance impact when using dynamic groups. If you are
testing group membership, and the DN is not a member of a static group,
Enterprise Server checks all dynamic groups in the database's baseDN. Enterprise
Server accomplishes this task by checking if each
its baseDN and scope against the DN of the user, and then performing a base
search using the user DN as baseDN and the filter of the
procedure can amount to a large number of individual searches.
Guidelines for Creating Dynamic Groups
Consider the following guidelines when using the Administration Server forms to
create new dynamic groups:
•
Dynamic groups can not contain other groups.
•
Enter the group's LDAP URL using the following format (without
info, since these parameters are ignored):
port
ldap:///<basedn>?<attributes>?<scope>?<(filter)>
The required parameters are described in the following table:
and a CN set to "staff." The object defines the
for static groups), or by specifying LDAP URLs (for
).
objectclass = groupOfUniqueMembers
; therefore, both "
" and "
uniqueMember
matches by checking
memberURL
. This
memberURL
Chapter 4
Managing Users and Groups
Creating Groups
and
"
memberURL
and
host
75
Advertisement
Table of Contents
