Groups Can Be Static And Dynamic; Dynamic Group Impact On Server Performance; Guidelines For Creating Dynamic Groups - Netscape ENTREPRISE SERVER 6.1 - 08-2002 ADMINISTRATOR Administrator's Manual


The DNs are included automatically, without your having to add each individual to the group. The group changes dynamically, because Enterprise Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.

NOTE
Enterprise Server uses the cn (commonName) attribute as the group name for ACLs.

The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf configuration file (which associates the ACL database names with actual LDAP database URLs) and the ACL file (which defines which databases are to be used for which ACL). For example, if you want to base access rights on membership in a group named "staff," the ACL system looks up an object that has an object class of groupOf<anything> and a CN set to "staff." The object defines the members of the group, either by explicitly enumerating the member DNs (as is done for groupOfUniqueNames for static groups), or by specifying LDAP URLs (for example, groupOfURLs).

Groups Can Be Static and Dynamic

A group object can have both objectclass = groupOfUniqueMembers and objectclass = groupOfURLs; therefore, both "uniqueMember" and "memberURL" attributes are valid. The group's membership is the union of its static and dynamic members.

Dynamic Group Impact on Server Performance

There is a server performance impact when using dynamic groups. If you are testing group membership, and the DN is not a member of a static group, Enterprise Server checks all dynamic groups in the database's baseDN. Enterprise Server accomplishes this task by checking if each memberURL matches by checking its baseDN and scope against the DN of the user, and then performing a base search using the user DN as baseDN and the filter of the memberURL. This procedure can amount to a large number of individual searches.
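The check described above can be modeled offline to see which groups a DN resolves to and how many base searches the test costs. This is an added example, not Enterprise Server code: the directory entries are constructed, the function names are hypothetical, and DN and filter handling are simplified (no escaped commas, equality terms only).

```python
import re
def parse_member_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> into (base, scope, filter)."""
    rest = url.split("///", 1)[1]
    base, _attrs, scope, flt = (rest.split("?") + ["", "", ""])[:4]
    return base, (scope or "base").lower(), flt

def rdns(dn):
    return [r.strip().lower() for r in dn.split(",")]  # naive: no escaped commas

def in_scope(user_dn, base, scope):
    """Compare a memberURL's baseDN and scope against the user's DN."""
    user, b = rdns(user_dn), rdns(base)
    depth = len(user) - len(b)
    ok = {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}[scope]
    return ok and user[max(depth, 0):] == b

def filter_matches(flt, attrs):
    """Simplification: equality terms only, optionally joined by (&...)."""
    if any(c in flt for c in "|!*"):
        raise ValueError("filter form not handled here: " + flt)
    terms = re.findall(r"\(([^()=&]+)=([^()]*)\)", flt)
    return all(v.lower() in map(str.lower, attrs.get(a.lower(), [])) for a, v in terms)

def resolve_groups(user_dn, attrs, groups):
    """Return (cns of groups containing the user, base searches performed)."""
    member_of, searches = [], 0
    for g in groups:
        if rdns(user_dn) in [rdns(m) for m in g.get("uniqueMember", [])]:
            member_of.append(g["cn"])       # static member, no search needed
            continue
        for url in g.get("memberURL", []):
            base, scope, flt = parse_member_url(url)
            if not in_scope(user_dn, base, scope):
                continue                    # rejected on baseDN/scope alone
            searches += 1                   # base search on the user DN with flt
            if filter_matches(flt, attrs):
                member_of.append(g["cn"])
                break
    return member_of, searches

B = "o=example.com"  # constructed sample data, not from the manual
GROUPS = [
    {"cn": "staff", "uniqueMember": [f"uid=alice,ou=People,{B}"],
     "memberURL": [f"ldap:///ou=People,{B}??one?(departmentNumber=42)"]},
    {"cn": "contractors", "memberURL": [f"ldap:///ou=Contractors,{B}??sub?(title=temp)"]},
    {"cn": "admins", "memberURL": [f"ldap:///{B}??sub?(&(title=admin)(departmentNumber=42))"]},
]
print(resolve_groups(f"uid=bob,ou=People,{B}", {"departmentnumber": ["42"]}, GROUPS))
```

Each memberURL whose baseDN and scope cover the user adds one search, so the count grows with the number of broadly scoped dynamic groups.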

Guidelines for Creating Dynamic Groups

Consider the following guidelines when using the Enterprise Server
Administration Server forms to create new dynamic groups:
Dynamic groups cannot contain other groups.

Chapter 4
Managing Users and Groups
Creating Groups
