<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Dynamic groups</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahydynamicgp"></a>
<h4 id="rzahydynamicgp">Dynamic groups</h4>
<p>A dynamic group defines its members differently than a static group. Instead
of listing them individually, the dynamic group defines its members using
an LDAP search. The dynamic group uses the structural objectclass <span class="bold">groupOfURLs</span> (or auxiliary objectclass <span class="bold">ibm-dynamicGroup</span>) and the attribute, <span class="bold">memberURL</span> to define
the search using a simplified LDAP URL syntax. </p>
<pre class="xmp"> ldap:///&lt;<span class="italic">base DN of search</span>&gt; ? ? &lt;<span class="italic">scope of search</span>&gt; ? &lt;<span class="italic">searchfilter</span>&gt;</pre>
<a name="wq50"></a>
<div class="notetitle" id="wq50">Note:</div>
<div class="notebody">As the example illustrates, the host name must not be
present in the syntax. The remaining parameters are just like normal LDAP
URL syntax. Each parameter field must be separated by a <span class="bold">?</span>, even if no parameter
is specified. Normally, a list of attributes to return would be included
between the base DN and the scope of the search. This parameter is also not used
by the server when determining dynamic membership and can be omitted; however,
the separator <span class="bold">?</span> must still be present.</div><p class="indatacontent">where:</p>
<dl>
<dt class="bold">base DN of search</dt>
<dd>Is the point from which the search begins in the directory.
It can be the suffix or root of the directory such as <span class="bold">ou=Austin</span>. This parameter is required.
</dd>
<dt class="bold">scope of search</dt>
<dd>Specifies the extent of the search. The default scope is base.
<dl>
<dt class="bold">base</dt>
<dd>Returns information only about the base DN specified in the
URL
</dd>
<dt class="bold">one</dt>
<dd>Returns information about entries one level below the base
DN specified in the URL. It does not include the base entry.
</dd>
<dt class="bold">sub</dt>
<dd>Returns information about entries at all levels below and
includes the base DN.
</dd>
</dl>
</dd>
<dt class="bold">searchfilter</dt>
<dd>Is the filter that you want to apply to the entries within the scope
of the search. See <a href="rzahyldapsrch.htm#filterdef">the ldapsearch filter option</a> for information about the syntax
of the searchfilter. The default is <span class="bold">objectclass=*</span>.
</dd>
</dl>
<p>The search for dynamic members is always internal to the server, so unlike
a full LDAP URL, a host name and port number are never specified, and the protocol
is always <span class="bold">ldap</span> (never <span class="bold">ldaps</span>). The <span class="bold">memberURL</span> attribute can contain
any kind of URL, but the server only uses <span class="bold">memberURL</span> values beginning with <span class="bold">ldap:///</span> to determine
dynamic membership.</p>
<p><span class="bold">Examples</span></p>
<p>A single entry in which the scope defaults to base and the filter defaults
to objectclass=*:</p>
<pre class="xmp">ldap:///cn=John Doe, cn=Employees, o=Acme, c=US</pre><p class="indatacontent">All entries that are 1-level below cn=Employees, and the filter defaults
to objectclass=*:</p>
<pre class="xmp">ldap:///cn=Employees, o=Acme, c=US??one</pre><p class="indatacontent">All
entries that are under o=Acme with objectclass=person:</p>
<pre class="xmp">ldap:///o=Acme, c=US??sub?objectclass=person</pre>
<p>Depending on the object classes you use to define user entries, those entries
might not contain attributes which are appropriate for determining group membership.
You can use the auxiliary object class, <span class="bold">ibm-dynamicMember</span>, to extend your user entries to include the <span class="bold">ibm-group</span> attribute. This attribute allows you to add arbitrary values
to your user entries to serve as targets for the filters of your dynamic groups.
For example:</p>
<p>The members of this dynamic group are entries directly under the cn=users,ou=Austin
entry that have an ibm-group attribute of GROUP1:</p>
<pre class="xmp">dn: cn=GROUP1,ou=Austin
objectclass: groupOfURLs
cn: GROUP1
memberURL: ldap:///cn=users,ou=Austin??one?(ibm-group=GROUP1)</pre><p class="indatacontent">Here is
an example member of cn=GROUP1,ou=Austin: </p>
<pre class="xmp">dn: cn=Group 1 member, cn=users, ou=austin
objectclass: person
objectclass: ibm-dynamicMember
sn: member
userpassword: memberpassword
ibm-group: GROUP1</pre>
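<p>The following is an added example (not IBM's code) that applies the memberURL rules described on this page to constructed entries: it parses the simplified <span class="bold">ldap:///</span> URL with its defaults, ignores non-<span class="bold">ldap:///</span> URLs, and checks scope and filter for the GROUP1 member entry above and for an entry outside the scope. It assumes single <span class="bold">attr=value</span> or <span class="bold">attr=*</span> filters and case-insensitive, comma-separated DNs.</p>

```python
# Added example (not IBM's code): evaluator for the simplified memberURL syntax above.
# Assumptions: single "attr=value" or "attr=*" filters only; DNs compared case-insensitively.

def parse_member_url(url):
    """Split 'ldap:///<base>?<attrs>?<scope>?<filter>'; None if the server would ignore it."""
    if not url.startswith("ldap:///"):        # ldaps:// or host-bearing URLs are not used
        return None
    parts = [p.strip() for p in url[len("ldap:///"):].split("?")]
    if not parts[0]:
        raise ValueError("base DN is required")
    # parts[1] is the attribute list: ignored for membership, but its '?' must be present
    scope = (parts[2] if len(parts) > 2 and parts[2] else "base").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub: %r" % scope)
    filt = parts[3] if len(parts) > 3 and parts[3] else "objectclass=*"
    return {"base": parts[0], "scope": scope, "filter": filt.strip("()")}

def norm_dn(dn):
    """RDN list, whitespace stripped and lowercased, for comparison."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """base: the base entry only; one: its direct children; sub: base and everything below."""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def matches_filter(entry, filt):
    """Equality filter against an entry dict of lowercase attribute names -> value lists."""
    attr, _, value = filt.partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(values) if value.strip() == "*" else value.strip().lower() in values

def is_member(entry, member_url):
    """True if the entry falls in the URL's scope and matches its filter."""
    spec = parse_member_url(member_url)
    return (spec is not None and in_scope(entry["dn"], spec["base"], spec["scope"])
            and matches_filter(entry, spec["filter"]))

# Constructed sample entries; MEMBER is the example member entry from the page.
MEMBER = {"dn": "cn=Group 1 member, cn=users, ou=austin",
          "objectclass": ["person", "ibm-dynamicMember"], "sn": ["member"], "ibm-group": ["GROUP1"]}
OUTSIDE = {"dn": "cn=Other, ou=Austin", "objectclass": ["person"], "ibm-group": ["GROUP1"]}
GROUP1_URL = "ldap:///cn=users,ou=Austin??one?(ibm-group=GROUP1)"

if __name__ == "__main__":
    print(is_member(MEMBER, GROUP1_URL), is_member(OUTSIDE, GROUP1_URL))   # True False
```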
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>