h2. Static and Dynamic Groups
A group is a set of objects in an LDAP database. In Web Server 7.0 a group consists of users who share a common attribute. For example, the set of objects might be the employees who work in the marketing division of your company. These employees might belong to a group called Marketing.
For LDAP services, there are two ways to define membership of a group: statically and dynamically. Static groups enumerate their member objects explicitly. A static group is identified by a CN and contains {{uniqueMembers}}, {{memberURLs}}, and/or {{memberCertDescriptions}}. In static groups, the members do not share a common attribute except for the {{CN=<Groupname>}} attribute.
Dynamic groups allow you to use an LDAP URL to define a set of rules that match only group members. In dynamic groups, the members do share a common attribute or set of attributes, defined by the {{memberURL}} filter. For example, if you need a group that contains all employees in Sales, and they are already in the LDAP database under “{{ou=Sales,o=Airius.com}},” you would define a dynamic group with the following {{memberURL}}:
{{ldap:///ou=Sales,o=Airius.com??sub?(uid=*)}}
This group would then contain all objects that have a {{uid}} attribute in the tree below the “{{ou=Sales,o=Airius.com}}” point; that is, all the Sales members.
For both static and dynamic groups, members can share a common attribute taken from a certificate if you use the {{memberCertDescription}} attribute. Note that these attributes only work if the ACL uses the SSL method.
Once you create a new group, you can add users, or members, to it.
The following topics are discussed in this section:
{toc-zone:maxLevel=3|type=list|location=top}
h3. Static Groups
For LDAP services, the Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group does not change unless you add a user to it or delete a user from it.
h4. Guidelines for Creating Static Groups
Consider the following guidelines when using the Administration Server forms to create new static groups:
* Static groups can contain other static or dynamic groups.
* You can optionally also add a description for the new group.
* If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or topmost entry.
h3. Dynamic Groups
A dynamic group has an {{objectclass}} of {{groupOfURLs}}, and has zero or more {{memberURL}} attributes, each of which is a LDAP URL that describes a set of objects.
For LDAP services, Web Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups which contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute {{department=marketing}}. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute {{department=marketing}}. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.
The following topics are discussed in this section:
{toc-zone:maxLevel=4|type=list|location=top}
h4. How Web Server Implements Dynamic Groups
Web Server implements dynamic groups in the LDAP server schema as {{objectclass = groupOfURLs}}. A {{groupOfURLs}} class can have multiple {{memberURL}} attributes, each one consisting of an LDAP URL that enumerates a set of objects in the directory. The members of the group are the union of these sets. For example, the following group contains just one member URL:
{code}
ldap:///o=mcom.com??sub?(department=marketing)
{code}
This example describes a set that consists of all objects below "{{o=mcom.com}}" whose department is "marketing." The LDAP URL can contain a search base DN, a scope and a filter, but not a hostname and port. This means that you can only refer to objects on the same LDAP server. All scopes are supported.
The DNs are included automatically, without your having to add each individual to the group. The group changes dynamically, because Web Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.
{info:title=Note - }Web Server uses the {{cn (commonName)}} attribute as group name for ACLs. {info}
The mapping from an ACL to an LDAP database is defined both in the {{dbswitch.conf}} configuration file (which associates the ACL database names with actual LDAP database URLs) and in the ACL file (which defines which databases are to be used for which ACL). For example, if you want to base access rights on membership in a group named "staff," the ACL code looks up an object that has an object class of {{groupOf<anything>}} and a CN set to "{{staff}}." The object defines the members of the group, either by explicitly enumerating the member DNs (as is done with {{groupOfUniqueNames}} for static groups), or by specifying LDAP URLs (for example, {{groupOfURLs}}).
There is a server performance impact when using dynamic groups. If you are testing group membership, and the DN is not a member of a static group, Web Server checks all dynamic groups in the database’s baseDN. For each {{memberURL}}, Web Server first checks whether its baseDN and scope cover the DN of the user, and then performs a base search using the user DN as the baseDN and the filter of the {{memberURL}}. This procedure can amount to a large number of individual searches.
h4. Guidelines for Creating Dynamic Groups
Consider the following guidelines when using the Administration Server to create new dynamic groups:
* Dynamic groups cannot contain other groups.
* Enter the group’s LDAP URL using the following format (without host and port information, since these parameters are ignored):
{code}
ldap:///<basedn>?<attributes>?<scope>?<(filter)>
{code}
The required parameters are described in the following table:
Table 8-1 Dynamic Groups: Required Parameters
||Parameter Name||Description||
|{{<base_dn>}}|The Distinguished Name (DN) of the search base, that is, the point from which all searches are performed in the LDAP directory. This parameter is often set to the suffix or root of the directory, such as "{{o=mcom.com}}".|
|{{<attributes>}}|A list of the attributes to be returned by the search. To specify more than one, use commas to delimit the attributes (for example, "{{cn,mail,telephoneNumber}}"); if no attributes are specified, all attributes are returned. Note that this parameter is ignored for dynamic group membership checks.|
|{{<scope>}}|The scope of the search, which can be one of these values: {{base}} retrieves information only about the distinguished name ({{<base_dn>}}) specified in the URL; {{one}} retrieves information about entries one level below {{<base_dn>}}, not including the base entry itself; {{sub}} retrieves information about entries at all levels below {{<base_dn>}}, including the base entry. This parameter is required.|
|{{<(filter)>}}|Search filter to apply to entries within the specified scope of the search. If you are using the Administration Server forms, you must specify this attribute. Note that the parentheses are required. This parameter is required.|
Note that the {{<attributes>}}, {{<scope>}}, and {{<(filter)>}} parameters are identified by their positions in the URL. If you do not want to specify any attributes, you still need to include the question marks delimiting that field.
* You can optionally also add a description for the new group.
* If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or topmost entry.
{toc-zone}
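The following Python is an added example, not code from the Web Server documentation or product: it models the two-step membership check described under How Web Server Implements Dynamic Groups (baseDN/scope check, then a base search with the {{memberURL}} filter) and the {{memberURL}} format from the table above, against a small constructed set of directory entries. The sample entries and the equality-only filter evaluator are assumptions of the example.

```python
# Added example: dynamic-group membership check modelled on the documented procedure.
from urllib.parse import unquote

def parse_member_url(url):
    """Split ldap:///<basedn>?<attributes>?<scope>?<(filter)> into its fields."""
    if not url.startswith("ldap:///"):
        raise ValueError("host and port are ignored by Web Server; use ldap:///")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))              # missing trailing fields are empty
    base, attrs, scope, filt = (unquote(p) for p in parts[:4])
    scope = scope.lower() or "base"               # RFC 2255 default scope
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub")
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    # <attributes> is parsed but ignored for membership checks, as the table notes
    return base, attrs, scope, filt[1:-1]

def _rdns(dn):
    return [r.strip().lower() for r in dn.split(",")]

def dn_in_scope(user_dn, base_dn, scope):
    """Step 1: does the memberURL's baseDN and scope cover the user's DN?"""
    u, b = _rdns(user_dn), _rdns(base_dn)
    if u[-len(b):] != b:                          # user DN is not under the base
        return False
    depth = len(u) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def matches_filter(entry, filt):
    """Step 2: a base search on the user's own entry with a simple (attr=value)
    or (attr=*) filter. AND/OR/NOT filters are not modelled (assumption)."""
    attr, _, value = filt.partition("=")
    values = [str(v).lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def is_member(user_dn, entry, member_url):
    base, _attrs, scope, filt = parse_member_url(member_url)
    return dn_in_scope(user_dn, base, scope) and matches_filter(entry, filt)

# Constructed sample entries (keys are attribute names in lower case).
DIRECTORY = {
    "uid=asmith,ou=Sales,o=Airius.com": {"uid": ["asmith"], "department": ["sales"]},
    "uid=bjones,ou=Marketing,o=Airius.com": {"uid": ["bjones"], "department": ["marketing"]},
    "uid=ckim,ou=East,ou=Sales,o=Airius.com": {"uid": ["ckim"], "department": ["sales"]},
}

def members_of(member_url):
    """Union of entries matched by one memberURL, in the sense of the doc."""
    return sorted(dn for dn, e in DIRECTORY.items() if is_member(dn, e, member_url))
```

Because step 1 rejects DNs outside the base before any search is issued, a {{sub}} URL with a broad base (such as the directory suffix) forces a search for nearly every user, which is the performance cost the section describes.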
{toc-zone}