How can I implement dynamic groups within CA Directory?
search cancel

How can I implement dynamic groups within CA Directory?

book

Article ID: 52661

calendar_today

Updated On:

Products

CA Directory CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

This techdoc guides you through the process of configuring dynamic groups and creating a dynamic group entry in a CA Directory DIT. This techdoc uses both "groupOfURLs" and "dxDynamicGroupOfNames" objectClasses to illustrate the flexibility that is available.

Solution:

Here are two different dynamic group configurations that illustrate the simplicity of configuring and using dynamic groups. These are based upon the "Democorp" sample DSA's schema.

The first dynamic group is based on the groupOfURLs objectClass.

  1. Dynamic Groups configuration (add to $DXHOME/config/servers/democorp.dxi towards the end)

    clear dynamic-group;

    set dynamic-group group1= {
    objectclass = groupOfURLs
    url-attr = memberURL
    member-attr = seeAlso
    };

  2. Include the $DXHOME/config/schema/iplanet.dxc into the Democorp DSA's configuration. Resolve any duplications in schema or other schema issues that may result.

  3. Start the Democorp DSA

  4. Add the LDIF entries into the Democorp DIT:

    version: 1
    dn: ou=Groups,o=Democorp,c=AU
    objectClass: organizationalUnit
    objectClass: top
    ou: Groups

    dn: cn=group1,ou=Groups,o=Democorp,c=AU
    objectClass: groupOfURLs
    objectClass: top
    cn: group1
    memberURL: ldap:///o=Democorp,c=AU??sub?(title=* supervisor)

  5. When the group entry is evaluated, the candidate members are populated into the seeAlso attribute.

    The second example is using the out of the box groupOfNames and dxDynamicGroupOfNames OC's.

    1. Dynamic Groups configuration (add to $DXHOME/config/servers/democorp.dxi towards the end)

      clear dynamic-group;

      set dynamic-group group2= {
      objectclass = dxDynamicGroupOfNames
      url-attr = dxMemberURL
      member-attr = member
      };

    2. Start the Democorp DSA

    3. Add the LDIF entries into the Democorp DIT:

      version: 1
      dn: ou=Groups,o=Democorp,c=AU
      objectClass: organizationalUnit
      objectClass: top
      ou: Groups

      dn: cn=dxDyngroup,ou=Groups,o=Democorp,c=AU
      objectClass: dxDynamicGroupOfNames
      objectClass: groupOfNames
      objectClass: top
      cn: dxDyngroup
      dxMemberURL: ldap:///o=Democorp,c=AU??sub?(title=* supervisor)

    4. When the group entry is evaluated, the candidate members are populated into the member attribute.

Please note that when defining your dynamic group configuration entry, the member-URL attribute has to be of a string syntax (e.g. caseIgnoreString, directoryString, etc), and the member attribute has to be of a distinguishedName syntax (e.g. member).

Environment

Release:
Component: ETRDIR
Powered by Wolken Software