Does CA Directory support nested groups?



Article ID: 54444


Updated On:


Products: CA Directory, CA Security Command Center, CA Data Protection (DataMinder), CA User Activity Reporting



Nested groups are a configuration in which a static group is itself a member of a parent group entry. CA Directory does not support defining group membership in this way. However, CA Directory does have the capability of defining dynamic groups. The LDAP search filter within the dynamic group entry can be constructed to support multiple "groups" of users. This techdoc explains how dynamic groups can be implemented.


In this scenario, the business requirement is for the directory administrator to configure a dynamic group that assigns all users under the subtree of "o=Democorp1,c=au" that have a "businessCategory" attribute value of "A" or "B" to the dynamic group called "Administrators".

Previously, the entries that have a businessCategory of "A" or "B" would be stored in separate static groups, but due to the fact that they need to be assigned with the same level of access, they can be incorporated into the same dynamic group.

The pre-requisite for this scenario is for each user entry to already contain a distinguishing attribute value that can be used to either include him/her in the dynamic group, or conversely, exclude him/her from the group.

The entries in the DIT structure that have a businessCategory of "A" or "B" are:

dn: cn=Dominic MAJOR,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
objectClass: inetOrgPerson
businessCategory: B
cn: Dominic MAJOR
description: Word Processing
mail: Dominic.[email protected]
postalAddress: 13-15 Desailly Cres$Melbourne VIC
postalCode: 3000
title: Software Manager

dn: cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
objectClass: inetOrgPerson
businessCategory: A
cn: Craig LINK
description: Product Distribution
mail: [email protected]
postalAddress: 83 Venton Road$Hobart TAS
postalCode: 7000
sn: LINK
telephoneNumber: 544 3697
title: Group Secretary

In order to configure CA Directory to have a dynamic group that matches the requirements, the following steps need to be performed.

  1. Add the following configuration item to the DSA's settings file:
     clear dynamic-group;                                 # This clears any pre-existing dynamic group configuration
     set dynamic-group ADMINISTRATORS = {
         object-class = dxDynamicGroupofUniqueNames
         url-attr = dxMemberURL
         member-attr = uniqueMember
     };
    The dynamic group rule above configures a dynamic group definition with a label of "Administrators".
    Note: The url-attr must be a MUST or MAY contain attribute of the object class. The url-attr must have a string syntax.
    Note: The member-attr must have a distinguishedName syntax.

  2. Add an entry into your DIT that contains the object classes "groupOfUniqueNames" and "dxDynamicGroupofUniqueNames".

    dn: cn=Administrators,ou=groups,o=democorp1,c=AU
    objectClass: dxDynamicGroupofUniqueNames
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: Administrators
    dxMemberURL: ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B))
    In the "dxMemberURL" attribute, define an LDAP search filter that conforms to RFC2255, and has the valid subtree, scope and LDAP search filter defined.

  3. Once the group is added and the dynamic group configuration rule has been defined, stop and start the DSA.

  4. When the DSA is restarted, perform a base-object search of the dynamic group itself to display the dynamically populated entry:
    Here is an LDIF representation of the dynamic group entry.

    dn: cn=Administrators,ou=Groups,o=democorp1,c=AU
    objectClass: dxDynamicGroupofUniqueNames
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: Administrators
    dxMemberURL: ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B))
    uniqueMember: cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
    uniqueMember: cn=Dominic MAJOR,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU

  5. In order to confirm that your dynamic group search is being performed correctly, trace the DSA using the "set trace=all;" debug trace command prior to performing the base-object search. The trace below is what you should see (some of the trace has been removed to aid reading).

    performing dynamic group search with URL LDAP:///O=DEMOCORP,C=AU??SUB?(|(BUSINESSCATEGORY=A)
    invoke-id = 45 credit = 0
    Base object:
    <countryName "AU">
    <organizationName "DEMOCORP1">
    Search subset: Whole subtree
    or {
    businessCategory = "A"
    businessCategory = "B"

    Don't Search Aliases
    Attributes to return: (none)
    flags = IDU_FLAGS_NO_AC
    ----------UserRequest (000/045)----------20090310.150738.680 userRequest UserCreateOp(000/045) opList.lnk_cnt=2 authClass is 0 (assoc 0) ForwardOrPerform
    Candidate is: test
    getCandidateDsa: local operation
    Candidate DSA is: test

    invoke-id = 45 credit = 0
    <countryName "AU">
    <organizationName "DEMOCORP1">
    <organizationalUnitName "Corporate">
    <organizationalUnitName "Administration">
    <commonName "Craig LINK">

    Contents: (none)

    <countryName "AU">
    <organizationName "DEMOCORP1">
    <organizationalUnitName "Corporate">
    <organizationalUnitName "Administration">
    <commonName "Dominic MAJOR">

    Contents: (none)
    ----------userSendIdu (000/045)----------20090310.150738.696

    invoke-id = 45 credit = 1
    <countryName "AU">
    <organizationName "acmeOrg">
    <organizationalUnitName "Groups">
    <commonName "test">

    (commonName "test")
    (objectClass dxDynamicGroupofUniqueNames, groupOfUniqueNames, top)
    (dxMemberURL " ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B ))")
    <countryName "AU">
    <organizationName "DEMOCORP1">
    <organizationalUnitName "Corporate">
    <organizationalUnitName "Administration">
    <commonName "Craig LINK">

    , <countryName "AU"> <organizationName "DEMOCORP1"> <organizationalUnitName "Corporate"> <organizationalUnitName "Administration"> <commonName "Dominic MAJOR">
    --> LDAP MESSAGE messageID 45
    objectName: cn=Administrators,ou=Groups,o=Democorp1,c=AU
    type: cn
    value: Administrators
    type: objectClass
    value: dxDynamicGroupofUniqueNames
    value: groupOfUniqueNames
    value: top
    type: dxMemberURL
    value: ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B ))
    type: uniqueMember
    value: cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
    value: cn=Dominic MAJOR,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
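Because the dynamic group's membership is whatever the dxMemberURL matches at search time, a filter that is broader than intended silently widens who is in "Administrators", and the only feedback the DSA gives is the trace shown in step 5 after a restart. The script below is an added example (not CA Directory code and not from this article): it parses the RFC 2255 URL from step 2 (base, attributes, scope, filter), evaluates the filter subset used here (equality, presence, and the &, |, ! operators) against constructed entries modelled on the two users above plus two extra constructed users, and reports which DNs the DSA would publish as uniqueMember. DN comparison is a simplified case-insensitive RDN match (escaped commas are not handled), which is an assumption of this example, not CA Directory behaviour.

```python
"""Offline check of a CA Directory dynamic-group URL (added example, not product code)."""
from urllib.parse import unquote

# Constructed sample entries: the two article users plus two extra users
# (Jane DOE and Outsider) invented here to exercise the scope and filter checks.
SAMPLE_ENTRIES = [
    {"dn": "cn=Dominic MAJOR,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU",
     "objectClass": ["inetOrgPerson"], "businessCategory": ["B"]},
    {"dn": "cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU",
     "objectClass": ["inetOrgPerson"], "businessCategory": ["A"]},
    {"dn": "cn=Jane DOE,ou=Sales,o=DEMOCORP1,c=AU",          # constructed: in subtree, category C
     "objectClass": ["inetOrgPerson"], "businessCategory": ["C"]},
    {"dn": "cn=Outsider,o=OTHERORG,c=AU",                    # constructed: category A but outside base
     "objectClass": ["inetOrgPerson"], "businessCategory": ["A"]},
]

MEMBER_URL = "ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B))"


def parse_ldap_url(url):
    """Split an RFC 2255 URL  ldap://host/base?attrs?scope?filter  into its parts.
    Defaults follow the RFC: scope 'base', filter '(objectClass=*)'."""
    scheme, _, rest = url.partition("://")
    if scheme.lower() != "ldap":
        raise ValueError("only ldap:// URLs are supported")
    _host, _, rest = rest.partition("/")
    parts = rest.split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, flt = (unquote(p) for p in parts[:4])
    scope = (scope or "base").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unsupported scope {scope!r}")
    return {"base": base, "attrs": attrs, "scope": scope,
            "filter": flt or "(objectClass=*)"}


def dn_rdns(dn):
    """Simplified DN split: lower-cased RDNs, no escaped-comma handling (assumption)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base, scope):
    """True if entry_dn lies under base according to the LDAP URL scope."""
    e, b = dn_rdns(entry_dn), dn_rdns(base)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def parse_filter(s, pos=0):
    """Recursive-descent parser for equality/presence filters combined with & | !.
    Returns (node, next_pos); values containing ')' are not supported."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if s[pos] in "&|!":
        op, pos, kids = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            kids.append(node)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, kids), pos + 1
    end = s.index(")", pos)
    attr, eq, val = s[pos:end].partition("=")
    if not eq:
        raise ValueError("only equality and presence filters are supported")
    return ("=", attr.strip().lower(), val.strip()), end + 1


def matches(entry, node):
    """Evaluate a parsed filter node against one entry (attribute names case-insensitive)."""
    kind = node[0]
    if kind == "=":
        _, attr, val = node
        values = [v for k, vs in entry.items() if k != "dn" and k.lower() == attr for v in vs]
        return bool(values) if val == "*" else any(v.lower() == val.lower() for v in values)
    kids = node[1]
    if kind == "&":
        return all(matches(entry, k) for k in kids)
    if kind == "|":
        return any(matches(entry, k) for k in kids)
    return not matches(entry, kids[0])


def resolve_members(member_url, entries):
    """Return, sorted, the DNs the DSA would publish as uniqueMember for this URL."""
    url = parse_ldap_url(member_url)
    node, end = parse_filter(url["filter"])
    if end != len(url["filter"]):
        raise ValueError("trailing characters after filter")
    return sorted(e["dn"] for e in entries
                  if in_scope(e["dn"], url["base"], url["scope"]) and matches(e, node))


if __name__ == "__main__":
    for dn in resolve_members(MEMBER_URL, SAMPLE_ENTRIES):
        print("uniqueMember:", dn)
```

Run it before the restart in step 3 to see the membership the URL will produce; compare the printed list with the uniqueMember values the base-object search returns in step 4. Widening the filter to (objectClass=*) in the same script shows Jane DOE joining the group, which is the kind of over-broad match worth catching before it reaches production.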


Release: ESPDIR99000-8.1-Extended Support Plus-for CA Directory