Does CA Directory support nested groups?

Document ID : KB000054444
Last Modified Date : 14/02/2018

Description

Nested groups are a configuration in which a static group is itself a member of a parent group entry. CA Directory does not support defining group membership in this way. However, CA Directory does support dynamic groups. The LDAP search filter within the dynamic group entry can be constructed to cover multiple "groups" of users. This techdoc explains how dynamic groups can be implemented.

Solution:

In this scenario, the business requirement is for the directory administrator to configure a dynamic group that assigns all users under the subtree of "o=Democorp1,c=au" that have a "businessCategory" attribute value of "A" or "B" to the dynamic group called "Administrators".

Previously, the entries that have a businessCategory of "A" or "B" would be stored in separate static groups, but due to the fact that they need to be assigned with the same level of access, they can be incorporated into the same dynamic group.

The prerequisite for this scenario is that each user entry already contains a distinguishing attribute value that can be used either to include the user in the dynamic group or, conversely, to exclude the user from it.

The entries in the DIT structure that have a businessCategory of "A" or "B" are:

dn: cn=Dominic MAJOR,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
objectClass: inetOrgPerson
businessCategory: B
cn: Dominic MAJOR
description: Word Processing
mail: Dominic.MAJOR@DEMOCORP1.com
postalAddress: 13-15 Desailly Cres$Melbourne VIC
postalCode: 3000
sn: MAJOR
title: Software Manager

dn: cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
objectClass: inetOrgPerson
businessCategory: A
cn: Craig LINK
description: Product Distribution
mail: Craig.LINK@DEMOCORP1.com
postalAddress: 83 Venton Road$Hobart TAS
postalCode: 7000
sn: LINK
telephoneNumber: 544 3697
title: Group Secretary

In order to configure CA Directory to have a dynamic group that matches the requirements, the following steps need to be performed.

  1. Add the following configuration item to the DSA's settings file:

     clear dynamic-group;          # This clears any pre-existing dynamic group configuration
     set dynamic-group ADMINISTRATORS = {
         object-class = dxDynamicGroupofUniqueNames
         url-attr = dxMemberURL
         member-attr = uniqueMember
     };

    The dynamic group rule above configures a dynamic group definition with a label of "Administrators".
    Note: The url-attr must be a MUST or MAY contain attribute of the object class. The url-attr must have a string syntax.
    Note: The member-attr must have a distinguishedName syntax.

  2. Add an entry into your DIT that contains the objectclasses of "groupOfUniqueNames" and "dxDynamicGroupofUniqueNames".

    dn: cn=Administrators,ou=groups,o=democorp1,c=AU
    objectClass: dxDynamicGroupofUniqueNames
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: Administrators
    dxMemberURL: ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B))

    In the "dxMemberURL" attribute, define an LDAP URL that conforms to RFC 2255, with a valid subtree (base DN), scope and LDAP search filter.

  3. Once the group is added and the dynamic group configuration rule has been defined, stop and start the DSA.

  4. When the DSA is restarted, perform a base-object search of the dynamic group itself to display the dynamically populated entry:
    Here is an LDIF representation of the dynamic group entry.

    dn: cn=Administrators,ou=Groups,o=democorp1,c=AU
    objectClass: dxDynamicGroupofUniqueNames
    objectClass: groupOfUniqueNames
    objectClass: top
    cn: Administrators
    dxMemberURL: ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B))
    uniqueMember: cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
    uniqueMember: cn=Dominic MAJOR,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU

  5. In order to confirm that your dynamic group search is being performed correctly, trace the DSA using the "set trace=all;" debug trace command prior to performing the base-object search. The trace below is what you should see (some of the trace has been removed to aid reading).

    UserRetrieveDynamicGroups,
    performing dynamic group search with URL LDAP:///O=DEMOCORP,C=AU??SUB?(|(BUSINESSCATEGORY=A)
    (BUSINESSCATEGORY=B))
    <- #0 CONSOLE SEARCH-REQ
    invoke-id = 45 credit = 0
    Base object:
    <countryName "AU">
    <organizationName "DEMOCORP1">
    Search subset: Whole subtree
    Filter:
    or {
    businessCategory = "A"
    businessCategory = "B"

    }
    Don't Search Aliases
    Attributes to return: (none)
    flags = IDU_FLAGS_NO_AC
    flags = IDU_FLAGS_DYNAMIC_GROUPS
    ----------UserRequest (000/045)----------20090310.150738.680 userRequest UserCreateOp(000/045) opList.lnk_cnt=2 authClass is 0 (assoc 0) ForwardOrPerform
    RemoteGetTargetDsa
    Candidate is: test
    getCandidateDsa: local operation
    Candidate DSA is: test
    UserLocalRequest
    UserProcessDynamicGroup

    <- CONSOLE SEARCH-CONFIRM 
    invoke-id = 45 credit = 0
    Entry:
    <countryName "AU">
    <organizationName "DEMOCORP1">
    <organizationalUnitName "Corporate">
    <organizationalUnitName "Administration">
    <commonName "Craig LINK">

    Contents: (none)

    Entry:
    <countryName "AU">
    <organizationName "DEMOCORP1">
    <organizationalUnitName "Corporate">
    <organizationalUnitName "Administration">
    <commonName "Dominic MAJOR">

    Contents: (none)
    UserFreeOp(000/045)
    ----------userSendIdu (000/045)----------20090310.150738.696

    -> #0 LDAP SEARCH-CONFIRM 
    invoke-id = 45 credit = 1
    Entry:
    <countryName "AU">
    <organizationName "acmeOrg">
    <organizationalUnitName "Groups">
    <commonName "test">

    Contents:
    (commonName "test")
    (objectClass dxDynamicGroupofUniqueNames, groupOfUniqueNames, top)
    (dxMemberURL " ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B ))")
    (uniqueMember
    <countryName "AU">
    <organizationName "DEMOCORP1">
    <organizationalUnitName "Corporate">
    <organizationalUnitName "Administration">
    <commonName "Craig LINK">


    , <countryName "AU"> <organizationName "DEMOCORP1"> <organizationalUnitName "Corporate"> <organizationalUnitName "Administration"> <commonName "Dominic MAJOR">
    )
    --> LDAP MESSAGE messageID 45
    SearchResultEntry
    objectName: cn=Administrators,ou=Groups,o=Democorp1,c=AU
    attributes
    type: cn
    value: Administrators
    type: objectClass
    value: dxDynamicGroupofUniqueNames
    value: groupOfUniqueNames
    value: top
    type: dxMemberURL
    value:ldap:///o=democorp1,c=au??sub?(|(businessCategory=A)(businessCategory=B )) type: uniqueMember
    value: cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
    value: cn=Dominic MAJOR,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU
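The dxMemberURL from step 2 and the uniqueMember values it produces in step 4 can be sanity-checked before the DSA is restarted. The following is an added example, not CA Directory's own code: it parses the LDAP URL (the RFC 2255 shape ldap://host/base?attrs?scope?filter), evaluates a small LDAP filter subset, and reports which of a constructed set of sample entries would be populated into the group. The sample entries, lowercase attribute keys, and the absence of escaped DN commas and parentheses inside filter values are all assumptions of the example.

```python
"""Predict CA Directory dynamic-group membership offline from a dxMemberURL. Added example, not
CA Directory code; assumes lowercase attribute keys, unescaped DN commas, no ')' in filter values."""
from urllib.parse import unquote

ENTRIES = {  # constructed sample DIT mirroring the techdoc's entries; not real directory data
    "cn=Dominic MAJOR,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU": {"businesscategory": ["B"]},
    "cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP1,c=AU": {"businesscategory": ["A"]},
    "cn=Jane DOE,ou=Sales,o=DEMOCORP1,c=AU": {"businesscategory": ["C"]},
    "cn=Administrators,ou=Groups,o=DEMOCORP1,c=AU": {"objectclass": ["groupOfUniqueNames"]},
}

def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter (RFC 2255) into (base DN, scope, filter)."""
    assert url.lower().startswith("ldap://"), "not an ldap:// URL: %r" % url
    _host, _, rest = url[len("ldap://"):].partition("/")
    base, _attrs, scope, flt = (unquote(rest).split("?") + [""] * 4)[:4]
    return base, (scope or "base").lower(), flt or "(objectClass=*)"   # RFC 2255 defaults

def parse_filter(s, i=0):
    """Recursive-descent parse of the filter at s[i]; returns (node, index after it)."""
    assert s[i] == "(", "expected '(' at offset %d in %r" % (i, s)
    if s[i + 1] in "&|!":                 # composite: (&(..)(..)), (|(..)(..)), (!(..))
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # step over the closing ')'
    end = s.index(")", i)                 # simple item: attr=value (or attr=* presence test)
    attr, _, val = s[i + 1:end].partition("=")
    return ("=", attr.strip().lower(), val.strip()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; values compare case-insensitively, like caseIgnoreMatch."""
    op = node[0]
    if op in "&|": return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    vals = entry.get(node[1], [])       # attribute absent -> equality is false, so (!(..)) is true
    return bool(vals) if node[2] == "*" else any(v.lower() == node[2].lower() for v in vals)

def in_scope(dn, base, scope):
    """True when dn lies within the base/one/sub scope rooted at base."""
    dn, base = (",".join(c.strip().lower() for c in d.split(",")) for d in (dn, base))
    if dn == base: return scope in ("base", "sub")   # one-level excludes the base entry itself
    if scope == "base" or not dn.endswith("," + base): return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]   # one-level: no extra RDN

def dynamic_members(member_url, entries=ENTRIES):
    """DNs the DSA would populate into uniqueMember for this dxMemberURL."""
    base, scope, flt = parse_ldap_url(member_url)
    node, _ = parse_filter(flt)
    return sorted(dn for dn, a in entries.items() if in_scope(dn, base, scope) and matches(node, a))
```

Running dynamic_members on the techdoc's URL returns the two Administration DNs and leaves out the category-C entry and the group entry, matching the uniqueMember values shown in step 4.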