r12.0 SP3: How is the "memberOf" functionality configured?

Document ID : KB000022359
Last Modified Date : 14/02/2018

Summary:

Support for the "memberOf" functionality is new in r12.0 SP3. This knowledge document explains how to configure and test the feature.

Instructions:

Configuring the MemberOf Functionality

The steps required to configure the "memberOf" functionality are summarized as:

  1. Add the activation commands to the DSA's configuration
  2. Add the "nsroaming.dxc" and "sunone.dxc" schema to the DSA's configuration

Add the activation commands to the DSA's configuration

The following two commands need to be added to the settings file of the DSA.

     set memberof-user-containers = <c AU><o Democorp><ou Users>;
     set memberof-group-containers = <c AU><o Democorp><ou Groups>;

Please note: the two DNs must be the top-level subtrees that contain your users and groups respectively. Remember that the container DNs are written in X.500 (top-down) order, which is the reverse of the leaf-first order used in LDAP DN strings.

Add the "nsroaming.dxc" and "sunone.dxc" schema to the DSA's configuration (NOTE: the sourcing order matters)

Add the schema configuration file "sunone.dxc" to the relevant DSA's schema group file. e.g. the default.dxg schema file would look like:

     # Computer Associates config/schema/default.dxg
     # $Revision: 4.22 $
     # Useful schema definitions.
     # This is a read-only default configuration file. If you need to make changes,
     # copy this file and reference the new file from servers/<dsa>.dxi
     #

     source "x500.dxc";
     source "cosine.dxc";
     source "umich.dxc";
     source "inetop.dxc";
     source "dxserver.dxc";
     source "nsroaming.dxc";
     source "sunone.dxc";

Save the file after editing and run "dxsyntax" to ensure that the edit has not introduced any configuration errors. If "dxsyntax" reports errors, start the DSA with the "-d" switch to see the details of the errors, then fix them.
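As a check a practitioner can run before "dxsyntax", the following Python reads a .dxg schema group file and verifies that "nsroaming.dxc" and "sunone.dxc" are both sourced, in the order shown above (nsroaming.dxc before sunone.dxc), and that every source line is well formed. This is an example added here, not part of this document or the product; the sample file content is constructed, and the assumption that a .dxg file contains only comment lines and `source "file";` statements is a simplification made for the example.

```python
import re

# Constructed sample of a DSA schema group file (default.dxg) with the two
# memberOf schema files sourced in the required order. Assumed content, not
# the product's shipped file.
SAMPLE_DXG = """\
# Useful schema definitions.
source "x500.dxc";
source "cosine.dxc";
source "umich.dxc";
source "inetop.dxc";
source "dxserver.dxc";
source "nsroaming.dxc";
source "sunone.dxc";
"""

# Simplified .dxg grammar assumed here: a source statement is
#   source "<file>";
SOURCE_RE = re.compile(r'^\s*source\s+"([^"]+)"\s*;\s*$')


def sourced_files(dxg_text):
    """Return the schema files sourced by a .dxg file, in order.

    Comment lines (#) and blank lines are skipped; any other line that is
    not a well-formed `source "file";` statement raises ValueError, which
    catches the classic mistake of a missing trailing semicolon."""
    files = []
    for lineno, line in enumerate(dxg_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SOURCE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a valid source statement: {stripped!r}")
        files.append(m.group(1))
    return files


def check_memberof_schema(dxg_text):
    """Check that nsroaming.dxc and sunone.dxc are both sourced, nsroaming first.

    Returns a list of problems; an empty list means the file is acceptable."""
    try:
        files = sourced_files(dxg_text)
    except ValueError as e:
        return [str(e)]
    problems = [f"{needed} is not sourced"
                for needed in ("nsroaming.dxc", "sunone.dxc") if needed not in files]
    if not problems and files.index("nsroaming.dxc") > files.index("sunone.dxc"):
        problems.append("nsroaming.dxc must be sourced before sunone.dxc")
    return problems


if __name__ == "__main__":
    print(check_memberof_schema(SAMPLE_DXG) or "schema group file OK")
```

To check a real file, read it into a string and pass it to `check_memberof_schema`; an empty result means both files are present in the right order and every source line parsed.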

Testing the MemberOf Functionality

The steps required to test the "memberOf" functionality are summarised as:

  1. Add a group entry
  2. Add a user to a group
  3. Remove a user from a group

Add a group entry

The group entry can use either the groupOfNames or the groupOfUniqueNames objectClass.

Scenario Example:

groupOfNames entry: cn=Admins,ou=Groups,o=Democorp,c=AU

Add a user to a group

Adding the user's DN to the "member" attribute of the group entry triggers the "memberOf" functionality, as the following debug trace shows.

Scenario Example:

User entry: cn=Craig LINK,ou=Administration,ou=Corporate,o=Democorp,c=AU

     > [136] <-- LDAP MESSAGE messageID 12 
     > [136] ModifyRequest 
     > [136]  object: cn=Admins,ou=Groups,o=Democorp,c=AU 
     > [136]  modification 
     > [136]   operation: add 
     > [136]   modification 
     > [136]    type: member 
     > [136]    value: cn=Craig LINK,ou=Administration,ou=Corporate,o=Democorp,c=AU 
     > [136] controls: 
     > [136]   controlType: 2.16.840.1.113730.3.4.2 
     > [136]   non-critical 
     > [136] 

The above trace shows the member value being added to the group entry.

     ! [136] memberOf: group update has triggered a memberOf update
     ! [136] memberOf: performGroupLookup
     ! [136] memberOf: Performing group lookup
     ! [136] 
     > [136] <- #0 CONSOLE SEARCH-REQ
     > [136]  invoke-id = 12   credit = 5
     > [136]     Base object:
     > [136]         <countryName "AU">
     > [136]         <organizationName "Democorp">
     > [136]         <organizationalUnitName "Groups">
     > [136]         <commonName "Admins">
     > [136]     Search subset: Base object only
     > [136]     Attributes to return:  (none)
     > [136]  flags = IDU_FLAGS_MEMBER_OF
 
     > [136] -> CONSOLE SEARCH-CONFIRM
     > [136]  invoke-id = 12   credit = 0
     > [136]     Entry: 1382 
     > [136]         <countryName "AU">
     > [136]         <organizationName "Democorp">
     > [136]         <organizationalUnitName "Groups">
     > [136]         <commonName "Admins">
     > [136]     Contents:  (none)
     > [136] 
     > [136] 

The above trace shows the "memberOf" functions being triggered and the DN of the group itself being determined. The group DN is used in the next internal directory operation.

     ! [136] memberOf: performMemberUpdates
     ! [136] 
     > [136] <- #0 CONSOLE MOD-ENTRY-REQ
     > [136]  invoke-id = 12   credit = 5
     > [136]     Entry:
     > [136]         <countryName "AU">
     > [136]         <organizationName "Democorp">
     > [136]         <organizationalUnitName "Corporate">
     > [136]         <organizationalUnitName "Administration">
     > [136]         <commonName "Craig LINK">
     > [136]     Add-values:  (memberOf 
     > [136]                 <countryName "AU">
     > [136]                 <organizationName "Democorp">
     > [136]                 <organizationalUnitName "Groups">
     > [136]                 <commonName "Admins">
     > [136] )
     > [136]  flags = IDU_FLAGS_NO_AC
     > [136]  flags = IDU_FLAGS_NO_SCHEMA
     > [136]  flags = IDU_FLAGS_MEMBER_OF
     > [136] 

The above trace shows the group DN being added to the user's "memberOf" attribute.

     ! [136] memberOf: perform original update
     ! [136] UserLocalRequest    

Once the memberOf value has been added to the user's entry, the original modification (the user DN being added to the group entry) is performed. This ordering ensures that the group entry and the user entry remain consistent with each other.

A search of the group entry after the modification confirms that the user's DN exists in the "member" attribute:

     > [4] --> LDAP MESSAGE messageID 15
     > [4] SearchResultEntry
     > [4]  objectName: cn=Admins,ou=Groups,o=Democorp,c=AU
     > [4]  attributes
     > [4]   type: cn
     > [4]   value: Admins
     > [4]   type: objectClass
     > [4]   value: groupOfNames
     > [4]   value: top
     > [4]   type: member
     > [4]   value: cn=Craig LINK,ou=Administration,ou=Corporate,o=Democorp,c=AU

And a search of the user's entry shows that the "memberOf" attribute has been updated:

     > [120] --> LDAP MESSAGE messageID 14
     > [120] SearchResultEntry
     > [120]  objectName: cn=Craig LINK,ou=Administration,ou=Corporate,o=Democorp,c=AU
     > [120]  attributes
     > [120]   type: objectClass
     > [120]   value: inetOrgPerson
     > [120]   type: cn
     > [120]   value: Craig LINK
     > [120]   type: memberOf
     > [120]   value: cn=Admins,ou=Groups,o=Democorp,c=AU

Remove a user from a group

Removing the user's DN from the "member" attribute of the group entry also triggers the "memberOf" functionality, as the following debug trace shows.

     > [240] <-- LDAP MESSAGE messageID 38
     > [240] ModifyRequest
     > [240]  object: cn=Admins,ou=Groups,o=Democorp,c=AU
     > [240]  modification
     > [240]   operation: delete
     > [240]   modification
     > [240]    type: member
     > [240]    value: cn=Craig Link,ou=Users,o=Democorp,c=AU

The above operation shows the removal of "cn=Craig Link,ou=Users,o=Democorp,c=AU" from the "Admins" group.

     ! [240] memberOf: group update has triggered a memberOf update
     ! [240] memberOf: performGroupLookup
     ! [240] memberOf: Performing group lookup
     ! [240] 
     > [240] <- #1 CONSOLE SEARCH-REQ
     > [240]  invoke-id = 38   credit = 5
     > [240]     Base object:
     > [240]         <countryName "AU">
     > [240]         <organizationName "Democorp">
     > [240]         <organizationalUnitName "Groups">
     > [240]         <commonName "Admins">
     > [240]     Search subset: Base object only
     > [240]     Attributes to return:  (none)
     > [240]  flags = IDU_FLAGS_MEMBER_OF
 
     > [240] -> CONSOLE SEARCH-CONFIRM
     > [240]  invoke-id = 38   credit = 0
     > [240]     Entry: 9 
     > [240]         <countryName "AU">
     > [240]         <organizationName "Democorp">
     > [240]         <organizationalUnitName "Groups">
     > [240]         <commonName "Admins">
     > [240]     Contents:  (none)

The above trace shows the "memberOf" functions being triggered and the DN of the group itself being determined. The group DN is used in the next internal directory operation.

     > [240] <- #1 CONSOLE MOD-ENTRY-REQ
     > [240]  invoke-id = 38   credit = 5
     > [240]     Entry:
     > [240]         <countryName "AU">
     > [240]         <organizationName "Democorp">
     > [240]         <organizationalUnitName "Users">
     > [240]         <commonName "Craig Link">
     > [240]     Remove-values:  (memberOf
     > [240]                 <countryName "AU">
     > [240]                 <organizationName "Democorp">
     > [240]                 <organizationalUnitName "Groups">
     > [240]                 <commonName "Admins">
     > [240] )
     > [240]  flags = IDU_FLAGS_NO_AC
     > [240]  flags = IDU_FLAGS_NO_SCHEMA
     > [240]  flags = IDU_FLAGS_MEMBER_OF

The above trace shows the group DN being removed from the user's "memberOf" attribute.

     ! [240] memberOf: perform original update
     ! [240] UserLocalRequest

Once the memberOf value has been removed from the user's entry, the original modification (the user DN being removed from the group entry) is performed. This ordering ensures that the group entry and the user entry remain consistent with each other.

A search of the group entry after the modification confirms that the user's DN no longer exists in the "member" attribute:

     > [188] --> LDAP MESSAGE messageID 39
     > [188] SearchResultEntry
     > [188]  objectName: cn=Admins,ou=Groups,o=Democorp,c=AU
     > [188]  attributes
     > [188]   type: cn
     > [188]   value: Admins
     > [188]   type: objectClass
     > [188]   value: groupOfNames

And a search of the user's entry shows that the "memberOf" attribute has been updated:

     > [188] --> LDAP MESSAGE messageID 41
     > [188] SearchResultEntry
     > [188]  objectName: cn=Craig Link,ou=Users,o=Democorp,c=AU
     > [188]  attributes
     > [188]   type: cn
     > [188]   value: Craig Link
     > [188]   type: objectClass
     > [188]   value: inetOrgPerson
     > [188]   value: organizationalPerson
     > [188]   value: person
     > [188]   value: top
     > [188]   type: sn
     > [188]   value: test
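The following Python is an example added here; it is not CA Directory's code and does not reproduce the product's internals. It serves two passages above: it parses the two `memberof-*-containers` commands from the configuration step (converting the X.500 top-down form into LDAP leaf-first DNs) and it replays the add and remove scenarios from the test procedure in a toy in-memory DSA that follows the three phases visible in the traces (group lookup, memberOf update on the user, then the original update). It also shows the edge case the container settings create: a user outside `memberof-user-containers` gets no memberOf maintenance, which the included consistency check reports. The `Dsa` class, the `cn=Svc,ou=Services` entry and the naive comma-split DN parsing are constructed for the example.

```python
import re

# Constructed settings, copied from the configuration step above (X.500
# top-down form). The parser and the in-memory DSA below are an illustration
# added here, not CA Directory's own code.
SETTINGS = """\
set memberof-user-containers = <c AU><o Democorp><ou Users>;
set memberof-group-containers = <c AU><o Democorp><ou Groups>;
"""

RDN_RE = re.compile(r"<(\w+)\s+([^>]+)>")


def parse_containers(settings_text):
    """Turn each memberof-*-containers command into an LDAP-order DN
    (leaf first), lower-cased for comparison."""
    out = {"user": [], "group": []}
    pattern = r"set\s+memberof-(user|group)-containers\s*=\s*(.+?);"
    for kind, x500 in re.findall(pattern, settings_text):
        rdns = [f"{t}={v.strip()}" for t, v in RDN_RE.findall(x500)]
        out[kind].append(",".join(reversed(rdns)).lower())
    return out


def split_dn(dn):
    # Naive split on ','; assumes no escaped commas inside attribute values.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_container(dn, container):
    """True when dn is the container itself or lies below it."""
    d, c = split_dn(dn), split_dn(container)
    return len(d) >= len(c) and d[-len(c):] == c


class Dsa:
    """Toy in-memory DSA mirroring the three phases visible in the traces:
    group lookup, memberOf update on the user, then the original update."""

    def __init__(self, settings_text):
        self.containers = parse_containers(settings_text)
        self.entries = {}   # lower-cased DN -> {"dn": str, attr: set}
        self.log = []

    def add_entry(self, dn, attrs):
        self.entries[dn.lower()] = {"dn": dn, **{k: set(v) for k, v in attrs.items()}}

    def get(self, dn, attr):
        return self.entries[dn.lower()].get(attr, set())

    def _managed(self, group_dn, member_dn):
        # Both DNs must fall under their configured containers; a member that is
        # not an entry in this DSA is left alone (a choice made for the toy).
        return (any(in_container(group_dn, c) for c in self.containers["group"])
                and any(in_container(member_dn, c) for c in self.containers["user"])
                and member_dn.lower() in self.entries)

    def modify_group_member(self, group_dn, op, member_dn):
        """op is 'add' or 'delete', as in the ModifyRequest traces above."""
        if op not in ("add", "delete"):
            raise ValueError(f"unsupported op {op!r}")
        group = self.entries[group_dn.lower()]
        if self._managed(group_dn, member_dn):
            self.log.append(f"performGroupLookup {group['dn']}")      # phase 1
            user = self.entries[member_dn.lower()]
            member_of = user.setdefault("memberOf", set())
            (member_of.add if op == "add" else member_of.discard)(group["dn"])
            self.log.append(f"performMemberUpdates {user['dn']}")     # phase 2
        members = group.setdefault("member", set())
        (members.add if op == "add" else members.discard)(member_dn)
        self.log.append("perform original update")                    # phase 3

    def consistency_errors(self):
        """Cross-check member and memberOf in both directions; useful after a
        bulk load or an outage to find pairs the feature did not maintain."""
        errors = []
        for e in self.entries.values():
            for m in e.get("member", ()):
                u = self.entries.get(m.lower())
                if u is None or e["dn"] not in u.get("memberOf", ()):
                    errors.append(f"{m} lacks memberOf {e['dn']}")
            for g in e.get("memberOf", ()):
                grp = self.entries.get(g.lower())
                if grp is None or e["dn"] not in grp.get("member", ()):
                    errors.append(f"{e['dn']} has stale memberOf {g}")
        return errors


def demo():
    """Replays the add and remove scenarios from the page, plus one user
    outside memberof-user-containers, which the feature leaves alone."""
    dsa = Dsa(SETTINGS)
    group = "cn=Admins,ou=Groups,o=Democorp,c=AU"
    user = "cn=Craig Link,ou=Users,o=Democorp,c=AU"
    svc = "cn=Svc,ou=Services,o=Democorp,c=AU"   # constructed; outside the container
    dsa.add_entry(group, {"objectClass": ["top", "groupOfNames"]})
    dsa.add_entry(user, {"objectClass": ["top", "person", "inetOrgPerson"]})
    dsa.add_entry(svc, {"objectClass": ["top", "person"]})
    dsa.modify_group_member(group, "add", user)
    after_add = sorted(dsa.get(user, "memberOf"))
    dsa.modify_group_member(group, "add", svc)
    dsa.modify_group_member(group, "delete", user)
    return {"after_add": after_add,
            "after_delete": sorted(dsa.get(user, "memberOf")),
            "members": sorted(dsa.get(group, "member")),
            "errors": dsa.consistency_errors(),
            "log": dsa.log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The consistency check is the part worth keeping in a real environment: entries loaded before the feature was enabled, or users living outside the configured container, will not carry a memberOf value even though they appear in a group's "member" attribute, and any access decision that relies on memberOf alone will miss them.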