LDAP Dynamic Groups

Similar Messages

• How to retrieve members of  ldap dynamic groups?

  Hi,
  Can any one provide me the java-code snippet for listing the members(users) of a LDAP-dynamic group?
  Regards.

  How is this different from [your previous question|http://forums.sun.com/thread.jspa?threadID=5434523&messageID=10965220#10965220]? If it is the same queston, then please stay in the same thread.

• Using Dynamic Groups in Ldap for Accounts and Roles

  Does anyone currently use dynamic groups in LDAP for accounts and roles? I have set up a dynamic group in ldap (we are using OID Oracle internet Directory 10.1.2.0) , ldapsearch returns the correct list of unique names, but the account does not appear on my profile page when I log in to UCM (10.1.3). I cannot find any documentation so I'm asking myself if it is supported .....

  Thanks tim ... will check, but Oracle are saying :
  Oracle Universal Content Management - Version: 7.5.1
  Information in this document applies to any platform.
  Product: Content Server
  Version: 6.0
  Goal
  Can the Content Server's LDAP provider support, or can it be configured to support, dynamic LDAP groups?
  Solution
  The Content Server by itself is unable to process dynamic LDAP groups since the filter that is used cannot read dynamic groups. However, dynamic groups can still work in the Content Server if the permissions for the queried user are generated on the LDAP server side. For example: Novell and Active Directory both have this functionality.
  to which I have replied you suport 3rd party ldaps, but not your own? Shurely shome mishtake ..... if ldap search works in a seamless way, surely provider should too ....
  Billy, you may well be right, just got a cashflow problem over here !

• Identity Service LDAP with dynamic grouping

  Hi all,
  We are developing an enterprise application with oc4j and bpel.
  First we managed to handle user management with XML based JAZN tool.
  After that,we managed to connect identity service with iPlanet LDAP server and get users and roles(with static groups defined.)
  But our client wanted static and dynamic groups together in their LDAP server,because of the complexity of their current user base.
  When we try this,we cannot get the roles that are assigned with dynamic groups.But we can get the roles that are statically defined.
  We check the roles from the worklist application (integration/worklistapp... thing..) and we se the static groups where we cannot see dynamic one's.
  There is a section in is_config.xml like:
  <roleControls>
  <property name="nameattribute" value="cn"/>
  <property name="objectclass" value="groupOfUniqueNames"/>
  <property name="membershipsearchscope" value="onelevel"/>
  <property name="memberattribute" value="uniquemember"/>
  <search searchbase="ou=Groups,dc=dummy,dc=com,dc=tr" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
  </roleControls>
  I think the property uniquemember has an effect in this situation but I cannot find any sample configurations using dynamic groups in LDAP.
  Hope somebody has already done that..

  I find a solution here:
  http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
  I am currently using weblogic's defaultAuthentication to test BPM 11g.
  I do not know if this approach works in production environment.

• Dynamic Groups in LDAP and Calendar

  Folks,
  I have defined a dynamic group in LDAP. I would like for that group to be invited to an event. When I add an event and search I find the group. When I check the group and click 'OK' it doesn't show the group as invited. When I search again, it says the group is included but no one is invited.
  Also, how do I protect a group from being used by anybody???
  keith

  Thanks tim ... will check, but Oracle are saying :
  Oracle Universal Content Management - Version: 7.5.1
  Information in this document applies to any platform.
  Product: Content Server
  Version: 6.0
  Goal
  Can the Content Server's LDAP provider support, or can it be configured to support, dynamic LDAP groups?
  Solution
  The Content Server by itself is unable to process dynamic LDAP groups since the filter that is used cannot read dynamic groups. However, dynamic groups can still work in the Content Server if the permissions for the queried user are generated on the LDAP server side. For example: Novell and Active Directory both have this functionality.
  to which I have replied you suport 3rd party ldaps, but not your own? Shurely shome mishtake ..... if ldap search works in a seamless way, surely provider should too ....
  Billy, you may well be right, just got a cashflow problem over here !

• LDAP- large dynamic groups - performance

  A dynamic group is to a static group what a view is to a table
  A group is to its members what a table or view is to its records.
  When the memebrs of a dynamic group is very large are there any performance problems or is that eliminatable by some indexing means?

  Just an FYI ...
  I found out from iPlanet that this is a bug in SP3 and will be fixed in SP4.
  In the meantime, you can call tech support and get a patch.
  Matt
  "Matt Raible" <[email protected]> wrote in message
  news:9nldgs$[email protected]..
  I discovered today that the dynamic group does not seem to work for
  form-based authentication with iPlanet App Server. I have a group,
  Employees, in my LDAP server, and it has a dynamic group configured as
  ldap:///o=douglas.co.us??sub?dcRoles=ttEmployee, where each user has a
  custom attribute, dcRoles. I can test this dynamic group and expectedusers
  are found.
  However, I cannot authenticate with a user in this group when "Employees"is
  my configured role to authenticate with.
  If I open the group Employees in my LDAP Server, and under the Members,
  Static Group tab - I add a user, I can authenticate with them.
  I also tried adding "ttEmployee" as well as "Employee" to my deployment
  descriptors - but no luck. The method of adding a user (above) is the only
  way I found to work.
  Can someone shed some light on this?
  Thanks,
  Matt

• DIP fails loading dynamic groups into OID

  Hello,
  we're trying to load groups from OeBS into OID and associate them via dynamic groups feature with user records that was loaded earlier as follows:
  personid=18630,cn=dev,cn=hrsyncusers,cn=users,dc=ic,dc=lan
  orcltimezone=Asia/Yekaterinburg
  displayname=NOT ASCII
  employeetype=NOT ASCII
  givenname=NOT ASCII
  postalcode=628484
  orcldateofbirth=19610404000000
  orclgender=F
  departmentnumber=342
  uid=18630
  mail=HRNULL
  cn=NOT ASCII
  initials=NOT ASCII
  street=NOT ASCII
  employeenumber=4824
  middlename=NOT ASCII
  l=NOT ASCII
  orclhiredate=20051107000000
  sn=NOT ASCII
  personid=18630
  c=Russia
  title=NOT ASCII
  objectclass=inetorgperson
  objectclass=person
  objectclass=organizationalperson
  objectclass=orcluserv2
  objectclass=kapitalperson
  objectclass=country
  objectclass=residentialperson
  objectclass=locality
  objectclass=top
  Among other attributes each user entity has 'departmentNumber' that indicates number of his/her department.
  Now trying to load list of departments as dynamic groups with the following config
  files:
  *** DevHRAgentGroups.cfg ***
  [SELECT]
  SELECT psv.version_number
  , pos.name hierarchyname
  , hou.organization_id depno
  , poe.organization_id_parent parent_id
  , REPLACE(hou2.name, '"') parentname
  , poe.organization_id_child child_id
  , REPLACE(hou.name, '"') orgname
  , ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(depar
  tmentnumber='||hou.organization_id||')' ldapuri
  , hrl.meaning org_type
  FROM per_organization_structures pos
  , per_org_structure_versions psv
  , per_org_structure_elements poe
  , hr_all_organization_units hou
  , hr_all_organization_units hou2
  , hr_lookups hrl
  WHERE pos.business_group_id = psv.business_group_id
  AND pos.organization_structure_id = psv.organization_structure_id
  AND pos.primary_structure_flag = 'Y'
  AND psv.date_to IS NULL
  AND poe.org_structure_version_id = psv.org_structure_version_id
  AND poe.business_group_id = hou.business_group_id
  AND poe.organization_id_child = hou.organization_id
  AND poe.business_group_id = hou2.business_group_id
  AND poe.organization_id_parent = hou2.organization_id
  AND hrl.lookup_code = hou.type
  AND hrl.enabled_flag = 'Y'
  AND hrl.lookup_type = 'ORG_TYPE'
  AND hrl.lookup_code NOT IN (30,40)
  AND TRUNC(SYSDATE) BETWEEN hou.date_from AND NVL(hou.date_to, TO_DATE('31.12.4712','dd.mm.yyyy'))
  AND hou.last_update_date >= to_date(:BINDVAR,'YYYYMMDDHH24MISS')
  *** DevHRAgentGroups.map ***
  DomainRules
  NONLDAP:cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan:departmentID=%,cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan
  AttributeRules
  orgname:1: : :cn: :groupOfUniqueNames
  depno:1: : :departmentID: :kapitalDepartment
  ldapuri: : : :labeledURI: :orclDynamicGroup
  We're getting the following error in ?/ldap/odi/log/DevHRAgentGroups.trc during HRAgent execution at mapping phase:
  Normalized DN : departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan
  Changetype is 5
  Processing modifyRadd Operation ..
  Entry Not Found. Converting to an ADD op..
  Processing Insert Operation ..
  Performing createEntry..
  Exception creating Entry : javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=
  hrsyncgroups,cn=groups,dc=ic,dc=lan'
  [LDAP: error code 1 - Dynamic group cache update failed.]
  javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=i
  c,dc=lan'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3028)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
  at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
  at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
  at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1162)
  at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:425)
  at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:822)
  at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:349)
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:655)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
  DIP_LDAPWRITER_ERROR_CREATE
  Error in executing mapping DIP_LDAPWRITER_ERROR_CREATE
  DIP_LDAPWRITER_ERROR_CREATE
  Please, note. Loading is successful if we commenting out mapping line for labeledURI attribute (that's loading static groups).
  Loading is also successful when labeledURI is mapped to
  'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(objec
  tclass=person)' but this definetly is not what we are going to get.
  I don't have ideas what's wrong for example with the following generated 'labeledURI' attribute:
  ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber=82)
  Any help is appreciated
  Thanks,
  Edward

  Hi Frank,
  there is something wrong with departmentnumber attribute of user records. Searching users with ldapsearch using "departmentnumber=*" filter fails with the following error:
  ldap_search: DSA is unwilling to perform
  ldap_search: additional info: Function Not Implemented
  I think this is probably the cause of failing creation of dynamic groups.
  Searching on other user attributes (cn, uid, employyenumber) works fine.
  Still don't understand what's wrong with this particular attribute.

• ZCM 11.2.3a dynamic groups summery incorrect

  Hi there
  When creating a dynamic group for Agent version = 10.3.1.34138 (example)
  I click the preview and it shows me 20 members.
  Going to each of those devices in the preview list shows me the correct agent version as per the filter. (10.3.1.34138)
  However after applying and looking at the "members displayed in the Summary" tab, it shows 5000 odd members.
  I have tried this with a few dynamic groups and changed the agent version.
  I know it will only show the first 200 in the preview tab, but even when there are a few (50 members),
  after applying or resetting and looking at the Summary, a completely different no is displayed.
  Any ideas. - Don't recall having this with ZCM 11.2 We are on 11.2.3a at the moment.
  Thanks
  Mark

  Originally Posted by markvh
  Hi there
  When creating a dynamic group for Agent version = 10.3.1.34138 (example)
  I click the preview and it shows me 20 members.
  Going to each of those devices in the preview list shows me the correct agent version as per the filter. (10.3.1.34138)
  However after applying and looking at the "members displayed in the Summary" tab, it shows 5000 odd members.
  I have tried this with a few dynamic groups and changed the agent version.
  I know it will only show the first 200 in the preview tab, but even when there are a few (50 members),
  after applying or resetting and looking at the Summary, a completely different no is displayed.
  Any ideas. - Don't recall having this with ZCM 11.2 We are on 11.2.3a at the moment.
  Thanks
  Mark
  I don't believe the display results are always in order, it's kinda like LDAP where it returns the first X that it finds, so the results may be different every time. (the preview portion).
  At least that's what it does here (the group total is correct, but the preview/display is not in order alphabetically or anything and randomly changes)

• ACI and dynamic groups

  I can't seem to get dynamic groups working. Here's my dynamic group setup:
  ldapsearch -D "cn=directory manager" -w "passwd01" -b "ou=internal,dc=example,dc=com" "objectclass=groupOfUrls"
  version: 1
  dn: cn=istest,ou=Groups,ou=internal,dc=example,dc=com
  cn: istest
  objectClass: top
  objectClass: groupOfUrls
  ou: Groups
  memberURL: ldap:///ou=people,ou=internal,dc=example,dc=com??sub?(uid=user1)
  I know for sure user1 exists:
  ldapsearch -D "cn=directory manager" -w "passwd01" -b "ou=internal,dc=example,dc=com" "uid=user1"
  version: 1
  dn: uid=user1,ou=people,ou=internal,dc=example,dc=com
  objectClass: shadowAccount
  objectClass: posixAccount
  objectClass: account
  objectClass: top
  loginShell: /bin/bash
  uidNumber: 3000
  homeDirectory: /home/user1
  gecos: User1
  cn: User1
  gidNumber: 500
  uid: user1
  When I run a search, I get nothing:
  ldapsearch -D "cn=Directory Manager" -w passwd01 -b "ou=internal,dc=example,dc=com" "(isMemberOf=cn=istest,ou=Groups,ou=internal,dc=example,dc=com)"
  Directory Server version: 6.3
  Using /usr/bin/ldapsearch on solaris 10.
  My main objective so to use dynamic groups to setup some ACI. eg: allow user w/ attribute gidNumber=400 full read/write.
  mike

  ismemberof only works for static groups.
  My main objective so to use dynamic groups to setup some ACI.
  eg: allow user w/ attribute gidNumber=400 full read/write.Have you considered using filtered roles ?

• Posix dynamic groups

  Hi,
  Despite that subject was touched numerous times I still don't quite get how to make dynamic groups posix compliant.
  Solaris native ldap client will only see a group entry if:
  1) a user has a "gidNumber" attribute (single-valued),
  2) a group has "memberUid" for him (static)
  I'd really like to know how to make groups with "memberURL" entry only real posix groups.

  Groups can be nested. Use the attribute uniquemember in the objectclass groupofuniquenames. uniquemember's value is then the dn of another Group.
  Regards,
  Ingo

• Trouble with ACIs and dynamic groups

  Hi!
  Does Dirctory Server stop searching for subgroups after evaluating a dynamic group?
  Example:
  A User "uid=A,o=company" is member of a dynamic group "cn=dyn,o=company" via memberURL: "ldap:///o=company??sub?(uid=A)".
  The dynamic group "cn=dyn,o=company" is member of a static group "cn=stat,o=company" via uniquemember: "cn=dyn,o=company".
  If I grant any permission using an ACI with (groupdn = "ldap:///cn=stat,o=company") user A gets that permission.
  BUT
  A User "uid=B,o=company" is member of a static group "cn=static,o=company" via uniquemember: "uid=B,o=company".
  The static group "cn=static,o=company" is member of a dynamic group "cn=dynamic,o=company" via memberURL: "ldap:///o=company??sub?(cn=static)".
  If I grant any permission using an ACI with (groupdn = "ldap:///cn=dynamic,o=company") user B does not get the permission.
  Has anyone any suggestions?

  Hi!
  Does Dirctory Server stop searching for subgroups after evaluating a dynamic group?
  Example:
  A User "uid=A,o=company" is member of a dynamic group "cn=dyn,o=company" via memberURL: "ldap:///o=company??sub?(uid=A)".
  The dynamic group "cn=dyn,o=company" is member of a static group "cn=stat,o=company" via uniquemember: "cn=dyn,o=company".
  If I grant any permission using an ACI with (groupdn = "ldap:///cn=stat,o=company") user A gets that permission.
  BUT
  A User "uid=B,o=company" is member of a static group "cn=static,o=company" via uniquemember: "uid=B,o=company".
  The static group "cn=static,o=company" is member of a dynamic group "cn=dynamic,o=company" via memberURL: "ldap:///o=company??sub?(cn=static)".
  If I grant any permission using an ACI with (groupdn = "ldap:///cn=dynamic,o=company") user B does not get the permission.
  Has anyone any suggestions?

• OAM 10g - obmygroups and nested dynamic groups

  I've run into an issue with the obmygroups header action in OAM 10g, and I'm not sure whether this is by design or not.
  The obmygroups will return static and dynamic group names for which the user is a member, and it will return static groups that contain nested static groups where the user is a member of the nested group. However, it doesn't seem to static groups with nested dynamic groups where the user is a member of the nested dynamic group.
  Is that by design? Is there any way to nest dynamic groups so that obmygroups will return the parent group name? I'd like to have a group that contains both nested static and nested dynamic groups, and have the obmygroups action return the name of the parent group.
  Thanks,
  Matt

  Return Attribute Action in authentication or authorization rules
  obmygroups:<ldap_url> special attribute returns those groups to which the user belongs that also satisfy the criteria <ldap_url> filter specifies.
  EX: "obmygroups:ldap:///cn=Groups,dc=myorg,dc=com??sub(group_type=role) returns all the groups in cn=Groups,dc=myorg,dc=com tree for which the logged-in user is a member and the group_type is role.
  For more information check OAM Access Administration Guide

• Dynamic Group Integration

  I'm trying to use the weblogic.security.ldaprealmv2.LDAPRealm class that comes with
  Weblogic Version 6.0. along with iPlanet Direcory Server. Below is a copy of my
  configuration data:
  user.filter=(&(uid=%u)(objectclass=person))
  user.dn=ou=people,dc=directv,dc=com
  membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames))
  server.principal=uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
  group.filter=(&(cn=%g)(objectclass=groupofuniquenames))
  group.dn=ou=groups,dc=directv,dc=com
  server.host=127.0.0.1
  My issue is that the group is dynamiccaly defined, so the attribute uniquemember
  is not defined and memberurl is. The memberurl is a ldap query defining all the
  groups/people that are in the group.
  My question is; Can I modify the membership.filter to pickup the memberurl. My guess
  is yes, but then how does Weblogic get the unique members from that?
  Do I need to write a custum realm?

  Hi Mark,
  Netscape dynamic groups do not work with WebLogic's LDAP realm in WLS 6.x or lower. (Not
  sure about 7.0)
  You could definitely write your own custom realm to handle dynamic groups
  Cheers
  Joe Jerry
  Mark Celano wrote:
  I'm trying to use the weblogic.security.ldaprealmv2.LDAPRealm class that comes with
  Weblogic Version 6.0. along with iPlanet Direcory Server. Below is a copy of my
  configuration data:
  user.filter=(&(uid=%u)(objectclass=person))
  user.dn=ou=people,dc=directv,dc=com
  membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames))
  server.principal=uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
  group.filter=(&(cn=%g)(objectclass=groupofuniquenames))
  group.dn=ou=groups,dc=directv,dc=com
  server.host=127.0.0.1
  My issue is that the group is dynamiccaly defined, so the attribute uniquemember
  is not defined and memberurl is. The memberurl is a ldap query defining all the
  groups/people that are in the group.
  My question is; Can I modify the membership.filter to pickup the memberurl. My guess
  is yes, but then how does Weblogic get the unique members from that?
  Do I need to write a custum realm?

• Dynamic group not working

  Hi,
  I'm trying to get a dynamic group working with the oracle directory server enterprise edition 11.1.1.5.0 .
  I've created a dynamic group like this:
  dn: cn=employees,ou=groups,dc=example,dc=com
  cn: employees
  objectclass: top
  objectclass: groupOfURLs
  ou: groups
  memberURL: ldap:///ou=people,dc=example,dc=com??sub?(uid=*)
  but when I check for the membership, I'm just getting the dn of the user with uid = "me", but nothing else.
  ldapsearch -h localhost -p 389 -D "cn=Directory Manager" -w password \
    -b dc=example,dc=com "(uid=me)" isMemberOf
  There was a similar question like that in the forum, but no useful answer.
  Does anyone know how dynamic groups work correctly?
  best regards, solst_ice

  Hi,
  Ismemberof is supported for static groups only in DSEE. Dynamic group are group definition that client apps can retrieve but there is no built-in membership evaluation in the core server.
  You might want to consider Oracle Unified DIrectory that support ismemberOf for static and dynamic groups
  See http://docs.oracle.com/cd/E37116_01/index.htm  and Managing Users and Groups - 11g Release 2 (11.1.2)
  Regards,
  -Sylvain

• Identity Sever Dynamic Group expansion

  I have few dynamic groups defined based on 'dynamic filter' (example:- ldap:///dc=abc,dc=com??sub?(myRole=Helpdesk)). All these group's have 'dynamic member only' attribute set to true.
  I always have to expand it manually from configuration to refresh the static users in this group. Is there a way to make this process automatic ? for example:- automatic expansion every 1hr?
  Thanks!
  Kabi

  There is no timing thread built into OAM - so you have to work this out outside of the product.
  I have, for example, used Quartz and an HTTP client library to 'click' the expand button on a regular schedule. You can also bring in the Access SDK if you need an ObSSOCookie to get to the Admin interface.
  Mark