LDAP Group Sources

If you are using an LDAP group source to identify the candidate resources to include in the LDAP container, you specify a group DN that identifies the directory entry that is the group. Along with the group DN, you also specify a member attribute, which holds the collection of member identifiers (their DNs). The values of that attribute provide the list of candidate resources.

When using an LDAP group source, the following three attributes are required to determine the candidate resources for the LDAP container:
  • ldap-alias - The name (or alias) of the LDAP source from which candidate resources will be obtained.
  • group-dn - The LDAP directory entry that is the group. If the following LDAP directory entry identifies the group, the group-dn is "OU=CSR,OU=groups,O=insuranceServices":

  • member-attribute - Identifies the attribute within the group entry that holds the collection of DNs that identify the candidate resources. The following example shows the attributes for the DN shown above:

    In this example, "roleoccupant" would be the member-attribute, as it provides the DN for each member of the group.

For more details about these parameters, plus information about additional optional parameters that can be specified when creating an LDAP container using an LDAP group, see:

Object Classes

All entries in an LDAP directory are of a particular object class, that is, their "objectClass". The objectClass defines what attributes the directory entry "must" have (required attributes), as well as the attributes it "may" have (optional attributes).

LDAP directories that contain group entries often have one of the following objectClasses:
  • groupOfNames
  • groupOfUniqueNames
  • groupOfURLs
  • organizationalRole

These common group-related object classes contain an attribute whose values identify members of the group. The member attributes for the common group-related object classes are "member", "uniqueMember", "memberURL", and "roleoccupant", respectively.

As you can see in the example above, the entry identified by the DN "OU=CSR,OU=groups,O=insuranceServices" has an objectClass of organizationalRole, and has two "roleoccupant" attribute values that contain the DNs of the members of the group (CSRs in this example).

The object classes listed above are supported by default. If an objectClass other than these is going to be used, you must specify that objectClass in the LdapGroupClass property in the DE.Properties file. The LdapGroupClass property is not included in the DE.Properties file by default. (The DE.Properties file contains properties for the Directory Engine. For more information, see the TIBCO ActiveMatrix BPM Administration Guide.)

Static LDAP Groups

Static LDAP groups specify the DN of each member of the group in the member attribute. The example shown above is a static group.

Another example of a static LDAP group entry is the following:

    dn: cn=Dev.Staff,ou=Austin,c=US
    objectclass: groupOfNames
    cn: Dev.Staff
    member: cn=John Doe,o=IBM,c=US
    member: cn=Jane Smith,o=IBM,c=US
    member: cn=James Smith,o=IBM,c=US

In this example, the group members are identified in the "member" attribute -- each value of that attribute contains the DN of one member of the group.

Static LDAP groups can also be nested by specifying the DN of another group as a value of the member attribute. If any value within the member attribute identifies another group, the same named attribute of that group is used to augment the collection of group members. The resulting candidate resources consist of all nested group members.

Nested groups are identified by their objectClass, which is compared against the group objectClasses named in the DE.Properties file. The known group objectClasses, groupOfNames and groupOfUniqueNames, are applied by default. Member entries that have any of the named objectClasses are treated as nested groups.
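The nested-group expansion described above, as an added illustration that is not part of this guide or of the Directory Engine: it reuses the same member attribute for each nested group, decides what is a group by objectClass, and uses a visited set so that a cycle between two groups terminates. The in-memory directory, the QA.Staff group and the person entries are constructed for the example.

```python
# Constructed in-memory directory (not a real server): DN -> attributes.
# It mirrors the page's Dev.Staff example, adds a nested group and a cycle.
DIRECTORY = {
    "cn=Dev.Staff,ou=Austin,c=US": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=John Doe,o=IBM,c=US",
                   "cn=Jane Smith,o=IBM,c=US",
                   "cn=QA.Staff,ou=Austin,c=US"],   # nested group
    },
    "cn=QA.Staff,ou=Austin,c=US": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=James Smith,o=IBM,c=US",
                   "cn=Dev.Staff,ou=Austin,c=US"],  # cycle back to the parent
    },
    "cn=John Doe,o=IBM,c=US": {"objectclass": ["inetOrgPerson"]},
    "cn=Jane Smith,o=IBM,c=US": {"objectclass": ["inetOrgPerson"]},
    "cn=James Smith,o=IBM,c=US": {"objectclass": ["inetOrgPerson"]},
}

# Object classes treated as nested groups: the page's defaults plus anything an
# LdapGroupClass setting would add. Compared case-insensitively, as LDAP does.
GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}


def is_group(entry, group_classes=GROUP_CLASSES):
    return any(oc.lower() in group_classes for oc in entry.get("objectclass", []))


def resolve_members(group_dn, member_attribute, directory=DIRECTORY,
                    group_classes=GROUP_CLASSES):
    """Sorted DNs of all transitively nested members of group_dn.

    The same member attribute is reused for each nested group; the visited
    set makes a cycle (Dev.Staff -> QA.Staff -> Dev.Staff) terminate.
    DN comparison is simplified to lower-casing.
    """
    members, visited, pending = set(), set(), [group_dn]
    while pending:
        dn = pending.pop()
        if dn.lower() in visited:
            continue
        visited.add(dn.lower())
        for value in directory.get(dn, {}).get(member_attribute, []):
            entry = directory.get(value)
            if entry is not None and is_group(entry, group_classes):
                pending.append(value)   # expand the group rather than list it
            else:
                members.add(value)      # leaf entry (or unresolvable DN) is a candidate
    return sorted(members)
```

Passing an empty set of group classes shows the difference a missing LdapGroupClass entry makes: the nested group's DN is then returned as an ordinary member instead of being expanded.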

Dynamic LDAP Groups

Dynamic groups specify one or more URL search filters (queries). All entries that match the URL search filters are members of the group. Membership of a dynamic group is determined each time the filters are evaluated.

Dynamic groups use one of the following object classes and attribute pairs:

  • The groupOfURLs object class, with the memberURL attribute.
  • The groupOfUniqueNames object class, with the uniqueMember attribute.

The memberURL and uniqueMember attributes each specify one or more URL search filters. An example is:

    dn: cn=GROUP1,ou=Austin
    objectclass: groupOfURLs
    cn: GROUP1
    memberURL: ldap:///cn=users,ou=Austin??one?(group=GROUP1)