LDAP Group Sources
If you are using an LDAP group source to identify the candidate resources to include in the LDAP container, you specify a group DN, which identifies the directory entry that is the group, together with a member attribute, which is the attribute of that entry whose values are the DNs of the members. The values of the member attribute provide the list of candidate resources.
- LDAP Alias - The name (or alias) of the LDAP source from which candidate resources will be obtained.
- Group DN - The LDAP directory entry that is the group. For example, if the following LDAP directory entry identifies the group, the Group DN is "OU=CSR,OU=groups,O=insuranceServices":
- Member attribute - Identifies the attribute within the group entry that holds the collection of DNs that identify the candidate resources. The following example shows the attributes for the DN shown above:
In this example, "roleoccupant" would be the member attribute, as it provides the DN for each member of the group.
For more details about the parameters that can be specified when creating an LDAP container using an LDAP group, see Creating an LDAP Container using an LDAP Group.
Object Classes
Every entry in an LDAP directory has one or more object classes, held in its "objectClass" attribute. An object class defines which attributes an entry of that class "must" have (required attributes) and which it "may" have (optional attributes).
The common group-related object classes each contain an attribute whose values identify the members of the group: "member" for groupOfNames, "uniqueMember" for groupOfUniqueNames, "memberURL" for groupOfURLs, and "roleoccupant" for organizationalRole.
As you can see in the example above, the entry identified by the DN "OU=CSR,OU=groups,O=insuranceServices" has the objectClass organizationalRole and two values of the "roleoccupant" attribute, each containing the DN of a member of the group (CSRs in this example).
Static LDAP Groups
Static LDAP groups specify the DN of each member of the group in the member attribute. The example shown above is a static group.
Another example of a static LDAP group directory is the following:
DN: cn=Dev.Staff,ou=Austin,c=US
objectclass: groupOfNames
cn: Dev.Staff
member: cn=John Doe,o=IBM,c=US
member: cn=Jane Smith,o=IBM,c=US
member: cn=James Smith,o=IBM,c=US
In this example, the group members are identified in the "member" attribute: each value of that attribute is the DN of one member of the group.
Static LDAP groups can also be nested by specifying the DN of another group as a value of the member attribute. If a value of the member attribute identifies another group, the attribute of the same name in that group is read to augment the collection of group members, and so on through any further levels of nesting. The resulting candidate resources consist of the members of all nested groups.
A member entry is recognised as a nested group by its objectClass: the objectClass values of the entry are compared with the group object classes named in the Directory Engine configuration (for information, see "Directory Engine Configuration" in the TIBCO BPM Enterprise Administration guide).
The known group object classes groupOfNames and groupOfUniqueNames are applied by default. Any member entry that has one of the named object classes is treated as a nested group.
Dynamic LDAP Groups
Dynamic groups specify one or more URL search filters (queries), that is, LDAP URLs carrying a search base, a scope and a filter. All entries that match the URL search filters are members of the group. Membership is not stored in the group entry; it is recomputed each time the filters are evaluated.
Dynamic groups use one of the following object class and attribute pairs:
The memberURL and uniqueMember attributes specify one or more URL search filters. An example is:
dn: cn=GROUP1,ou=Austin
objectclass: groupOfURLs
cn: GROUP1
memberURL: ldap:///cn=users,ou=Austin??one?(group=GROUP1)
In this URL the host part is empty (the directory being queried is used), the search base is cn=users,ou=Austin, the attribute list between the first two question marks is empty, the scope is one (entries directly beneath the base only), and the filter is (group=GROUP1).
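The following is an added example, not part of the TIBCO documentation or of the product's code, that models both the static nested-group resolution described under "Static LDAP Groups" and the dynamic-group URL evaluation described here, against a small in-memory directory. The directory contents are constructed for the example: the group names and the memberURL reuse the examples above, while the user entries under cn=users,ou=Austin and their "group" attribute are invented. Nested groups are detected by objectClass (groupOfNames and groupOfUniqueNames by default) and expanded with the same member attribute name, as the text states, and dynamic membership is computed at evaluation time from the RFC 4516 URL components. Two things the page does not discuss are handled so that the code is safe to run on real data: a nested-group cycle (A contains B, B contains A) is stopped by a visited set, and only equality and presence filters are supported; any other filter raises an error rather than silently matching nothing.

```python
"""Toy in-memory resolver for static (nested) and dynamic LDAP groups. Constructed example."""
from urllib.parse import unquote

# Constructed sample directory: group names follow the examples above; the user
# entries, their DNs and the "group" attribute are invented for this illustration.
SAMPLE_LDIF = """\
dn: cn=Dev.Staff,ou=Austin
objectclass: groupOfNames
member: cn=John Doe,cn=users,ou=Austin
member: cn=Jane Smith,cn=users,ou=Austin
member: cn=Dev.Leads,ou=Austin

dn: cn=Dev.Leads,ou=Austin
objectclass: groupOfNames
member: cn=James Smith,cn=users,ou=Austin
member: cn=Guest,ou=partners,c=US
member: cn=Dev.Staff,ou=Austin

dn: cn=GROUP1,ou=Austin
objectclass: groupOfURLs
memberURL: ldap:///cn=users,ou=Austin??one?(group=GROUP1)

dn: cn=John Doe,cn=users,ou=Austin
objectclass: inetOrgPerson
group: GROUP1

dn: cn=Jane Smith,cn=users,ou=Austin
objectclass: inetOrgPerson
group: GROUP1

dn: cn=James Smith,cn=users,ou=Austin
objectclass: inetOrgPerson
group: GROUP2

dn: cn=Temp,ou=contractors,cn=users,ou=Austin
objectclass: inetOrgPerson
group: GROUP1
"""

def norm_dn(dn):
    """Lower-case and trim each RDN (escaped commas are not handled)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """'attr: value' records separated by blank lines -> {dn: {attr: [values]}}."""
    directory = {}
    for record in text.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        directory[norm_dn(entry["dn"][0])] = entry
    return directory

def resolve_static_group(directory, group_dn, member_attr,
                         group_classes=("groupofnames", "groupofuniquenames"), seen=None):
    """Collect member DNs; a member whose objectClass is in group_classes is itself
    expanded using the same member attribute. 'seen' is this example's cycle guard."""
    seen = set() if seen is None else seen
    gdn = norm_dn(group_dn)
    if gdn in seen:                       # A -> B -> A: B's members are already counted
        return set()
    seen.add(gdn)
    members = set()
    for dn in directory[gdn].get(member_attr.lower(), []):
        entry = directory.get(norm_dn(dn), {})           # DN not in directory -> plain leaf
        if {c.lower() for c in entry.get("objectclass", [])} & set(group_classes):
            members |= resolve_static_group(directory, dn, member_attr, group_classes, seen)
        else:
            members.add(norm_dn(dn))
    return members

def parse_ldap_url(url):
    """RFC 4516 URL: ldap://host/dn?attrs?scope?filter (defaults: base, objectClass=*)."""
    scheme, _, rest = url.partition("://")
    if scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    host, _, rest = rest.partition("/")
    base, attrs, scope, filt = ([unquote(p) for p in rest.split("?")] + [""] * 4)[:4]
    return {"host": host, "base": norm_dn(base), "attrs": [a for a in attrs.split(",") if a],
            "scope": scope.lower() or "base", "filter": filt or "(objectClass=*)"}

def in_scope(dn, base, scope):
    """RFC 4516 scopes: base, one (direct children only), sub (whole subtree)."""
    return {"base": dn == base,
            "one": dn.partition(",")[2] == base,
            "sub": dn == base or dn.endswith("," + base)}[scope]

def match_filter(entry, filt):
    """Equality and presence filters only, e.g. (group=GROUP1) or (mail=*)."""
    if not (filt.startswith("(") and filt.endswith(")")) or filt[1] in "&|!":
        raise ValueError(f"unsupported filter: {filt}")
    attr, _, value = filt[1:-1].partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def resolve_dynamic_group(directory, group_dn, url_attr="memberURL"):
    """Evaluate each URL search filter now; membership is never stored."""
    members = set()
    for url in directory[norm_dn(group_dn)].get(url_attr.lower(), []):
        q = parse_ldap_url(url)
        members |= {dn for dn, e in directory.items()
                    if in_scope(dn, q["base"], q["scope"]) and match_filter(e, q["filter"])}
    return members
```

To try it, load the sample with `d = parse_ldif(SAMPLE_LDIF)` and call `resolve_static_group(d, "cn=Dev.Staff,ou=Austin", "member")`: John Doe, Jane Smith and, through the nested Dev.Leads group, James Smith and the unknown Guest DN are returned, while the back-reference from Dev.Leads to Dev.Staff is ignored. `resolve_dynamic_group(d, "cn=GROUP1,ou=Austin")` returns only John Doe and Jane Smith: James Smith fails the filter and the contractor entry sits one level too deep for scope one, which is the usual surprise when a memberURL is written with "one" where "sub" was intended.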