Chapter 11. Organizing Entries with Groups, Roles, and Views

11.1. Using Groups
11.1.1. Creating Static Groups in the Console
11.1.2. Creating Dynamic Groups in the Console
11.1.3. Creating Groups in the Command Line
11.1.4. Using the memberOf Attribute to Manage Group Membership Information
11.2. Using Roles
11.2.1. About Roles
11.2.2. Creating a Managed Role
11.2.3. Creating a Filtered Role
11.2.4. Creating a Nested Role
11.2.5. Editing and Assigning Roles to an Entry
11.2.6. Viewing Roles for an Entry through the Command Line
11.2.7. Making a Role Inactive or Active
11.2.8. Viewing the Activation Status for Entries
11.2.9. About Deleting Roles
11.2.10. Using Roles Securely
11.3. Using Views
11.3.1. Creating Views in the Console
11.3.2. Creating Views from the Command Line
Entries contained within the directory can be grouped in different ways to simplify the management of user accounts. Red Hat Directory Server supports a variety of methods for grouping entries and sharing attributes between entries. To take full advantage of the features offered by roles and class of service, determine the directory topology when planning the directory deployment.

11.1. Using Groups

Groups are a mechanism for associating entries for ease of administration. Groups do not have the flexibility or utility of roles. However, there are certain clients and applications where groups are useful. Groups also offer compatibility with older LDAP clients and directory services.

NOTE

Managing groups is significantly easier by using the memberOf attribute to identify in user entries to what groups a user belongs. The memberOf attribute is maintained by the Directory Server and updated automatically on entries as group membership changes. See Section 11.1.4, “Using the memberOf Attribute to Manage Group Membership Information” for information on using the memberOf attribute.

11.1.1. Creating Static Groups in the Console

Static groups organize entries by specifying the same group value in the DN attribute of any number of users.

NOTE

If a user has an entry on a remote Directory Server (for example, in a chained database), different from the Directory Server which has the entry that defines the static group, then use the Referential Integrity plug-in to ensure that deleted user entries are automatically deleted from the static group.
There are some performance and access control considerations with the Referential Integrity plug-in. For more information about using referential integrity with chaining, see Section 2.3.2, “Configuring the Chaining Policy”.
  1. In the Directory Server Console, select the Directory tab.
  2. In the left pane, right-click the entry under which to add a new group, and select New > Group.
    Alternatively, go to the Object menu, and select New > Group.
  3. Click General in the left pane. Type a name for the new group in the Group Name field (the name is required), and enter a description of the new group in the Description field.
  4. Click Members in the left pane. In the right pane, select the Static Group tab. Click Add to add new members to the group.
  5. In the Search drop-down list, select what sort of entries to search for (users, groups, or both) then click Search.
  6. Select the members from the returned entries, and click OK.
  7. Click Languages in the left pane to add language-specific information for the group.
  8. Click OK to create the new group. It appears in the right pane.
To edit a static group, double-click the group entry, and make the changes in the editor window. To view the changes, go to the View menu, and select Refresh.

NOTE

The Console for managing static groups may not display all possible selections during a search operation if there is no VLV index for users' search. This problem occurs only when the number of users is 1000 or more and there is no VLV index for search. To work around the problem, create a VLV index for the users suffix with the filter (objectclass=person) and scope sub-tree.

11.1.2. Creating Dynamic Groups in the Console

Dynamic groups filter users based on their DN and include them in a single group.
  1. In the Directory Server Console, select the Directory tab.
  2. In the left pane, right-click the entry under which to add a new group, and select New > Group.
    Alternatively, go to the Object menu, and select New > Group.
  3. Click General in the left pane. Type a name for the new group in the Group Name field (the name is required), and enter a description of the new group in the Description field.
  4. Click Members in the left pane. In the right pane, select the Dynamic Group tab. Click Add to create a LDAP URL for querying the database.
  5. Enter an LDAP URL in the text field or select Construct to be guided through the construction of an LDAP URL.
    The results show the current entries (group members) which correspond to the filter.
  6. Click Languages in the left pane to add language-specific information for the group.
  7. Click OK. The new group appears in the right pane.
To edit a dynamic group, double-click the group entry to open the editor window, and make whatever changes to the dynamic group. To view the changes to the group, go to the View menu, and select Refresh.

NOTE

The Console for managing dynamic groups may not display all possible selections during a search operation if there is no VLV index for users' search. This problem can occur when the number of users is 1000 or more and there is no VLV index for search. To work around the problem, create a VLV index for the users suffix with the filter (objectclass=person) and scope sub-tree.

11.1.3. Creating Groups in the Command Line

Creating both static and dynamic groups from the command line is a similar process. A group entry contains the group name, the type of group, and a members attribute.
There are several different options for the type of group; these are described in more detail in the Schema Reference. The type of group in this case refers to the type of defining member attribute it has:
  • groupOfNames is a simple group, that allows any entry to be added. The attribute used to determine members for this is member.
  • groupOfUniqueNames, like groupOfNames, simply lists user DNs as members, but the members must be unique. This prevents users being added more than once as a group member, which is one way of preventing self-referential group memberships. The attribute used to determine members for this is uniqueMember.
  • groupOfURLs uses a list of LDAP URLs to filter and generate its membership list. This object class is required for any dynamic group and can be used in conjunction with groupOfNames and groupOfUniqueNames.
  • groupOfCertificates is similar to groupOfURLs in that it uses an LDAP filter to search for and identify certificates (or, really, certificate names) to identify group members. This is useful for group-based access control, since the group can be given special access permissions. The attribute used to determine members for this is memberCertificate.
Table 11.1, “Dynamic and Static Group Schema” lists the default attributes for groups as they are created from the command line.

Table 11.1. Dynamic and Static Group Schema

Type of Group Group Object Classes Member Attributes
Static groupOfUniqueNames uniqueMember
Dynamic
groupOfUniqueNames
groupOfURLs
 memberURL

A static group entry lists the specific members of the group. For example: 
/usr/lib64/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=static group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: static group
description: Example static group.
uniqueMember: uid=mwhite,ou=People,dc=example,dc=com
uniqueMember: uid=awhite,ou=People,dc=example,dc=com
A dynamic group uses at least one LDAP URL to identify entries belonging to the group and can specify multiple LDAP URLs or, if used with another group object class like groupOfUniqueNames, can explicitly list some group members along with the dynamic LDAP URL. 
/usr/lib64/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=dynamic group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
objectClass: groupofurls
cn: dynamic group
description: Example dynamic group.
memberURL: ldap:///dc=example,dc=com??sub?(&(objectclass=person)(cn=*sen*))

11.1.4. Using the memberOf Attribute to Manage Group Membership Information

The entries which belong to a group are defined, in some way, in the group entry itself. This makes it very easy to look at a group and see its members and to manage group membership centrally. However, there is no good way to find out what groups a single user belongs to. There is nothing in a user entry which indicates its memberships, as there are with roles.
The MemberOf Plug-in correlates group membership lists to the corresponding user entries. An instance of the MemberOf Plug-in analyzes the member attribute (by default, member) in a group entry and automatically writes a corresponding memberOf attribute in the member's entry. As membership changes, the plug-in updates the memberOf attributes on the user entries. The MemberOf Plug-in provides a way to view the groups to which a user belongs simply by looking at the entry, including nested group membership. It can be very difficult to backtrack memberships through nested groups, but the MemberOf Plug-in shows memberships for all groups, direct and indirect.

NOTE

The most common people object classes — such as inetorgperson and person — do not allow the memberof attribute. To allow the MemberOf Plug-in to add the memberof attribute to a user entry, make sure that that entry belongs to the inetUser object class, which does allow the memberof attribute.
Similarly, if an attribute other than memberof is used in the user entry, then make sure that the user entry belongs to an object class that allows that attribute.

IMPORTANT

The memberOf attributes for user entries should not be replicated in multi-master environments. Make sure that the memberOf attribute is excluded from replication in the replication agreement. (Fractional replication is described in Section 9.1.7, “Replicating a Subset of Attributes with Fractional Replication”.)
Each server must maintain its own MemberOf Plug-in independently. To make sure that the memberOf attributes for entries are the same across servers, simply configure the MemberOf Plug-in the same on all servers.
With single-master replication, it is perfectly safe to replicate memberOf attributes. Configure the MemberOf Plug-in for the supplier, then replicate the memberOf attributes to the consumers.
The MemberOf Plug-in manages member attributes for static groups, not dynamic groups or circular groups.

11.1.4.1. The MemberOf Plug-in Syntax

The MemberOf Plug-in instance defines two attributes, one for the group member attribute to poll (memberofgroupattr) and the other for the attribute to create and manage in the member's user entry (memberofattr).
The plug-in instance also gives the plug-in path and function to identify the MemberOf Plug-in and contains a state setting to enable the plug-in, both of which are required for all plug-ins. The default MemberOf Plug-in is shown in Example 11.1, “Default MemberOf Plug-in Entry” and the different parameters are described in Table 11.2, “MemberOf Syntax”.

Example 11.1. Default MemberOf Plug-in Entry

 dn: cn=MemberOf Plugin,cn=plugins,cn=config
 objectClass: top
 objectClass: nsSlapdPlugin
 objectClass: extensibleObject
 cn: MemberOf Plugin  
 nsslapd-pluginPath: libmemberof-plugin   
 nsslapd-pluginInitfunc: memberof_postop_init   
 nsslapd-pluginType: postoperation
 nsslapd-pluginEnabled: on  
 nsslapd-plugin-depends-on-type: database
 memberofgroupattr: member   
 memberofattr: memberOf   
 nsslapd-pluginId: memberof
 nsslapd-pluginVersion: 8.2.4
 nsslapd-pluginVendor: Red Hat, Inc.
 nsslapd-pluginDescription: memberof plugin

Table 11.2. MemberOf Syntax

Plug-in Attribute Description
cn Gives a unique name for the plug-in instance.
memberofgroupattr Gives the attribute in the group entry to poll to identify member DNs. By default, this is the member attribute, but it can be any attribute used to identify group members, such as uniqueMember.
memberofattr Gives the attribute for the plug-in to create and manage on the user entry. By default, this is the memberOf attribute.
nsslapd-pluginEnabled Sets whether the plug-in instance is enabled (active) or disabled. The default MemberOf Plug-in instance is disabled by default.
nsslapd-pluginPath Gives the name of the specific plug-in to load. This must be libmemberof-plugin.
nsslapd-pluginInitfunc Gives the name of the function to call to initialize the plug-in. This must be memberof_postop_init.

11.1.4.2. Configuring an Instance of the MemberOf Plug-in from the Command Line

The attributes defined in the MemberOf Plug-in can be changed, depending on the types of groups used in the directory.
11.1.4.2.1. Editing the MemberOf Plug-in from the Console
  1. Select the Configuration tab, and expand to the Plugins folder.
  2. Scroll to the Memberof Plugin entry.
  3. Make sure that the plug-in is enabled. This is disabled by default.
  4. Click the Advanced button to open the Advanced Properties Editor.
  5. The memberofgroupattr attribute sets the attribute in the group entry which the server uses to identify member entries. The memberofattr attribute sets the attribute which the plug-in creates and manages on user entries.
  6. Save the changes.
  7. Restart the server to update the plug-in. For example, open the Tasks tab and click the Restart server task.
11.1.4.2.2. Editing the MemberOf Plug-in from the Command Line
  1. Enable the MemberOf Plug-in. 
    /usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: replace
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
  2. Set the attribute to use for the group member entry attribute. For example: 
    /usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: replace
replace: memberofgroupattr
memberofgroupattr: uniqueMember
-
  3. Set the attribute to set on the user entries to show group membership. For example: 
    /usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: replace
replace: memberofattr
memberofattr: memberOf
-
  4. Restart the Directory Server to load the modified new plug-in instance. 
    service dirsrv restart instance_name

11.1.4.3. Synchronizing memberOf Values

The MemberOf Plug-in automatically manages the memberOf attribute on group member entries, based on the configuration in the group entry itself. However, the memberOf attribute can be edited on a user entry directly (which is improper) or new entries can be imported or replicated over to the server that have a memberOf attribute already set. These situations create inconsistencies between the memberOf configuration managed by the server plug-in and the actual memberships defined for an entry.
Directory Server has a memberOf repair task which manually runs the plug-in to make sure the appropriate memberOf attributes are set on entries. There are three ways to trigger this task:
  • In the Directory Server Console
  • Using the fixup-memberof.pl script
  • Running a cn=memberof task,cn=tasks,cn=config tasks entry

NOTE

The memberOf regeneration tasks are run locally, even if the entries themselves are replicated. This means that the memberOf attributes for the entries on other servers are not updated until the updated entry is replicated.
11.1.4.3.1. Initializing and Regenerating memberOf Attributes Using fixup-memberof.pl
The fixup-memberof.pl script launches a special task to regenerate all of the memberOf attributes on user entries based on the member attributes in the group entries. This is a clean-up task which synchronizes the membership defined in group entries and the corresponding user entries and overwrites any accidental or improper edits on the user entries.
  1. Open the tool directory for the Directory Server instance, /usr/lib/dirsrv/slapd-instance_name/.
  2. Run the script, binding as the Directory Manager. 
    ./fixup-memberof.pl -D "cn=Directory Manager" -w password
The fixup-memberof.pl command is described in more detail in the Configuration and Command-Line Tool Reference.
11.1.4.3.2. Initializing and Regenerating memberOf Attributes Using ldapmodify
Regenerating memberOf attributes is one of the tasks which can be managed through a special task configuration entry. Task entries occur under the cn=tasks configuration entry in the dse.ldif file, so it is also possible to initiate a task by adding the entry using ldapmodify. As soon as the task is complete, the entry is removed from the directory.
The fixup-memberof.pl script creates a special task entry in a Directory Server instance which regenerates the memberOf attributes.
To initiate a memberOf fixup task, add an entry under the cn=memberof task, cn=tasks,cn=config entry. The only required attribute is the cn for the specific task. 
/usr/lib64/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=example memberof,cn=memberof task,cn=tasks,cn=config
cn:example memberof
As soon as the task is completed, the entry is deleted from the dse.ldif configuration, so it is possible to reuse the same task entry continually.
The cn=memberof task configuration is described in more detail in the Configuration and Command-Line Tool Reference.