For each dynamic role, you need to create an entry in the roles subtree using one of these auxiliary object classes:
This object class contains an attribute groupOfNames, which you can use to store the DN.
This object class contains an attribute groupOfUniqueNames.
All role entries must be stored in the same subtree.
To create a dynamic role
ldap:///base-dn??scope?filter
Specifies the base object for the filter search.
(Optional) One of the following:
Specifies that the filter searches the entire subtree below the base DN.
(Default) Specifies that the filter returns just the DN.
Specifies that the filter searches one level below the base DN.
(Optional) Defines the LDAP search filter, for example:
(|(group=teachers)(group=students))
The role is applied to members when they next log in to the directory.
Example: A Dynamic Role Entry
This example shows a dynamic group entry that is used as a role.
The entry is shown in LDIF format:
dn: cn=Manager,ou=Groups,o=Democorp,c=AU objectClass: groupOfNames objectClass: dxDynamicGroupOfNames objectClass: top cn: Manager dxMemberURL:: bGRhcDovLy9jPVFVSz9zdWI/AHNuPOR1bWVsZWXvssUpIA=0
The DN in the dxMemberURL attribute is encoded, because of the attribute's syntax. The unencoded value is as follows:
ldap:///o=Democorp,c=AU??sub?(position=manager)
In this URL, the search's base object and scope are ignored.
Copyright © 2009 CA. All rights reserved. | Email CA about this topic |