How memberOf Updates are Triggered
When a group entry or member is updated, CA Directory can trigger a memberOf update. In the following description, a group entry is a groupOfNames or groupOfUniqueNames, and a member includes a uniqueMember.
The following are the types of updates that can trigger a memberOf update:
- A modify that adds one or more DNs to the member attribute of a group entry
- A modify that removes one or more DNs from the member attribute of a group entry
- An add of a group entry that contains one or more DN member attributes
- A remove of a group entry that contains one or more DN member attributes
When a data DSA receives a modify request, the following occurs:
- CA Directory inspects its contents to determine whether all the following conditions are true:
  - The baseObject of the update is subordinate to a DN from the list of configured 'memberof-group-containers'.
  - The baseObject exists for a modify or delete request, and the baseObject does not exist for an add request.
  - The update applies locally.
  - The user performing the update has the appropriate AC to perform the operation.
- For each member attribute that is subordinate to a DN from the list of configured 'memberof-user-containers':
  - The request is performed on the user entry, and the group DN is added to or removed from memberOf, and a rollback modify is created.
  - If the request is successful, then a rollback modify is inserted into the rollback list. If an error occurs, a rollback is performed.
- If memberOf attributes have been updated for all user entries, the following occurs:
  - A group update is performed.
  - If an error occurs, memberOf updates are rolled back.
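The sequence above can be modeled as a small transaction with a rollback list. The following Python sketch is an added example, not CA Directory code: `Directory`, `add_members`, `fail_on`, `demo` and the sample DNs are hypothetical, subordination is reduced to a suffix match, and the access control and "applies locally" checks are left out.

```python
# Added illustration (not CA Directory code): in-memory model of the sequence above.
# Directory, add_members, fail_on and the sample DNs are hypothetical names.

def is_under(dn, containers):
    """True if dn is subordinate to a configured container (simplified suffix match)."""
    return any(dn.lower().endswith("," + c.lower()) for c in containers)

class Directory:
    def __init__(self, group_containers, user_containers):
        self.group_containers = group_containers  # 'memberof-group-containers'
        self.user_containers = user_containers    # 'memberof-user-containers'
        self.entries = {}                         # DN -> {attribute: set of values}
        self.fail_on = set()                      # constructed fault injection for the demo

    def add_members(self, group_dn, member_dns):
        """Modify-add of member DNs on a group entry, keeping memberOf in step."""
        group = self.entries.get(group_dn)
        # Trigger conditions: baseObject exists and sits under a group container.
        if group is None or not is_under(group_dn, self.group_containers):
            return "not-triggered"
        rollback = []                             # rollback list of inverse modifies
        try:
            for dn in member_dns:
                if not is_under(dn, self.user_containers):
                    continue                      # outside user containers: no memberOf
                if dn in self.fail_on:
                    raise RuntimeError("user update failed: " + dn)
                values = self.entries[dn].setdefault("memberOf", set())
                if group_dn not in values:
                    values.add(group_dn)
                    rollback.append((dn, group_dn))
            # Every user entry is updated, so the group update is performed last.
            group.setdefault("member", set()).update(member_dns)
            return "committed"
        except (RuntimeError, KeyError):
            for dn, g in reversed(rollback):      # undo memberOf values already written
                self.entries[dn]["memberOf"].discard(g)
            return "rolled-back"

def demo(fail_on=()):
    """Run one modify against constructed sample entries and return (status, directory)."""
    d = Directory(["ou=groups,o=example"], ["ou=people,o=example"])
    d.entries = {"cn=admins,ou=groups,o=example": {},
                 "cn=alice,ou=people,o=example": {},
                 "cn=bob,ou=people,o=example": {}}
    d.fail_on = set(fail_on)
    status = d.add_members("cn=admins,ou=groups,o=example",
                           ["cn=alice,ou=people,o=example", "cn=bob,ou=people,o=example"])
    return status, d
```

Calling `demo(fail_on=["cn=bob,ou=people,o=example"])` shows the property that matters for authorization decisions based on memberOf: the value already written to alice's entry is removed again and the group entry is left unchanged.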