In earlier releases of Connector Xpress, mapping a group object type implicitly created the association between groups and accounts. However, in this release of Connector Xpress, you have fine-grained control over the associations between accounts and groups on the endpoint system. To define groups and define group membership, you explicitly create associations between classes. You can create direct, reverse, or indirect associations. Creating an association between classes defines the class as a group class.
For JNDI connectors, the group class member attribute is hardwired to contain values of type DN (Distinguished Name). Values of this type are expressed relative to the root of the endpoint directory and enumerate the accounts belonging to each group.
The member attribute for the group class is virtual, meaning that its value is expensive to retrieve, as it has to be computed from group.member rather than being directly looked up. We therefore recommend that you request it with caution.
Some JNDI vendors, notably Novell eDirectory, actually expose the account.memberOf attribute in their schema. However, to guarantee consistent behavior across all vendors, you are prohibited from mapping it explicitly. Instead, CA IAM CS implements it as a virtual attribute.
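The following added example (a simplified model, not CA IAM CS code) shows why an account.memberOf value computed from group.member is expensive: each request scans the member values of every group, and DN values must be normalized before comparison or memberships are missed. The group entries, DNs, and function names are constructed for illustration.

```python
# Added illustration: derive a virtual account.memberOf from group.member values.
# All entries below are constructed sample data, not from a real endpoint.

def normalize_dn(dn):
    """Simplified DN normalization: trim whitespace in each RDN and lower-case it.
    Assumes no escaped commas or multi-valued RDNs; a real DN parser handles both."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

# Constructed groups: group DN -> values of its member attribute,
# expressed relative to the root of the endpoint directory.
GROUPS = {
    "cn=admins,ou=groups": ["cn=alice,ou=people", "CN=Bob, OU=People"],
    "cn=auditors,ou=groups": ["cn=bob,ou=people"],
    "cn=empty,ou=groups": [],
}

def member_of(account_dn, groups=GROUPS):
    """Compute memberOf for one account by scanning every group's member list.
    Returns (sorted group DNs, number of member values compared)."""
    target = normalize_dn(account_dn)
    found, compared = [], 0
    for group_dn, members in groups.items():
        for member in members:
            compared += 1
            if normalize_dn(member) == target:
                found.append(group_dn)
                break  # one match per group is enough
    return sorted(found), compared

def build_reverse_index(groups=GROUPS):
    """One pass over all groups yields memberOf for every account at once,
    which is cheaper than calling member_of() per account in a bulk review."""
    index = {}
    for group_dn, members in groups.items():
        for member in members:
            index.setdefault(normalize_dn(member), set()).add(group_dn)
    return index
```

For an access review that needs memberOf for many accounts, building the reverse index once avoids repeating the full scan for each account.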
Copyright © 2013 CA.
All rights reserved.