To properly add a user to a group there are actually four attributes that need to be modified:

  • add the FDN of the User to the Member attribute of the Group object
  • add the FDN of the User to the EquivalentToMe attribute of the Group object
  • add the FDN of the Group to the GroupMembership attribute of the User object
  • add the FDN of the Group to the SecurityEquals attribute of the User object

Although the syntax of all four attributes is DN, and referential integrity is enforced on the value supplied (the entry named by the FDN must exist), nothing forces the values to be populated in the first place.

Because the syntax is DN, if the user entry is deleted, the User's FDN is removed both from the Member attribute and from the EquivalentToMe attribute of the Group object. So there is referential integrity on the removal of a member value from a group object.

Likewise, if the group is removed, the Group's FDN is removed from the GroupMembership attribute and from the SecurityEquals attribute of the User object.

GroupMemberShip Attribute#

Novell's eDirectory has a user attribute "groupMembership" that is used to track the user's group memberships. However, this is a carry-over from the NetWare roots of eDirectory.

The "groupMembership" attribute does not support referential integrity and should not be counted on as valid. That is, if a user is added to a group's Member attribute, the groupMembership attribute is not populated by eDirectory; Novell's management interfaces, iManager and ConsoleOne, do populate the groupMembership attribute themselves.

From the IDM (DirXML) perspective, renaming a user or group will not cause an event, as the reference is kept only by the ID number.

The LDAP specification only requires that the group entry have the user's FDN in the "member" attribute.

If Novell's tools, ConsoleOne or iManager, are used to add the user to a group, the tools will populate the "groupMembership" attribute. If some other tool is used, that tool will need to populate the "groupMembership" attribute itself.

If a LDAP call is made to add a user to a group, there is no guarantee that the "groupMembership" attribute is maintained properly.

In addition, if Dynamic Groups are implemented, the "groupMembership" attribute will not reflect membership in the dynamic groups.

More info#

Each member of a group has a relationship as shown below.

          GROUP          <=>  USER
          equivalentToMe <=>  securityEquals
          member         <=>  groupMembership

Each of the attributes is of syntax DN. This implies that every time one of the attributes is changed, the server checks to see if the corresponding value exists on the other entry.

When adding a user to a group, if the "member" attribute is populated with a DN, the entry specified within the DN must exist; otherwise an LDAP result code of 19, LDAP_CONSTRAINT_VIOLATION, is returned.

When adding a user to a group, if the "equivalentToMe" attribute is populated with a DN, the entry specified within the DN must exist; otherwise an LDAP result code of 19, LDAP_CONSTRAINT_VIOLATION, is returned.

Likewise, when the user entry's "groupMembership" attribute is populated with a DN, the DN must exist.
Also, when the user entry's "securityEquals" attribute is populated with a DN, the DN must exist.
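The four-attribute link listed at the top of this page and the GROUP<=>USER relationship above, worked through as an added example (not code from the original page): one function emits the LDIF needed to set all four attributes at once, and a second audits a directory snapshot (a constructed `{dn: {attribute: [values]}}` dictionary, an assumption of this example) for memberships where only one side of the relationship was populated, which is exactly what a plain LDAP "member" add leaves behind.

```python
# Added example (not from the page): emit the four-attribute eDirectory
# membership link as LDIF and audit a snapshot {dn: {attr: [values]}}.
# Each link: entry modified, attribute, and which DN the attribute holds.
LINKS = [
    ("group", "member", "user"),
    ("group", "equivalentToMe", "user"),
    ("user", "groupMembership", "group"),
    ("user", "securityEquals", "group"),
]
# The back-reference each attribute expects on the other entry.
COUNTERPART = {
    "member": "groupMembership", "groupMembership": "member",
    "equivalentToMe": "securityEquals", "securityEquals": "equivalentToMe",
}

def membership_ldif(user_dn, group_dn):
    """LDIF modify records adding all four links at once; a client that
    only adds 'member' leaves the user-side attributes unpopulated."""
    records = []
    for side, attr, value_side in LINKS:
        target = group_dn if side == "group" else user_dn
        value = user_dn if value_side == "user" else group_dn
        records.append(f"dn: {target}\nchangetype: modify\n"
                       f"add: {attr}\n{attr}: {value}\n-\n")
    return "\n".join(records)

def audit_membership(snapshot):
    """Sorted (dn, attribute, missing_value) for every reference whose
    counterpart attribute on the other entry does not point back."""
    by_lower = {dn.lower(): dn for dn in snapshot}   # DNs match case-insensitively
    missing = set()
    for dn, attrs in snapshot.items():
        for attr, other_attr in COUNTERPART.items():
            for ref in attrs.get(attr, []):
                other = by_lower.get(ref.lower(), ref)   # dangling ref keeps its DN
                back = [v.lower() for v in snapshot.get(other, {}).get(other_attr, [])]
                if dn.lower() not in back:
                    missing.add((other, other_attr, dn))
    return sorted(missing)

# Constructed snapshot: alice was added with a plain LDAP 'member' add, so
# her user entry never received groupMembership or securityEquals.
SNAPSHOT = {
    "cn=admins,ou=groups,o=example": {
        "member": ["cn=alice,ou=users,o=example"],
        "equivalentToMe": ["cn=alice,ou=users,o=example"],
    },
    "cn=alice,ou=users,o=example": {},
}
```

Running `audit_membership(SNAPSHOT)` reports the two missing user-side values; feeding `membership_ldif(...)` to an LDIF-capable client when the membership is first created avoids the half-linked state.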

When a user is removed from the LDAP DIT, the groupOfNames entries will be cleaned up.

If the groupOfNames is removed from the LDAP DIT, the user entries will also be cleaned up.

Another issue with using groups is that management of the attributes involved cannot be protected. That is, anyone who can add a person to a group can add the person to any group.

(Is that right? If we protect the group so it is read-only, then I suppose this is not exactly the case.) But anyone who can remove a value from the groupMembership attribute on a user could remove any or all of the values.

This page (revision-3) was last changed on 06-Oct-2011 14:49 by jim