NDS Groups#NDS Groups have some interesting aspects that developers and administrators need to keep in mind when performing their duties.
Group Management With Novell Tools#Novell's tools (iManager, ConsoleOne and NWAdmin) perform some background operations that developers and administrators need to know about.
When Adding a User to a Group#Regardless of which method or tool is used, the following attributes should be set on the Group entry:
- member - An FDN of the user entry.
- equivalentToMe - An FDN of the user entry. The equivalentToMe value is used to allow rights within the NDS Tree to be evaluated to determine who has equivalent rights to the group. In a pure LDAP environment, where rights are not required within the Tree, this is optional.
- GroupMembership - An FDN of the Group entry.
- securityEquals - An FDN of the Group entry. The securityEquals value is used to allow rights within the NDS Tree to be evaluated to determine this entry's equivalent rights to the group. In a pure LDAP environment, where rights are not required within the Tree, this is optional.
When NOT using Novell's tools, often only the member attribute of the group entry is set.
In addition, in various versions, bugs in Novell's tools cause them to fail to set the attributes.
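An added example, not part of the original page or of any Novell tool: a Python audit over a constructed LDIF export that reports links recorded on only one side, which is the state left behind when only member is set or a tool skips an attribute. It assumes the usual eDirectory layout (member and equivalentToMe held on the group, groupMembership and securityEquals held on the user); the sample DNs and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample export (not a real tree); no line folding or base64.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,o=acme
member: cn=alice,ou=users,o=acme
member: cn=bob,ou=users,o=acme
equivalentToMe: cn=alice,ou=users,o=acme

dn: cn=alice,ou=users,o=acme
groupMembership: cn=admins,ou=groups,o=acme
securityEquals: cn=admins,ou=groups,o=acme

dn: cn=bob,ou=users,o=acme

dn: cn=carol,ou=users,o=acme
securityEquals: cn=admins,ou=groups,o=acme
"""

def norm(dn):
    """Simplified DN normalisation: case-fold and trim around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse(ldif):
    """Return {dn: {attr: set(values)}} with attribute names lower-cased."""
    entries = {}
    for block in ldif.strip().split("\n\n"):
        attrs = defaultdict(set)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].add(norm(value))
        entries[attrs.pop("dn").pop()] = attrs
    return entries

# Each pair: (attribute on the group, attribute expected on the user).
PAIRS = [("member", "groupmembership"), ("equivalenttome", "securityequals")]

def audit(entries):
    """List (group_dn, user_dn, missing_attr) for every one-sided link."""
    findings = set()
    for dn, attrs in entries.items():
        for g_attr, u_attr in PAIRS:
            for user in attrs.get(g_attr, ()):      # group -> user direction
                if dn not in entries.get(user, {}).get(u_attr, ()):
                    findings.add((dn, user, u_attr))
            for group in attrs.get(u_attr, ()):     # user -> group direction
                if dn not in entries.get(group, {}).get(g_attr, ()):
                    findings.add((group, dn, g_attr))
    return sorted(findings)
```

On the sample, bob is a member without a matching groupMembership value, and carol carries securityEquals to the group without appearing in the group's equivalentToMe, so her rights would not show up in a review based on member alone.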
Referential Integrity of Distinguished Name Syntax#NDS maintains referential integrity on any values that are of the Distinguished Name syntax.
The good news is that if the member attribute contains a user entry FDN and the user entry is removed, the member attribute value for the removed user entry will be removed.
Generically, here are the rules to keep in mind on NDS referential integrity:
- Any attribute that is a distinguished name (DN) must reference an existing entry. This means you cannot populate a DN syntax attribute unless the referenced entry already exists.
- If a referenced entry is moved from one location in the directory tree to another, NDS will automatically fix up the DN to reference the entry in its new location.
- If a referenced entry is deleted in the directory tree, NDS will automatically remove the DN value of the referenced entry.