Can I use dynamic groups to determine which users are imported from eDir via LDAP?

  • 7010543
  • 01-Aug-2012
  • 01-Aug-2012

Environment

Novell Vibe OnPrem

Situation

You can determine who gets imported into Vibe from eDir by adding extra criteria to the LDAP user import filter. For instance, you can extend the default user import filter with a clause that limits the import to users who are members of a specific group.
This looks similar to the example below. The default user import filter is:
 
(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson))

You can make the import conditional on group membership, which gives:
 
(&(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson))(groupMembership=cn=<group_name>,<group_container_DN>))

Note that the group clause must be ANDed with the whole objectClass OR (if it is placed inside the OR it restricts nothing), and that groupMembership is a DN-syntax attribute, so the value has to be the full distinguished name of the group, not just its cn. This works for static groups but fails for dynamic groups.

Resolution

In eDir, when you add a user to a static group, the user object (eDir class User) gets the additional attribute groupMembership, holding the DN of the group. You can use this attribute to filter which users are imported.
However, when a user becomes a member of a dynamic group because it matches the attribute criteria that define the group's membership, that membership is not recorded on the user object: no groupMembership value is added. Inspecting the user object does not tell you whether it is a member of a dynamic group, so membership in a dynamic group cannot be used as a criterion for importing users into Vibe.
 
Since Vibe 3.3 dynamic groups are supported, but they are not intended to serve as a user import criterion. Dynamic groups can be defined locally in Vibe or imported into Vibe from eDir via LDAP. However, importing groups into Vibe does not automatically give the group members Vibe accounts. Groups (static or dynamic) are meant to grant rights to specific parts of Vibe, provided you already have a Vibe account and are also a member of the group.
Membership in a dynamic group is controlled via eDir attributes added to or removed from the user's eDir account. As with a static group, being a member of a dynamic group does not by itself grant access to Vibe; it can grant rights to a specific part of Vibe only if you also exist in Vibe as a regular user.