Overview#Groups in eDirectory have some interesting aspects that developers and administrators need to keep in mind when performing their duties.
Group Management With Novell Tools#When using Novell's tools (iManager, ConsoleOne and NWAdmin), the tools perform some background operations that developers and administrators need to know about.
When Adding a User to a Group#Regardless of which method or tool is used, the following attributes should be set (the first two on the Group entry, the last two on the User entry):
- member - An FDN of the user entry.
- equivalentToMe - An FDN of the user entry. The equivalentToMe value is used to allow rights within the NDS Tree to be evaluated to determine who has rights equivalent to the group. In a pure LDAP environment, where rights are not required within the Tree, this is optional.
- GroupMembership - An FDN of the Group entry.
- securityEquals - An FDN of the Group entry. The securityEquals value is used to allow rights within the NDS Tree to be evaluated to determine this entry's rights equivalent to the group. In a pure LDAP environment, where rights are not required within the Tree, this is optional.
When NOT using Novell's tools, often only the member attribute of the group entry is set.
In addition, in various versions, bugs in Novell's tools have caused them to fail to set these attributes.
Later versions of the NetIQ IDM product support the automatic setting of Reciprocal Attributes when either side is set. The driver needs to be enabled for Reciprocal Attributes. Once enabled, setting GroupMembership on the user will cause the driver to set the member attribute on the appropriate group. This assumes both the user and the group are associated with the driver.
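Because non-Novell clients and some tool versions leave the reciprocal values unset, it is worth auditing groups for the four attributes listed above. The following is an added example, not code from the page or from Novell/NetIQ: it audits a constructed directory snapshot and renders LDIF to add whatever is missing. The DNs, group name and snapshot are constructed, and DNs are compared as exact strings.

```python
# Added example (not from the page): audit a group for the four reciprocal
# attributes eDirectory expects (member/equivalentToMe on the group,
# groupMembership/securityEquals on the user) and emit LDIF to repair gaps.
# The snapshot is constructed to look like a search result: {dn: {attr: [values]}}.

GROUP = "cn=admins,ou=groups,o=example"   # constructed DNs
ALICE = "cn=alice,ou=users,o=example"
BOB = "cn=bob,ou=users,o=example"

# Constructed data: alice was added with a Novell tool (all four attributes set),
# bob with a plain LDAP client that set only member and groupMembership.
SNAPSHOT = {
    GROUP: {"member": [ALICE, BOB], "equivalentToMe": [ALICE]},
    ALICE: {"groupMembership": [GROUP], "securityEquals": [GROUP]},
    BOB: {"groupMembership": [GROUP]},
}


def _values(entry, attr):
    # LDAP attribute names are case-insensitive; normalise before lookup.
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def audit_group(snapshot, group_dn):
    """Return (dn, attribute, missing_value) tuples for absent reciprocal
    values; an empty list means the group and its members are consistent."""
    findings = []
    group = snapshot.get(group_dn, {})
    members = set(_values(group, "member"))
    # Every member should also appear in the group's equivalentToMe ...
    for user_dn in sorted(members - set(_values(group, "equivalentToMe"))):
        findings.append((group_dn, "equivalentToMe", user_dn))
    # ... and the user should point back via groupMembership and securityEquals.
    for user_dn in sorted(members):
        user = snapshot.get(user_dn, {})
        for attr in ("groupMembership", "securityEquals"):
            if group_dn not in _values(user, attr):
                findings.append((user_dn, attr, group_dn))
    return findings


def repair_ldif(findings):
    """Render each finding as an LDIF 'changetype: modify' add operation."""
    records = []
    for dn, attr, value in findings:
        records.append(f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {value}\n-\n")
    return "\n".join(records)
```

In a pure LDAP deployment with no Tree rights on the group, the equivalentToMe and securityEquals findings can be ignored, since the page notes those two are optional there.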
What Does it Mean?#
The securityEquals and equivalentToMe attributes are reciprocal attributes and a proprietary feature of eDirectory; they are used only to assign permissions within the eDirectory Tree. If no permissions are assigned within the eDirectory Tree to the Group, there is no consequence to leaving securityEquals and equivalentToMe unpopulated on the entries.
Referential Integrity of Distinguished Name Syntax#eDirectory maintains referential integrity on any values that are of the Distinguished Name syntax.
The good news is that if the member attribute contains a user entry's FDN and that user entry is removed, the corresponding member value is removed as well.
Generically, here are the rules to keep in mind on NDS referential integrity:
- Any attribute that is a distinguished name (DN) must reference an existing entry. This means you cannot populate a DN syntax attribute unless the referenced entry already exists.
- If a referenced entry is moved from one location in the directory tree to another, NDS will automatically fix up the DN to reference the entry in its new location.
- If a referenced entry is deleted in the directory tree, NDS will automatically remove the DN value of the referenced entry.