
Example: How to Configure Dynamic LDAP Groups

Starting with version 10.32, support for dynamic groups is available. This example shows how to configure dynamic LDAP groups in the UCMDB server.

In the LDAP server we have created a user with the ID common_user.

Next we add a dynamic group containing this user:

This group is in the same organizational unit (OU:Groups) as our previous non-root groups.

We add this group to the root group members.

The LDAP server configuration was set up previously.

In SunONE, dynamic groups use a different object class from static groups: groupOfURLs.

So first we must update the Group Base Filter attribute. In this case the new value will be:

(|(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))

If our root group is dynamic, we must also update the root group filter to contain (objectclass=groupOfURLs).

To configure the dynamic groups, use the following JMX Method:

| Parameter Name | Parameter description and how to configure the parameter |
|---|---|
| ldapHost | The host name of an already configured LDAP server. In our case HM: myvm.mylabs.adapps.mydomain.com |
| dynamicGroupsClass | The class from which the groups inherit. In SunONE a static group inherits from the groupOfUniqueNames object class, so in our case it is: groupOfUniqueNames |
| dynamicGroupsDescAttribute | Defines the description of the dynamic groups. In our case it is the same as for static groups: desc |
| dynamicGroupsDisplayNameAttribute | Defines the display name of the dynamic groups. We have: cn |
| dynamicGroupsMemberAttribute | The group members are found using this attribute. For dynamic groups our value is: memberURL |
| dynamicGroupsNameAttribute | Defines the dynamic group name. We have the same value as for the static groups: cn |

Now you have successfully configured the dynamic groups.

To enable or disable the dynamic group configuration for an LDAP server, invoke the useDynamicGroups JMX method: enter the host name and set the isEnabled flag to true or false.

Test if it works:

Now that you have dynamic groups enabled, you can map the dynamic groups to UCMDB groups.

If you authenticate with an LDAP user that is a member of a dynamic group and that group was mapped to a UCMDB group, the user created in UCMDB should now be a member of the mapped UCMDB group.

For example:

We map the LDAP group Dynamic to the UCMDB groups we want. We mapped it to a group named Admin with the admin and superadmin roles.

We have our user common_user. With dynamic groups disabled, we authenticate as common_user. Because the user cannot be found in the Dynamic group, he/she is mapped to the default UCMDB group configured in the LDAP settings. In our case, that is UCMDBGroup.

Now we enable dynamic groups. If the settings are right and we authenticate again as common_user, we are now mapped to the mapped UCMDB group (Admin).
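Because a dynamic group's membership is computed from the LDAP URL stored in memberURL, it is worth listing who that URL resolves to before mapping the group to a privileged UCMDB group such as Admin. The following is an added example, not part of the UCMDB product or its documentation: the directory entries, DNs, and the departmentNumber attribute are constructed, and the filter parser covers only a subset of LDAP filter syntax.

```python
import re
from urllib.parse import unquote

def parse_member_url(url):
    """Split ldap://host/<base>?<attrs>?<scope>?<filter> (RFC 4516 layout)."""
    m = re.match(r"ldaps?://[^/]*/([^?]*)\??([^?]*)\??([^?]*)\??(.*)$", url, re.I)
    if not m:
        raise ValueError("not an LDAP URL: " + url)
    base, _attrs, scope, flt = map(unquote, m.groups())
    return base.lower(), scope.lower() or "base", flt or "(objectClass=*)"

def parse_filter(s, i=0):
    """Parse a filter subset: &, |, !, equality and presence (attr=*)."""
    i += 1  # skip the opening "("
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] in "&|!":
        hits = [matches(k, entry) for k in node[1]]
        return {"&": all(hits), "|": any(hits), "!": not any(hits)}[node[0]]
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2] in values

def in_scope(dn, base, scope):
    dn = dn.lower()
    if dn == base or scope == "base":
        return dn == base and scope != "one"
    # "one" means a direct child of the base (naive: ignores escaped commas)
    return dn.endswith("," + base) and (scope == "sub" or "," not in dn[: -len(base) - 1])

def resolve_members(member_url, entries):
    base, scope, flt = parse_member_url(member_url)
    tree = parse_filter(flt)[0]
    return sorted(d for d, e in entries.items() if in_scope(d, base, scope) and matches(tree, e))

# Constructed sample directory (assumed DNs and attributes; keys lower-case).
PEOPLE = "ou=People,dc=example,dc=com"
ENTRIES = {
    "uid=common_user," + PEOPLE: {"objectclass": ["person"], "departmentnumber": ["cmdb"]},
    "uid=contractor1," + PEOPLE: {"objectclass": ["person"], "departmentnumber": ["ext"]},
    "uid=svc_backup,ou=Services," + PEOPLE: {"objectclass": ["person"], "departmentnumber": ["cmdb"]},
}
```

With this sample data, a one-level URL filtered on departmentNumber=cmdb selects only common_user, while a subtree URL with (objectClass=*) selects every entry under the base, all of whom would receive the mapped group's roles at login.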