Mike_Ho
Sep 25, 2008

Dynamic members attribute

Can someone describe an example of how to use the "Dynamic members attribute" option when using the LDAP resource group mapping method? The help text mentions a URL to point to, but it's not clear what the URL is or how this ties together. I checked the Firepass wiki and didn't get an example there.

Currently I'm doing group mappings via LDAP and comparing the user's DN to a group object's static members attribute. It turns out that we're going to have more members than the maximum allowed in a single group by our LDAP implementation so I'm left looking for the most suitable alternative method of authorizing access via LDAP.

As for the directory we might move to a group-of-groups scenario but I'm not sure how I'll map users into those groups-in-a-group. Maybe if I understood the "dynamic members attribute" my problem would be solved. Hey, a guy can dream.

Cheers!

2 Replies

  • Hey Michael,

    I just took a read through the 6.0.3 admin guide on Dynamic member attribute and found (page 2-35):

    In the Fetch group information from LDAP group object area, specify the attributes in the appropriate box.

    • The Static members attribute relates to objects with multi-valued membership attributes such as the attribute that contains the list of the user’s DNs, for example, groupofNames, groupofUniqueNames.

    • The Dynamic members attribute determines membership by executing an LDAP URL, for example, groupOfURLs, or an LDAP query that specifies criteria for a group’s membership.

    Note: There is no group object, as such. That is, the LDAP URL exists only in the application that is using it.

    To be honest I'm not a real LDAP guru but hopefully that helps.

    So are you using LDAP for authentication or Group Mapping? Are you on 6.0.2 or 6.0.3? If so are you doing Resource Group mapping in each individual Master Group or globally? There may be a lot of value for you in separating up your Resource Group mappings on a per-Master Group basis. Perhaps this may save you having to maintain an LDAP database from hell ;-)

    Kind Regards,

    Mal
  • Hi Mal, thanks for the reply. I am using 6.0.2 and the group mapping I'm talking about is a master group resource mapping. I do LDAP authentication as well but that works fine and is out of scope of this topic. In this case I have several thousand user DNs that need to be mapped to the master group in question, but the Domino directory can't support that many DNs in one group.

    I'm really just looking for working examples of how the "Dynamic members attribute" group resource mapping works so I can evaluate whether it can help me solve my problem.

    I checked to see if I can wildcard the group object DN in an LDAP group object resource group mapping method and you can not, at least not using notation like "CN=AuthorizedGroup*" and having group DNs "CN=AuthorizedGroup1" and "CN=AuthorizedGroup2" defined with members in LDAP.
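
An added illustration, not from either poster or from the F5 documentation: how a `groupOfURLs`-style dynamic group decides membership by evaluating an LDAP URL (base, scope, filter) against a user, rather than listing DNs. It assumes the URL is stored in the `memberURL` attribute conventionally used with `groupOfURLs`; the thread does not say how FirePass itself evaluates it, all function names are hypothetical, and only a subset of filter syntax is handled.

```python
from urllib.parse import unquote

def parse_ldap_url(url):  # RFC 4516: ldap://host/base?attributes?scope?filter
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    fields = (rest.partition("/")[2].split("?") + [""] * 3)[:4]
    base, _attrs, scope, flt = (unquote(f) for f in fields)
    return base, (scope or "base").lower(), flt or "(objectClass=*)"

def norm_dn(dn):  # simplified: ignores escaped commas inside RDN values
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "sub":
        return base == "" or dn == base or dn.endswith("," + base)
    return (dn.partition(",")[2] if scope == "one" else dn) == base

def _eval(f, i, entry):
    # Returns (result, next index). RFC 4515 subset: & | ! equality, presence.
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":
        op, i, parts = f[i], i + 1, []
        while f[i] == "(":
            r, i = _eval(f, i, entry)
            parts.append(r)
        val = all(parts) if op == "&" else any(parts)
    elif f[i] == "!":
        r, i = _eval(f, i + 1, entry)
        val = not r
    else:
        end = f.index(")", i)
        attr, _, want = f[i:end].partition("=")
        have = [v.lower() for v in entry.get(attr.lower(), [])]
        val, i = (bool(have) if want == "*" else want.lower() in have), end
    return val, i + 1  # step over the closing ')'

def is_dynamic_member(user_dn, entry, member_urls):  # entry: lowercase attr -> values
    for url in member_urls:
        base, scope, flt = parse_ldap_url(url)
        if in_scope(user_dn, base, scope) and _eval(flt, 0, entry)[0]:
            return True
    return False

# Constructed sample (not from the thread): one memberURL value, one user's attributes.
URLS = ["ldap:///ou=People,dc=example,dc=com??sub?(&(objectClass=person)(departmentNumber=42))"]
ALICE = {"objectclass": ["person"], "departmentnumber": ["42"]}
```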