
Copy a group object

I'm not sure if this is really an iManager, OES, or eDirectory question.

Anyway:
OES 11 SP1 (yeah yeah, I know)
iManager 2.7 and whatever eDir version was around for SP1.

Anyway, in iManager -> Directory Administration is an option for:
Copy Object.

That gives you 3 main choices:
1) Create new object and copy attribute values
2) Copy attribute values to an existing object

And a checkbox for:
Copy ACL rights

The use case is that we're using Groups for file rights (long story, we're being forced to migrate to nasty Windows). In practice, we generally have 3 categories of rights:

Read Only (i.e. RF) - You can look, copy, but you cannot change, delete, etc.
"full" (i.e. RWCEFM) - You can basically do whatever, but no ACL rights
and rarely get the: No Erase (RWCF) - You can look at stuff, put new stuff into the folder, but you cannot overwrite the data or delete the data that's there.

But it's not uncommon to have a Group for Read Only and a Group for "Full" that have the same users in them (file rights are assigned via NSS/Novell Client).

So if you create/populate a group for "read only" it would be nice to copy that group (and its membership) for the "full" and then you just assign the rights via Novell Client like you normally would.

However, when I use the Copy Object and the first choice in iManager, it creates an empty group. Description is copied as are other attributes, but apparently not Members tab.

Granted, the "?" icon states that this doesn't do that.

Therefore:

Is there a way to do this (short of LDAP stuff and IDM stuff)? I'm assuming this is a limitation of eDir and not iManager (although it could very well be a limitation of iManager, but I don't recall if ConsoleOne had the same issues or not, but that's no longer used).

Thanks!

Re: Copy a group object

There is no reason in eDirectory why you cannot copy users from one group
to another, which is why the two ways you excluded (LDAP and IDM) make it
pretty easy to do just that, probably more so with LDAP than IDM. Why you
would exclude those, I have no idea, but it's your call.

One thing to note about the LDAP approach is that you'll still probably
want to modify both attributes on both the user and group sides of the
relationship.

Another thing to note is it sounds like you are talking about filesystem
rights, and those are not stored in eDirectory, so while rights can flow
from eDirectory into the filesystem, there is no such thing as "file scan"
anywhere within eDirectory, so your options for doing granular
filesystem-specific things within eDirectory are very limited. You could
at least have the groups match up, so then you can handle rights on the
group level, but actually dealing with the filesystem rights within
eDirectory is something magically hidden behind tools like iManager, or
the Novell Client, or whatever, which bridge the gap between eDirectory
and NSS behind the scenes.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Re: Copy a group object

Thanks Aaron.

I was just explaining the use case which involved file rights in case someone wondered why you'd want to copy a group object.
In terms of the LDAP stuff, it's so that non-admin users can do this, instead of me having to do all the work.

I.e., I can give a non-tree admin roles in iManager to manage the group membership, no sense in me having to LDAP manipulate it.

But unfortunately it appears the only way to copy a group object with the members intact is LDAP or IDM.
Although I'll have to see if AD can do it, since we sync eDir/AD.
Maybe the MMC can do this, but I don't know.

Re: Copy a group object

On 11/10/2017 03:04 PM, kjhurni wrote:
>
> I was just explaining the use case which involved file rights in case
> someone wondered why you'd want to copy a group object.
> In terms of the LDAP stuff, it's so that non-admin users can do this,
> instead of me having to do all the work.
>
> Ie: I can give a non-tree admin roles in iManager to manage the group
> membership, no sense in me having to LDAP manipulate it.


If you give a user roles in iManager, i.e. Role Based Services (RBS)
roles, that literally grants rights in eDirectory (iManager does not proxy
that stuff magically), meaning they can then go in with any old tool,
including Apache Directory Studio (which interacts via LDAP), and do the
work in the LDAP way.

> But unfortunately it appears the only way to copy a group object with
> the members intact is LDAP or IDM.
> Although I'll have to see if AD can do it, since we sync eDir/AD.
> Maybe the MMC can do this, but I don't know.


If you give a user rights within Microsoft Active Directory (MAD) then you
are still doing the same thing, giving them rights over objects, and that
is no different from using LDAP.

I think sometimes iManager's RBS stuff feels like it is only specific to
iManager stuff, but that has been a common misunderstanding for a long
time. When granting somebody access to something via RBS the iManager
interfaces grants ACLs in eDirectory to do those things, and sometimes
those things are even granting Supervisor rights (because that is what is
needed for some operations), so granting rights via RBS is something to be
done carefully, like any rights grants in any system.

--
Good luck.


Re: Copy a group object


Thanks Aaron. While I understand that iManager gives the rights via Roles (you could also do it via other tools), my point is that a user that can barely function in iManager will most certainly NOT be able to run Apache Directory Studio and do LDIF stuff.

Thus, the "GUI" of iManager was preferred.

Unless I'm mistaken, even if I use Apache Directory Studio, I would have to:
a) Export the group that the users want copied.
b) "Massage" the LDIF file appropriately (probably just rename the cn and make sure that the old value isn't elsewhere in the LDIF file)
c) Import the LDIF file
d) Then Massage the file some more to get the list of users and perform LDIF operations on all the users (because if I recall, when using LDAP to modify groups in eDirectory there's the reciprocal attributes that you have to make sure you modify on both the group object and the user object).

Or did "d" somehow change and you only have to import a Group object and no longer have to mess with the corresponding user objects as well?

Now, try explaining all the above to a user that can barely function in iManager, and you can see why I'm trying to find a simple, GUI-tool that one could just right-click and copy or something similar.

Granting the rights isn't the issue here (technically the "helpers" have the appropriate admin rights to their own little ou already). It's the tool needed to copy a group object that I'm after that's "simple" for someone to understand.

I'm going to play with the AD MMC today and see what, if anything, it can do.

Re: Copy a group object

This is the kind of task you could create with a script and have them just
specify the groups to copy and it would be pretty slick. For example,
they SSH into a server (or use their own system if they have a valid
shell, or can add Cygwin for one, or something) you could make a script
that lets them do nothing more than type in the source group name, type in
the target group name, and possibly enter their password (unless you want
to store a password in the script or something) after confirming things.
I've done this for a lot of clients who are not super IT gurus, but
because they work in IT it is not unreasonable to expect them to learn
tiny things like how to run two commands, one of which can be done from a
GUI-based SSH client.

Making those scripts is really easy too, and something we could work
through here easily. On the other hand, I do not know why iManager would
have that limitation, so you could probably work around it with a custom
plugin (Plug-In Studio could let you create that) or via an enhancement
request to Micro Focus.

--
Good luck.


Re: Copy a group object


It's been a while, but I seem to recall that you can "copy" a Group in iManager, but the results are not what you'd hope for. I seem to recall that it does copy the Members attribute just fine, but it doesn't then go update the User objects' Group Membership and Security Equal To attributes. So, depending on where you look, they may or may not appear to be members of the group, but without Security Equal To, they don't inherit any rights from the group that they sort of are in.

If my memory is correct, you could probably fix this with a Null driver.
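As an added illustration of the two points made in this thread (the "script that takes a source and target group" Aaron suggests, and the half-copied state the last reply describes where Member is set but Group Membership / Security Equal To are not), here is example code that is not from any poster: it emits the LDIF that creates the target group with both group-side attributes and writes the reciprocal user-side attributes, plus an audit that flags members who will not actually inherit rights. It assumes the standard eDirectory LDAP attribute names `member`/`equivalentToMe` (group side) and `groupMembership`/`securityEquals` (user side), and the sample DNs are constructed.

```python
from typing import Dict, List

# eDirectory LDAP attribute names (assumed standard mappings; check your schema).
GROUP_SIDE = ("member", "equivalentToMe")
USER_SIDE = ("groupMembership", "securityEquals")


def copy_group_ldif(source: Dict[str, List[str]], target_dn: str) -> str:
    """Emit LDIF that creates target_dn from the source group's attributes and
    adds the reciprocal attributes on every member user. Without the user-side
    half, the Members tab looks right but no rights flow through Security Equals.
    Writing equivalentToMe/securityEquals needs Supervisor on the objects."""
    members = source.get("member", [])
    cn = target_dn.split(",", 1)[0].split("=", 1)[1]
    out = [f"dn: {target_dn}", "changetype: add", "objectClass: groupOfNames", f"cn: {cn}"]
    out += [f"description: {d}" for d in source.get("description", [])]
    for m in members:
        out += [f"{GROUP_SIDE[0]}: {m}", f"{GROUP_SIDE[1]}: {m}"]
    out.append("")
    for m in members:
        out += [f"dn: {m}", "changetype: modify"]
        for attr in USER_SIDE:
            out += [f"add: {attr}", f"{attr}: {target_dn}", "-"]
        out.append("")
    return "\n".join(out)


def audit_membership(group_dn: str, members: List[str],
                     users: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Return, per member DN, the user-side attributes that do not point back at
    group_dn. A non-empty result is the inconsistent state described above:
    the user is listed in the group but inherits nothing from it."""
    missing: Dict[str, List[str]] = {}
    for m in members:
        attrs = users.get(m, {})
        gaps = [a for a in USER_SIDE if group_dn not in attrs.get(a, [])]
        if gaps:
            missing[m] = gaps
    return missing


if __name__ == "__main__":
    # Constructed sample data, not from any real tree.
    src = {"member": ["cn=alice,ou=users,o=acme", "cn=bob,ou=users,o=acme"],
           "description": ["Finance share, read-only"]}
    print(copy_group_ldif(src, "cn=Finance-Full,ou=groups,o=acme"))
```

In practice the `source` dict would come from an `ldapsearch` of the source group, and the output is fed to `ldapmodify`; run the audit afterwards against the users' actual attributes to confirm both halves landed.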