
Definition for the "member" attribute


Hello.


I have a question about the "member" attribute for groups.

According to the documentation of Active Directory, this attribute can
contain "user, group, and contact objects" -
https://msdn.microsoft.com/en-us/library/ms676913(v=vs.85).aspx

In RFC 4519, this attribute contains "distinguished names of objects",
objects aren't typed - https://tools.ietf.org/html/rfc4519#page-11

In documentation of eDirectory, "a Group object represents a set of User
objects" - http://tinyurl.com/k3h2tuh

Also, if we put a DN of a group in the member attribute of another
group, that is a violation of group definition in eDirectory, correct?

This question is about synchronization between an eDirectory and an
Active Directory.


Lilian


--
lgallet
------------------------------------------------------------------------
lgallet's Profile: https://forums.netiq.com/member.php?userid=5343
View this thread: https://forums.netiq.com/showthread.php?t=52796


Re: Definition for the "member" attribute

On 02/11/2015 03:44 AM, lgallet wrote:
>
> According to the documentation of Active Directory, this attribute can


Which is irrelevant to anything but MAD itself...

> contain "user, group, and contact objects" -
> https://msdn.microsoft.com/en-us/library/ms676913(v=vs.85).aspx
>
> In RFC 4519, this attribute contains "distinguished names of objects",
> objects aren't typed - https://tools.ietf.org/html/rfc4519#page-11


Yes, makes sense, though whether or not you get anything out of any old
object is, I believe, left undefined. Essentially 'member' is a pointer to
an object, and how the system treats a member depends on what that object is.

> In documentation of eDirectory, "a Group object represents a set of User
> objects" - http://tinyurl.com/k3h2tuh


And "user objects" is specific here. Sure, you can probably point to a
server object, or a customClassOfYours object, but getting benefits of
group membership will not apply unless eDirectory knows that it should.

> Also, if we put a DN of a group in the member attribute of another
> group, that is a violation of group definition in eDirectory, correct?


This is NOT correct; there is a separate attribute to be used for nested
group relationships: groupMember

> This question is about synchronization between an eDirectory and an
> Active Directory.


After tinkering a bit based on the information above to fully understand
(presumably) nested group membership, you may want to do some
experimenting in a test IDM environment and then post follow-up questions
and level three traces in the IDM engine/drivers forum. Also, the IDM
docs talk about nested groups a bit explicitly because they are a weirder
beast than a standard group/member relationship:

https://www.netiq.com/documentation/idm45/policy/data/policynestedgroups.html

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Definition for the "member" attribute


Ok, it confirms what I understood.



Re: Definition for the "member" attribute

On Wed, 11 Feb 2015 10:44:08 +0000, lgallet wrote:

> Hello.
>
>
> I have a question about the "member" attribute for groups.
>
> According to the documentation of Active Directory, this attribute can
> contain "user, group, and contact objects" -
> https://msdn.microsoft.com/en-us/library/ms676913(v=vs.85).aspx
>
> In RFC 4519, this attribute contains "distinguished names of objects",
> objects aren't typed - https://tools.ietf.org/html/rfc4519#page-11


Correct, yes.


> In documentation of eDirectory, "a Group object represents a set of User
> objects" - http://tinyurl.com/k3h2tuh
>
> Also, if we put a DN of a group in the member attribute of another
> group, that is a violation of group definition in eDirectory, correct?


Yes, and no. While you can nest groups in eDirectory, doing so doesn't
necessarily do what you expect. To understand why, and how it's different
from Active Directory, you have to look at the history of the services.

In both eDirectory (eDir) and Active Directory (MAD), a Group object is a
security principal, so you can group a bunch of objects (usually
representing people) together and give them rights to something. That
something could be file system directories, or a shared printer, or
whatever.

In eDir, an Organizational Unit (OU) is also a security principal. You
can grant rights to do something to an OU object. eDir then implements a
concept of inheritance, so that all objects in or below a particular OU
are security equivalent to the OU, so they gain any rights you grant to
the OU object. You can, for example, grant OU=Finance the rights to use
the shared printer in their office, then all User objects you create
under OU=Finance automagically inherit the rights to use the printer. eDir
calls this a security equivalence vector.

In MAD, an OU is _not_ a security principal. You can't do anything with
the OU=Finance container that means anything to any User objects created
in it. Recognizing that inheritance is a powerful tool, MAD implements
it, but differently, using nested groups. So instead of building a
structured tree design and having rights to things flow to User objects
from their location in the tree, MAD administrators tend to build a
structure of nested groups to do the same thing. So all people working in
the Finance division are, either directly or by a series of nested
groups, eventually seen as members of the Finance group, so that they can
inherit the rights the Finance division members are supposed to have.

So what happens in eDir if you nest groups? You can do so, there's
nothing in the schema or actual rules to stop you. Some of the
administration tools (ConsoleOne, for example) won't do it, but won't
complain if you do it another way (LDIF). Nothing, really.

But, when the security equivalence vector is calculated for a User, it
looks like:

User
+ Groups User is a member of (*)
+ Objects that User is Security Equivalent To (**)

(*) This is direct memberships and does _not_ include any nested groups
you may build, nor does it include any dynamic groups.

(**) This is objects that are listed on the Security Equal To attribute,
plus the parent containers of the object, up to the [Root] of the tree.

So if you build a nested group structure in eDir, thinking that it'll
work like MAD's nested groups for assigning rights to things, you'll be
unhappily surprised when you discover that (*) is the case.


> This question is about synchronization between an eDirectory and an
> Active Directory.


That sounds like IDM, or possibly you're doing something similar with a
different product. In IDM cases, nested groups may make sense in some
environments, and maybe should be built in the ID vault, but you may need
to unroll the nesting in to environments where they do not make sense. I
think Father Ramon posted some thoughts on how to do so a long time ago
in the idm.engine-drivers forum.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: Definition for the "member" attribute


Thanks for the information on the differences between eDirectory and
AD; it can be useful.

Our problem isn't about security but about the creation of nested
groups (where the list of members doesn't contain inherited members), with
synchronization between eDir and AD. So the first thing we thought of is to
copy groups as they are in AD.

But if I understand correctly, the best things to do (to respect the
concepts) are:
- in AD, put nested groups in the "member" attribute;
- in eDir, put nested groups in the "groupMember" attribute and use the
nestedGroupAux class with the "nestedConfig" attribute set to 1.

Note: yes, we use IDM.


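As an added example (not from the thread, and not NetIQ, IDM or driver code), here is a small Python model of the two membership semantics David describes above and of the plan in the previous post: eDirectory's security equivalence vector (direct "member" values only, plus "Security Equal To" and the parent containers up to [Root]) versus Active Directory's transitive expansion of group DNs listed in "member", and the "unroll" a driver needs when the target system will not expand nesting itself. All DNs, group and user names and attribute values are constructed; treating nestedConfig as a simple on/off flag for following groupMember is an assumption, and the DN parsing is naive (no escaped commas).

```python
"""Added example: eDir security equivalence vs. AD nested groups, and
unrolling nested groups for synchronization. All data is constructed."""
from __future__ import annotations

# Constructed eDirectory-style groups.
#   'member'      : direct members (the RFC 4519 attribute)
#   'groupMember' : nested groups (nestedGroupAux, as in the plan above)
#   'nestedConfig': ASSUMED here to mean 1 = follow groupMember
EDIR_GROUPS = {
    "cn=Finance,ou=Groups,o=acme": {
        "member": ["cn=alice,ou=Finance,o=acme"],
        "groupMember": ["cn=Payroll,ou=Groups,o=acme"],
        "nestedConfig": 1,
    },
    "cn=Payroll,ou=Groups,o=acme": {
        "member": ["cn=bob,ou=Finance,o=acme"],
        "groupMember": [],
        "nestedConfig": 1,
    },
}
# Constructed explicit "Security Equal To" values per user.
EDIR_SECURITY_EQUALS = {
    "cn=alice,ou=Finance,o=acme": [],
    "cn=bob,ou=Finance,o=acme": ["cn=HelpdeskRole,ou=Roles,o=acme"],
}
# Constructed Active Directory-style groups: nesting is a group DN in 'member'.
AD_GROUPS = {
    "CN=Finance,OU=Groups,DC=acme,DC=com": {
        "member": ["CN=alice,OU=Finance,DC=acme,DC=com",
                   "CN=Payroll,OU=Groups,DC=acme,DC=com"],
    },
    "CN=Payroll,OU=Groups,DC=acme,DC=com": {
        "member": ["CN=bob,OU=Finance,DC=acme,DC=com"],
    },
}


def parent_containers(dn: str) -> list[str]:
    """Containers above dn, ending with the tree root marker.
    Naive split on ',' (the sample DNs contain no escaped commas)."""
    rdns = dn.split(",")
    return [",".join(rdns[i:]) for i in range(1, len(rdns))] + ["[Root]"]


def direct_groups(dn: str, groups: dict, attrs=("member",)) -> set[str]:
    """Groups that list dn directly in one of the given attributes."""
    return {g for g, a in groups.items()
            if any(dn in a.get(attr, []) for attr in attrs)}


def edir_security_equivalence(user_dn: str, groups: dict,
                              sec_equals: dict) -> set[str]:
    """Security equivalence vector as described in the thread: the user,
    groups it is a DIRECT member of (nesting is not followed), explicit
    Security Equal To values, and every parent container up to [Root]."""
    vector = {user_dn}
    vector |= direct_groups(user_dn, groups)          # (*) direct only
    vector |= set(sec_equals.get(user_dn, []))         # (**) explicit
    vector |= set(parent_containers(user_dn))          # (**) containers
    return vector


def transitive_groups(dn: str, groups: dict, attrs=("member",)) -> set[str]:
    """Transitive closure of membership over attrs, the way AD resolves a
    group DN found in 'member'. Cycle-safe."""
    seen: set[str] = set()
    frontier = [dn]
    while frontier:
        for g in direct_groups(frontier.pop(), groups, attrs):
            if g not in seen:
                seen.add(g)
                frontier.append(g)
    return seen


def unroll_members(group_dn: str, groups: dict,
                   nested_attr: str = "groupMember") -> list[str]:
    """Flatten a group to its user members: a group DN inside 'member' is
    followed (AD style), and nested_attr is followed when nestedConfig is
    set (eDir style). Cycle-safe; this is the 'unroll' a driver needs when
    the target will not expand nesting."""
    users: set[str] = set()
    seen: set[str] = set()
    stack = [group_dn]
    while stack:
        g = stack.pop()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        for m in groups[g].get("member", []):
            (stack if m in groups else users).add(m) if False else None
            if m in groups:
                stack.append(m)
            else:
                users.add(m)
        if groups[g].get("nestedConfig", 0):
            stack.extend(groups[g].get(nested_attr, []))
    return sorted(users)


if __name__ == "__main__":
    bob = "cn=bob,ou=Finance,o=acme"
    print("eDir SEV for bob:",
          sorted(edir_security_equivalence(bob, EDIR_GROUPS, EDIR_SECURITY_EQUALS)))
    print("eDir nesting if it were expanded:",
          sorted(transitive_groups(bob, EDIR_GROUPS, ("member", "groupMember"))))
    print("AD effective groups for bob:",
          sorted(transitive_groups("CN=bob,OU=Finance,DC=acme,DC=com", AD_GROUPS)))
    print("Unrolled Finance members:",
          unroll_members("cn=Finance,ou=Groups,o=acme", EDIR_GROUPS))
```

Running it shows the point made above: bob's eDir security equivalence vector contains Payroll, his containers and his explicit Security Equal To entry, but not Finance, even though Payroll is nested under Finance via groupMember; in AD the same structure resolves transitively to both groups. The unrolled member list is what you would write to a target that does not expand nesting.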

Re: Definition for the "member" attribute

On Thu, 12 Feb 2015 08:44:01 +0000, lgallet wrote:

> Thanks for the informations on the differences between eDirectory and
> AD, it can be useful.


You're welcome. I think your plan should work fine. Follow up with IDM
questions in the idm.engine-drivers forum if you need help with that.

