Traditional Static Group Support For Inverted Static Groups Plugin

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Traditional Static Group Support For Inverted Static Groups Plugin may be used to allow clients to interact with inverted static groups as if they were traditional static groups.

This may include any or all of the following:

Parent Component Properties dsconfig Usage

Parent Component

The Traditional Static Group Support For Inverted Static Groups Plugin component inherits from the Plugin

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  invoke-for-internal-operations
 enabled
 traditional-static-group-object-class
 maximum-membership-updates-per-modify
 read-operation-support

Basic Properties

description

Description
A description for this Plugin
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the plug-in is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

traditional-static-group-object-class

Description
The object class that defines the type of traditional static group that this plugin will attempt to emulate for inverted static groups. Changes to this configuration property require either disabling and re-enabling the plugin or restarting the server.
Default Value
groupOfNames
Allowed Values
groupOfNames - Indicates that this plugin should attempt to emulate the behavior of traditional static groups using the "groupOfNames" structural object class, which use the "member" attribute to hold member DNs.

groupOfUniqueNames - Indicates that this plugin should attempt to emulate the behavior of traditional static groups using the "groupOfUniqueNames" structural object class, which use the "uniqueMember" attribute to hold member DNs.

groupOfEntries - Indicates that this plugin should attempt to emulate the behavior of traditional static groups using the "groupOfEntries" structural object class, which use the "member" attribute to hold member DNs.
Multi-Valued
No
Required
No
Admin Action Required
The Traditional Static Group Support For Inverted Static Groups Plugin must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server

maximum-membership-updates-per-modify

Description
An integer property that specifies the maximum number of membership changes that will be supported in a single modify operation. A value of zero indicates that modify operations targeting the group entry should not be permitted to alter the set of members for the group.
Default Value
100
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

read-operation-support

Description
The level of support that the server should offer to allow treating search and compare operations targeting inverted static groups as if they were traditional static groups.
Default Value
enabled-without-support-for-retrieving-membership
Allowed Values
disabled - The plugin will not provide any virtual attributes that allow treating inverted static groups as traditional static groups for search and compare operations.

enabled-without-support-for-retrieving-membership - The plugin will generate a virtual membership attribute (either member or uniqueMember, as determined by the value of the traditional-static-group-object-class property) that will make it possible to match equality filter components or compare assertions targeting that attribute with a member DN (for example, if user "uid=jdoe,ou=People,dc=example,dc=com" is a member of an inverted static group, then a filter like "(member=uid=jdoe,ou=People,dc=example,dc=com)" will be considered to match the entry for that group. Note that this will only match for direct members, but not for nested members. However, the virtual attribute provider will not generate values for the membership attribute when the entry is returned. This is beneficial for performance, as it may be somewhat expensive to retrieve the entire set of member DNs for an inverted static group, especially in cases where the group is very large or may contain nested groups. Properly designed clients should not need to retrieve the list of members for the purpose of determining whether a user is a member of the group, although this option may not be suitable for clients that need to retrieve the entire member list. This option will also cause the server to generate a virtual objectClass value that corresponds to the value of the traditional-static-group-object-class property. This will help improve compatibility with clients that include the objectClass attribute in searches attempting to determine whether a user is a member of a given group.

enabled-with-support-for-retrieving-direct-membership - The plugin will generate a virtual membership attribute (either member or uniqueMember, as determined by the value of the traditional-static-group-object-class property) that will make it possible to match equality filter components or compare assertions targeting that attribute with a member DN (for example, if user "uid=jdoe,ou=People,dc=example,dc=com" is a member of an inverted static group, then a filter like "(member=uid=jdoe,ou=People,dc=example,dc=com)" will be considered to match the entry for that group. Note that this will only match for direct members, but not for nested members. That virtual attribute provider will also generate values for the target attribute representing the DNs of the users that are direct members of the group. Nested members will not be included. Note that generating the member list may have a notable performance impact, especially for inverted static groups with a very large number of direct members. This option will also cause the server to generate a virtual objectClass value that corresponds to the value of the traditional-static-group-object-class property. This will help improve compatibility with clients that include the objectClass attribute in searches attempting to determine whether a user is a member of a given group.

enabled-with-support-for-retrieving-nested-membership - The plugin will generate a virtual membership attribute (either member or uniqueMember, as determined by the value of the traditional-static-group-object-class property) that will make it possible to match equality filter components or compare assertions targeting that attribute with a member DN (for example, if user "uid=jdoe,ou=People,dc=example,dc=com" is a member of an inverted static group, then a filter like "(member=uid=jdoe,ou=People,dc=example,dc=com)" will be considered to match the entry for that group. This will match for both direct and nested members. That virtual attribute provider will also generate values for the target attribute representing the DNs of the users that are direct or nested members of the group. Note that generating the member list may have a notable performance impact, especially for inverted static groups with a very large number of direct members, or that have nested groups for which retrieving the member list may be expensive (e.g., dynamic groups that have a very large number of members or that use inefficient criteria for identifying those members). This option will also cause the server to generate a virtual objectClass value that corresponds to the value of the traditional-static-group-object-class property. This will help improve compatibility with clients that include the objectClass attribute in searches attempting to determine whether a user is a member of a given group.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

invoke-for-internal-operations (Advanced Property)

Description
Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Plugins:

dsconfig list-plugins
     [--property {propertyName}] ...

To view the configuration for an existing Plugin:

dsconfig get-plugin-prop
     --plugin-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Plugin:

dsconfig set-plugin-prop
     --plugin-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Traditional Static Group Support For Inverted Static Groups Plugin:

dsconfig create-plugin
     --plugin-name {name}
     --type traditional-static-group-support-for-inverted-static-groups
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Plugin:

dsconfig delete-plugin
     --plugin-name {name}