|
1. Static Group utility.
1.1. Why Static group instead of Dynamic group.
1.2. The program
1.2.1. Exclude users
1.2.2. Include users
1.2.3. Options add/sync
1.3. Query attribute.
1.4. Limitations
2. Commandline version
3. Mappings
4. Version list
1. Static Group utility.
In contrast with dynamic group is static group (or pseudo dynamic) not a function of eDirectory. Static
group is a utility that can update the memberlist of a non-dynamic (workstation)group based on query
like the query in a dynamic group. In static group the memberlist is not automatically updated, for
updating the windows of commandline version of the program must be run.
This version of the utility is Novell Client based and not LDAP. The query entered is translated to a
eDirectory query. The main limitation is that there is no support for extended matching rules.
1.1. Why Static group instead of Dynamic group.
Dynamic group is always up to date, but the main difference is that the "group membership" attribute
and "security equals " isn't updated with dynamic group. This utility will update these attributes, so the
group can be used for filesystem access or zen application opbjects.
1.2. The program  For future compatibility with the ldap version of the program, the attribute names in the filter have to be
the ldap names. See also mapping options.
After selecting a group (a user or workstation group) (button on the right of the group box) the program
reads the member attribute and the attribute used for the ldap query information (default the attribute
L, but that can be changed).
On the browser window for the group, it is possible to add an new group by selecting the green Add button. After entering/updating the ldap query, it is possible to execute the query. Depending on the settings "add Excludes" and "add Includes" and the options "add/sync" the program shows the result in the
member window. If everything is ok, then the result can be saved by selecting the Update Group
button.
1.2.1. Exclude users
The program can apply an exclude list to prevent the adding of certain uers (or workstations).
On selecting the option "add exlude" and the program shows the exclude tab. On that tab it is possible to add and remove the exclude members. The program stores the exclution list in the attribute "See Also". If this is a problem please change the attribute name in the section [SYSTEM] of the staticgroup.ini file.
1.2.2. Include users
The program can apply an include list to always add of certain uers (or workstations).
On selecting the option "add inlude" and the program shows the include tab. On that tab it is possible to add and remove the include members. The program stores the exclution list in the attribute "Owner".
If this is a problem please change the attribute name in the section [SYSTEM] of the staticgroup.ini file.
1.2.3. Options add/sync
Add: the result of the query is added to the already existing members of the group. All new members
will be green. Unchanged members are black.
Sync: the result of the query will replace the current memberlist of the group. The program will show
the members that will be deleted (red and striketrough) and the new members (green). The unchanged members are black.
Include members are shown blue, and exclude members are shown blue and strikethrough.
1.3. Query attribute.
On the settings page it is possible to select an attribute for the storage of the "ldap query" string. The commandline version of the program (sg.exe) will read this attribute and uses it for updating the groups without asking.
1.4. Limitations
- The program only supports simple attribute names.
- no support for: extensible items
- no support for binary attributes
- Only string and "integer" attributes are supported. (includes distinguished names and counter )
- No check for valid combinations of attribute and filtertype.
- There is a problem in the filter-parser if you forget a "(" or ")"!!!!!
The program supports:
& and, | or, ! not, present (=*) , =, <=, >= , ~= Warning
Use the attribute names mst be LDAP names, not eDirectory names. E.g. use "givenname" and not "Given Name".
Make sure to put the correct object (types) into the query. So for user groups use (objectclass=User) and for workstation groups use (objectclass=workstations).
2. Commandline version
There is also an commandline version of staticgroup (sg.exe). The install will update the path system
variable, so the program can be used from any location on the workstation.
There are two commandline methodes: - sg groupname [options] (this must be the full name of the group) e.g. SG "Users applications.Applications.APP_W2000.ZEN.WB" do not add an leading dot.
- sg @filename [options] The text-file must contain a groupname on every line. Empty lines not permitted.
There are a few commanline options: | /v | verbose, the program writes all the updates it does to the group on the screen | | /sq | show query. This will show the executed query on the screen | | /t | This will turn on the verbose mode and will simulate the query update, no information will be changed. | | /tree=<treename> | The program will use the given tree instead of the primary tree. Must already be authenticated in the given tree! | | /pt | will change the primary tree of the client! (only in combination with /tree) (in most cases this isn't needed!) | commandline version can be scheduled, so the groups will be updated regulary.
3. Mappings
The program uses the following methode for mapping the ldap attribute names to the ndap attribute names:
At startup the program read the schema attributes from the eDirectory. The is "translate all the attribute names by removing all space, and columns (:) and force everything to be lowercase. Then it will read the file mappings.dat (in the program directoy) and add these at the top of the list, so the program will first search this list before it searches the "translated" attribute names. In the mappings.dat file (just a text file) the left column is the ldap name and the right column (after the =) is
the eDirectory name. This list can be updated or edited if needed (please use a text-editor like notepad or so).
4.version list | 1.00 | first public version of the program | | 1.01 | fix for attribute names and multi query support | | 1.02 | added /tree and /pt to SG.exe and new select tree routine for StaticGroup.exe | | | added missing error warning if a “(“ or “)” is missing. (the query was not executed, and no error was given) (sg and staticgroup) | | | fixed the /sq option, code was broken in version 1.01 due to the multiquery option. | | 1.03 | fixed the filter evaluator. There was a problem with nested and's and or's. | | | (&(objectclass=user)(|(cn=a*)(cn=b*))) didn't the correct evaluate, now it works correct. |
5. New features to come
- full ldap version (for windows and dos tool)
- futher optimalization of group update
|
