Geoffrey, the NDS might be working differently than eDirectory. Here's how things work for a dynamic group.
Likely! :)
When a user is added to a group, an attribute, say memberof, is added to
his/her id as
dn: uid=xxxxxxxxxxxxx
...
memberof: DN of some group
That is a regular group... A dynamic group's member list, when queried, is generated on the fly via an LDAP search as specified in the dynamic group's search attrib (whose name I forget).
Anyway, in a dynamic group, the user does NOT get a memberof attrib added! At least in eDir.
So since the group membership is dynamically generated every time you query the memberlist attrib (forget its exact name too, sorry, bad with names), just rerun the query?
When that group is deleted, here is what you can see in the audit logs:
dn: DN of the group
changetype: delete
dn: uid=xxxxxxxxxxxxx
changetype: modify
delete: memberof
memberof: DN of that group.
Now, because of this, when you search for that group, the server will return you nothing, and also all the users are modified by removing the entry that was granting access to that group, thanks to the Referential Integrity plugin.
eDir does this automagically in the background. Referential integrity is nice. :)
Having explained this, I understand that you have only one option: going through the logs and gathering information about the users who were changed by removing access to the group with the memberof attribute.
Let me know something more.
-Kunal Mehta
Geoffrey Carman <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
kunal wrote:
****Reposting Question****
Hello,
I am using Netscape Directory Server 4.16 and using Dynamic Group for
good resource utilization. I have a question for the situation where
Dynamic Groups
get deleted. It's a long and tedious process to go through the logs and
try to re-assign access to all those users who had access to a
particular resource before the group got deleted.
I want to understand a good practice to be implemented for the process of retrieving information in the case where a Dynamic Group gets deleted.
Well, that seems simple... A dynamic group is defined as a group of members who match the search criteria... Why go thru the logs? Do a search that matches the group search, and bingo, there is your list of users...
Heck, just grab the ACLs that were assigned to the group too... I assume you can restore objects... I use eDirectory as my LDAP dir, but hey, LDAP should be LDAP'y.
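
The log-based recovery discussed in this thread, as an added example that is not part of any poster's message: a Python sketch that scans LDIF-style audit records for a group's delete and for the `delete: memberof` modifications that reference it. The sample log and all DNs are constructed, and the record layout (blank-line separated records, no folded or base64 lines) is an assumption.

```python
# Added example. SAMPLE_LOG is constructed; all DNs are hypothetical.
SAMPLE_LOG = """\
dn: cn=printer-admins,ou=groups,o=example
changetype: delete

dn: uid=alice,ou=people,o=example
changetype: modify
delete: memberof
memberof: cn=printer-admins,ou=groups,o=example
-

dn: uid=bob,ou=people,o=example
changetype: modify
delete: memberof
memberof: cn=Printer-Admins, ou=groups, o=example
memberof: cn=staff,ou=groups,o=example
-
"""

def norm_dn(dn):
    # Comparison key: lower-cased, spaces around RDNs dropped.
    # Simplification: does not handle escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_records(text):
    # Assumes blank-line separated records, no folded or base64 lines.
    for block in text.strip().split("\n\n"):
        rec = [(a.strip().lower(), v.strip())
               for a, sep, v in (l.partition(":") for l in block.splitlines()) if sep]
        if rec:
            yield rec

def removed_members(text, group_dn):
    """Return (group_deleted, [DNs that had memberof: group_dn removed])."""
    target, deleted, users = norm_dn(group_dn), False, []
    for rec in parse_records(text):
        head = dict(rec)
        dn, change = head.get("dn", ""), head.get("changetype", "")
        if change == "delete" and norm_dn(dn) == target:
            deleted = True
        elif change == "modify":
            op = None  # current modify operation: (kind, attribute)
            for attr, value in rec:
                if attr in ("add", "delete", "replace"):
                    op = (attr, value.lower())
                elif op == ("delete", "memberof") and attr == "memberof" \
                        and norm_dn(value) == target:
                    users.append(dn)
    return deleted, users
```

The returned DN list is the set of entries to review when re-granting access after the group is restored.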
