LDAP-based security for Enterprise Server through the MLDAP ESM Module now supports additional options for configuring user groups. User groups are typically used to assign access permissions for resources controlled by Enterprise Server.
In earlier releases of Enterprise Server, user groups used the microfocus-MFDS-Group LDAP object class. Group members were specified using microfocus-MFDS-Group-Member, a multi-valued attribute, where each value is an enterprise server user ID.
Note: A user ID is typically the LDAP Common Name, or CN, of a user object, though a different attribute can be configured for the user ID.
Members could also be group names, specified as "X group" or "group X", to indicate nested groups.
In Enterprise Server 3.0 Patch Update 9, Enterprise Server 4.0 Patch Update 1, and later, administrators can configure the MLDAP ESM Module to obtain group information from the LDAP server in one of four ways:
- Micro Focus groups
- This is the original mechanism described above, with microfocus-MFDS-Group objects specifying members as user IDs in the microfocus-MFDS-Group-Member attribute.
- Active Directory groups
- When this option is selected, group membership is determined by using objects of the LDAP group class and its member attribute. Members are specified as LDAP Distinguished Names (DNs) of user objects. This is how Microsoft represents Windows user groups in Active Directory, so this mode enables the use of Windows domain groups for enterprise server security.
- Custom groups
- In this mode, an arbitrary LDAP class name and membership attribute name can be configured. Group members can be any combination of user ID, group name with the "group" prefix or suffix, and user or group Distinguished Name (DN). This is similar to the Micro Focus groups mode, except that the class and attribute names can be configured and members can also be identified by their DNs.
Note: Since DNs are unambiguous, DN group members (for nested groups) do not use the "group" prefix or suffix.
- Combined mode
- This tells the MLDAP ESM Module to look for both AD groups and custom groups. This enables you to use existing AD groups in conjunction with Windows users, while also adding some groups solely for Enterprise Server.
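
When auditing who actually receives a permission under Custom groups mode, it helps to expand the mixed member values (user IDs, "group X" / "X group" names, and DNs) into a flat set of user IDs. The following is an added example, not Micro Focus code and not the MLDAP ESM Module's own algorithm. The class and attribute names, the directory entries, the rule that a value containing "=" is a DN, and the case-insensitive match on the word "group" are all assumptions made for illustration.

```python
# Added example: class/attribute names and all directory entries are constructed.
GROUP_CLASS, MEMBER_ATTR = "exampleGroup", "exampleMember"
BASE = "DC=example,DC=test"
DIRECTORY = {  # DN -> entry
    f"CN=alice,OU=Users,{BASE}": {"class": "user", "cn": "alice"},
    f"CN=bob,OU=Users,{BASE}": {"class": "user", "cn": "bob"},
    f"CN=OPERATORS,OU=Groups,{BASE}": {
        "class": GROUP_CLASS, "cn": "OPERATORS",
        MEMBER_ATTR: ["carol", f"CN=bob,OU=Users,{BASE}", "group ADMINS"]},
    f"CN=ADMINS,OU=Groups,{BASE}": {
        "class": GROUP_CLASS, "cn": "ADMINS",
        MEMBER_ATTR: ["alice", "OPERATORS group"]},  # nests back: a cycle
}
# Group name (assumed to be the CN) -> DN, for "group X" / "X group" members.
GROUP_DN = {e["cn"]: dn for dn, e in DIRECTORY.items() if e["class"] == GROUP_CLASS}

def classify(value):
    """Return (kind, name) for one membership value: 'dn', 'group' or 'user'."""
    value = value.strip()
    if "=" in value:  # assumption: a DN is recognised by its attr=value syntax
        return ("dn", value)
    words = value.split()
    if len(words) == 2 and words[0].lower() == "group":  # "group X"
        return ("group", words[1])
    if len(words) == 2 and words[1].lower() == "group":  # "X group"
        return ("group", words[0])
    return ("user", value)

def effective_users(group_dn, seen=None):
    """Expand nested groups into the set of user IDs they grant access to."""
    seen = set() if seen is None else seen
    if group_dn in seen:  # already expanded: stop, so cycles terminate
        return set()
    seen.add(group_dn)
    users = set()
    for value in DIRECTORY[group_dn].get(MEMBER_ATTR, []):
        kind, name = classify(value)
        if kind == "group":
            name, kind = GROUP_DN.get(name), "dn"
        entry = DIRECTORY.get(name)
        if kind == "user":
            users.add(name)
        elif entry is None:  # dangling reference: grants nothing
            continue
        elif entry["class"] == GROUP_CLASS:
            users |= effective_users(name, seen)
        else:
            users.add(entry["cn"])  # user ID assumed to be the CN
    return users
```

In the constructed data, OPERATORS and ADMINS nest each other, so both resolve to the same three users. A review of nested groups should look for exactly this kind of unintended widening.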