Overview

The Special Attributes Handling options allow you to perform the following functions:

  • Configure Attribute Uniqueness
  • Configure the automatic relationship management between linked attributes
  • Configure Referential Integrity
  • Configure Dynamic Groups (only applicable to groups associated with the groupOfURLs object class)

Attribute Uniqueness

Attribute Uniqueness enforcement is applicable to RadiantOne Directory stores only.

Certain attribute values (e.g. uid) should be unique across a given container or Directory Information Tree (DIT). The server stops any operation that tries to add an entry that contains an existing value for the given attribute. It also stops any operation that adds or modifies the attribute to a value that already exists in the directory.

Attribute uniqueness is not enabled by default. To define which attributes require unique values, follow the steps below.

  1. From the Control Panel > Manage > Directory Namespace > Namespace Design, select the RadiantOne Directory below Root Naming Contexts.

  2. On the right, click the SPECIAL ATTRIBUTES tab and locate the Attribute Uniqueness section.

  3. In the Attribute Uniqueness section, click +ATTRIBUTE UNIQUENESS.

  4. Click +NEW and select the Base DN for which attribute uniqueness should be enforced. All entries below this point require unique values for the attributes indicated in step 6 below.

  5. Click SELECT.

  6. Enter a list of attribute names that should contain unique values. Press the "Enter" key on the keyboard after each attribute name. In the example shown in the screen below, the attributes uid and mail must be unique across all entries located below o=RadiantOne Directory.

    [Screenshot: Attribute Uniqueness]

  7. Click SAVE.

Repeat these steps to configure attribute uniqueness checking for additional containers/branches.
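The following is an added example, not RadiantOne code, that models the rule configured above (uid and mail unique below o=RadiantOne Directory) over a small in-memory directory. It shows the two checks the text describes: an add that reuses a unique value is rejected, and so is a modify that changes the attribute to a value another entry already holds. Values are compared case-insensitively, an entry outside the rule's base DN is not constrained, and the entry DNs and operations are constructed for the demonstration (DN comparison is simplified and ignores escaping).

```python
"""Attribute-uniqueness enforcement over a small in-memory directory.

Added example, not RadiantOne code. It models the rule configured above
("uid and mail must be unique below o=RadiantOne Directory") and rejects any
add or modify that would introduce a duplicate value. Entries are constructed
for the demonstration; DN comparison is simplified (no escaping support).
"""
from dataclasses import dataclass


class UniquenessViolation(Exception):
    """Raised when an operation would duplicate a unique attribute value."""
    code = 19  # LDAP result code constraintViolation (RFC 4511)


@dataclass(frozen=True)
class UniquenessRule:
    base_dn: str
    attributes: tuple  # attribute names that must be unique below base_dn


def norm_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case, no space after commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_is_below(dn: str, base: str) -> bool:
    """True if dn is base itself or any entry beneath it."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


class Directory:
    def __init__(self, rules):
        self.rules = [UniquenessRule(r.base_dn, tuple(a.lower() for a in r.attributes))
                      for r in rules]
        self.entries = {}  # norm_dn -> {attr(lower): set of values(lower)}

    def _conflict(self, dn, attr, value):
        """Return the DN of another entry already holding attr=value under a rule covering dn."""
        for rule in self.rules:
            if attr not in rule.attributes or not dn_is_below(dn, rule.base_dn):
                continue
            for other_dn, other in self.entries.items():
                if other_dn == norm_dn(dn) or not dn_is_below(other_dn, rule.base_dn):
                    continue
                if value in other.get(attr, set()):
                    return other_dn
        return None

    def _check(self, dn, attrs):
        for attr, values in attrs.items():
            for value in values:
                clash = self._conflict(dn, attr, value)
                if clash:
                    raise UniquenessViolation(f"{attr}={value} already used by {clash}")

    def add(self, dn, attrs):
        """Add an entry; fails if any unique attribute value is already taken."""
        norm = {a.lower(): {str(v).lower() for v in vs} for a, vs in attrs.items()}
        self._check(dn, norm)
        self.entries[norm_dn(dn)] = norm

    def modify_replace(self, dn, attr, values):
        """Replace attr on an existing entry; the same uniqueness check applies."""
        norm = {attr.lower(): {str(v).lower() for v in values}}
        self._check(dn, norm)
        self.entries[norm_dn(dn)].update(norm)


def demo():
    """Walk through a constructed scenario; returns (accepted, rejected) DN lists."""
    d = Directory([UniquenessRule("o=RadiantOne Directory", ("uid", "mail"))])
    accepted, rejected = [], []
    ops = [
        ("add", "uid=alice,ou=people,o=RadiantOne Directory",
         {"uid": ["alice"], "mail": ["alice@example.com"]}),
        ("add", "uid=bob,ou=people,o=RadiantOne Directory",
         {"uid": ["bob"], "mail": ["bob@example.com"]}),
        ("add", "uid=carol,ou=people,o=RadiantOne Directory",
         {"uid": ["carol"], "mail": ["ALICE@example.com"]}),   # duplicate mail, case differs
        ("add", "uid=alice,ou=people,o=other", {"uid": ["alice"]}),  # outside the rule's base DN
        ("replace", "uid=bob,ou=people,o=RadiantOne Directory",
         {"mail": ["alice@example.com"]}),                       # modify to an existing value
    ]
    for kind, dn, attrs in ops:
        try:
            if kind == "add":
                d.add(dn, attrs)
            else:
                (attr, values), = attrs.items()
                d.modify_replace(dn, attr, values)
            accepted.append(dn)
        except UniquenessViolation:
            rejected.append(dn)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The check runs before the entry is written, which is the property that matters: a uniqueness rule that is evaluated after the write (or only on add, not on modify) still lets a second account claim an existing uid or mail.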


Linked Attributes

The Linked Attributes setting is only compatible with entries located in RadiantOne Directory stores or persistent cache.

Linked attributes are attributes that allow relationships between objects. A typical example would be isMemberOf/uniqueMember for user/groups objects. A group has members (uniqueMember attribute) which is the forward link relationship. Those members have an isMemberOf attribute which is the back link (to the group entry) relationship. Other examples of linked attributes are:

manager/directReports
altRecipient/altRecipientBL
dLMemRejectPerms/dLMemRejectPermsBL
dLMemSubmitPerms/dLMemSubmitPermsBL
msExchArchiveDatabaseLink/msExchArchiveDatabaseLinkBL
msExchDelegateListLink/msExchDelegateListBL
publicDelegates/publicDelegatesBL
owner/ownerBL

The most common back link/forward link relationship is between group and user objects. A list of groups a user is a member of can be automatically calculated by RadiantOne and returned in the membership attribute of the user entry. The default attribute name for the back link attribute is isMemberOf. However, you can configure any attribute name (e.g. memberOf) you want.

The back link attribute is returned only when explicitly requested by a client unless the back link location and forward link location are stored in a RadiantOne Directory store or Persistent Cache and the Optimize Linked Attribute option is enabled, in which case the back link attribute is always returned even when not requested (unless Hide Operational Attributes is enabled). Also, if the groups returned in the back link attribute (isMemberOf/memberOf) can themselves be members of other groups (nested groups) and you want to un-nest/flatten these groups (return all the groups in isMemberOf/memberOf), you must toggle on the Enable Nested Groups option on the Control Panel > Manage > Security > Access Control > General tab. Users can also be members of dynamic groups (indicated in the criteria of the memberURL attribute of the group entry).
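To make the forward link/back link relationship concrete, here is an added example (not RadiantOne code) that computes the isMemberOf back link for user entries from the uniqueMember forward link held by group entries. It models one linked-attribute rule with the fields described in the steps below (back link attribute name, target base DN for users, source base DN and object classes for groups, nested relationships on or off). The nested case climbs from each group to the groups that contain it; a visited set guards against two groups that list each other, which would otherwise loop forever. The DNs and entries are constructed for the example.

```python
"""Computing back links (isMemberOf) from forward links (uniqueMember).

Added example, not RadiantOne code. It models one linked-attribute rule:
groups below the source base DN carry the forward link, users below the
target base DN get a computed back link. With nesting enabled, membership
is flattened through parent groups; a visited set keeps a cycle between
groups from looping forever. Entries are constructed for the demonstration.
"""
from collections import defaultdict


def norm_dn(dn):
    """Canonicalise a DN for comparison (lower-case, no space after commas)."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def dn_is_below(dn, base):
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def compute_back_links(entries, rule):
    """Return {user_dn: sorted list of group DNs} for users below rule['target_base'].

    entries: {dn: {attr(lower): [values]}}
    rule keys: forward_attr, back_attr, source_base, source_classes, target_base, nested
    """
    fwd = rule["forward_attr"].lower()
    canon = {norm_dn(dn): dn for dn in entries}  # keep original DN spelling for output
    # reverse index: member (normalised) -> groups that list it in the forward link
    parents = defaultdict(set)
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if dn_is_below(dn, rule["source_base"]) and classes & rule["source_classes"]:
            for member in attrs.get(fwd, []):
                parents[norm_dn(member)].add(norm_dn(dn))

    def groups_of(member):
        found, stack = set(), list(parents[member])
        while stack:
            g = stack.pop()
            if g in found:
                continue  # already expanded; this is also what breaks group cycles
            found.add(g)
            if rule["nested"]:
                stack.extend(parents[g])  # climb to the groups this group belongs to
        return sorted(canon[g] for g in found)

    return {dn: groups_of(norm_dn(dn)) for dn in entries
            if dn_is_below(dn, rule["target_base"])}


# Constructed sample data: people under one container, groups under another.
# cn=staff and cn=all list each other, forming a cycle the flattening must survive.
PEOPLE = "ou=people,o=companydirectory"
GROUPS = "ou=groups,o=companydirectory"
SAMPLE = {
    f"uid=alice,{PEOPLE}": {"objectclass": ["inetOrgPerson"]},
    f"uid=bob,{PEOPLE}": {"objectclass": ["inetOrgPerson"]},
    f"uid=carol,{PEOPLE}": {"objectclass": ["inetOrgPerson"]},
    f"uid=dave,{PEOPLE}": {"objectclass": ["inetOrgPerson"]},
    f"cn=sales,{GROUPS}": {"objectclass": ["groupOfUniqueNames"],
                           "uniquemember": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
    f"cn=staff,{GROUPS}": {"objectclass": ["groupOfUniqueNames"],
                           "uniquemember": [f"cn=sales,{GROUPS}", f"uid=carol,{PEOPLE}",
                                            f"cn=all,{GROUPS}"]},
    f"cn=all,{GROUPS}": {"objectclass": ["groupOfUniqueNames"],
                         "uniquemember": [f"cn=staff,{GROUPS}"]},
}


def rule(nested):
    """The linked-attribute rule as the steps below would configure it."""
    return {"forward_attr": "uniqueMember", "back_attr": "isMemberOf",
            "source_base": GROUPS, "source_classes": {"groupofuniquenames"},
            "target_base": PEOPLE, "nested": nested}


if __name__ == "__main__":
    for dn, groups in compute_back_links(SAMPLE, rule(nested=True)).items():
        print(dn, "isMemberOf:", groups)
```

Run with nesting off, alice is a member of sales only; with nesting on she also picks up staff and all, and the cycle between staff and all does not cause a hang. Access decisions that key off the back link attribute therefore change depending on whether nested relationships are enabled, which is worth confirming with the Directory Browser test described at the end of this section.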

To configure rules for linked attributes, follow the steps below:

  1. On the Control Panel > Setup > Directory Namespace > Namespace Design, select the RadiantOne Directory below the Root Naming Contexts.

  2. On the right, click the SPECIAL ATTRIBUTES tab and locate the Linked Attributes section (expand it if it is collapsed).

    [Screenshot: Special Attributes Handling]

  3. Click +LINKED ATTRIBUTES.

  4. Select a back link attribute name from the drop-down list. If you don't find the attribute that matches your needs, manually enter the attribute name. This is the attribute name under which RadiantOne returns the back link value; it is generally either memberOf or isMemberOf (for group/user linked attributes).

  5. Click SELECT next to the Target Base DN field. The Select base DN window is displayed.

  6. Choose a base DN containing the entries (e.g. users) for which the back link attributes should be managed. In the example below, o=companydirectory is selected.

    [Screenshot: Linked Attribute]

  7. Click SELECT.

  8. Under Source Base DNs, click SELECT. The Select base DN window is displayed.

  9. Select a base DN containing the entries (e.g. groups) that hold the forward link to the objects selected in step 5 above, and click SELECT.

  10. In the source object class list, verify the list includes the class associated with your entries (e.g. groups). Add any missing object classes.

  11. If the Source Base DNs location is for group objects, and the groups can be nested (contain members that are groups), check the option to Enable Nested Relationships.

  12. Click ADD. The configuration is displayed in the Linked Attributes section.

  13. Click SAVE.

To test your results, you can use the Control Panel > Manage > Directory Browser. Click +SEARCH. Enter a name to save the search (e.g. LinkedAttributes). Enter or select your DN containing users. Choose Subtree as the scope from the drop-down list. You can enter a filter to look for a specific user (using the freeform/manual mode, or click +NEW CONDITION). In the Return Attributes field enter isMemberOf (assuming this is the back link attribute name configured for returning the groups). Click SAVE and then TEST QUERY.

[Screenshot: Linked Attribute]

The user in your filter should be returned. Select this entry and the attributes should display. The back link attribute (e.g. isMemberOf) should indicate the groups the user is a member of.


Referential Integrity

Referential integrity is the process of automatically maintaining consistent relationships among certain entries. This mechanism ensures that any references to an entry are updated whenever that entry is removed or altered. If it is configured, during every LDAP add, modify, delete, and rename operation, RadiantOne updates all necessary DN references (all other entries that refer to that entry). For example, if you remove a user's entry from the directory, and the user is a member of a group, the server also removes the user from the group. If referential integrity is not enabled, the user remains a member of the group until manually removed. Historically, referential integrity is primarily used to ensure that attributes with a distinguished name syntax (especially group membership attributes like member and uniqueMember) are properly maintained in the event of delete or modify DN operations. For a delete operation, any references to the target entry are removed. For modify DN operations, any references to the target entry are renamed accordingly.

Referential integrity is not enabled by default. To enable and configure it, follow the steps below.

  1. On the Control Panel > Setup > Directory Namespace > Namespace Design, select the RadiantOne Directory below the Root Naming Contexts.

  2. On the right, click the SPECIAL ATTRIBUTES tab and locate the Referential Integrity section (expand it if it is collapsed).

  3. Click +REFERENTIAL INTEGRITY.

  4. In the Users Location section, select or enter the Base DN location containing the possible members associated with the groups you define in the next step. The users must be located somewhere at or below the root naming context where you are configuring this setting. If a user is moved or deleted from this location, all groups referencing this user entry are updated accordingly (the value is updated or deleted). Click SELECT.

  5. Click +NEW in the Groups Location.

  6. Enter or browse to the Groups Location.

  7. Click the Checkmark inline with the groups location. Add more groups locations if needed.

  8. Select if the applicable referential integrity rule should be Enabled or Disabled.

    • Disabled: Referential integrity is not enforced for the specified Base DN.
    • Enabled: Referential integrity applies to the member, uniquemember and manager attributes by default. Add any attribute that is of type DN syntax as needed. Enter the attribute name and press "Enter" on the keyboard for each value. Some examples are: owner and managedBy.

    [Screenshot: Referential Integrity]

  9. Enter attributes to maintain referential integrity for. Enter the attribute name and press "Enter" on the keyboard after each value.

  10. If referential integrity is enabled, and you want RadiantOne to ensure any values entered for member/uniquemember, or attribute in this list, references a valid DN in the Directory Information Tree (DIT), check the “Validate User Exists in DIT” checkbox. If this option is selected, and a value does not reference a valid Distinguished Name (DN) that is part of the current DIT, the modify operation will fail. Error code 19 will be returned indicating a referential integrity violation.

  11. Click ADD.

  12. Click SAVE.
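The following added example (not RadiantOne code) models the behaviour this section describes over an in-memory directory: one rule with a Users Location, a Groups Location, the default DN-syntax attributes plus owner, and the "Validate User Exists in DIT" option. Deleting a user removes it from every maintained attribute on entries below the groups location, a modify DN rewrites those references to the new DN, and, with validation on, adding a member value that is not an existing DN fails with result code 19 as stated in step 10. The DNs and entries are constructed for the demonstration.

```python
"""Referential-integrity maintenance over an in-memory directory.

Added example, not RadiantOne code. One rule combines the Users Location,
the Groups Locations and the DN-syntax attributes to maintain (member,
uniqueMember and manager by default, plus owner here). Deleting or renaming
a user below the users location updates every reference held by entries
below the groups locations; with validate_exists on, a DN value that does
not exist in the DIT is rejected with LDAP result code 19, as the page
states. Entries are constructed for the demonstration.
"""


class ReferentialIntegrityError(Exception):
    code = 19  # LDAP constraintViolation, the code the page says is returned


def norm_dn(dn):
    """Canonicalise a DN for comparison (lower-case, no space after commas)."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def dn_is_below(dn, base):
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


class Directory:
    def __init__(self, users_base, group_bases,
                 attributes=("member", "uniqueMember", "manager"), validate_exists=False):
        self.users_base = users_base
        self.group_bases = list(group_bases)
        self.attributes = tuple(a.lower() for a in attributes)
        self.validate_exists = validate_exists
        self.entries = {}  # dn -> {attr(lower): [values]}

    def get(self, dn):
        return self.entries[dn]

    def _exists(self, dn):
        target = norm_dn(dn)
        return any(norm_dn(d) == target for d in self.entries)

    def _validate(self, values_by_attr):
        """'Validate User Exists in DIT': reject DN values that point at no entry."""
        if not self.validate_exists:
            return
        for attr in self.attributes:
            for v in values_by_attr.get(attr, []):
                if not self._exists(v):
                    raise ReferentialIntegrityError(f"{attr}={v} does not reference an entry in the DIT")

    def _references(self):
        """Yield (entry_dn, attr) for every maintained DN attribute below a groups location."""
        for dn, attrs in self.entries.items():
            if any(dn_is_below(dn, g) for g in self.group_bases):
                for attr in self.attributes:
                    if attr in attrs:
                        yield dn, attr

    def add(self, dn, attrs):
        norm = {a.lower(): list(v) for a, v in attrs.items()}
        self._validate(norm)
        self.entries[dn] = norm

    def modify_add(self, dn, attr, value):
        self._validate({attr.lower(): [value]})
        self.entries[dn].setdefault(attr.lower(), []).append(value)

    def delete(self, dn):
        """Remove the entry; if it was a user, drop every reference to it."""
        del self.entries[dn]
        if not dn_is_below(dn, self.users_base):
            return
        for gdn, attr in list(self._references()):
            kept = [v for v in self.entries[gdn][attr] if norm_dn(v) != norm_dn(dn)]
            if kept:
                self.entries[gdn][attr] = kept
            else:
                del self.entries[gdn][attr]  # an LDAP attribute with no values disappears

    def rename(self, old_dn, new_dn):
        """Modify DN: move the entry and rewrite every reference to its old DN."""
        self.entries[new_dn] = self.entries.pop(old_dn)
        if not dn_is_below(old_dn, self.users_base):
            return
        for gdn, attr in self._references():
            self.entries[gdn][attr] = [new_dn if norm_dn(v) == norm_dn(old_dn) else v
                                       for v in self.entries[gdn][attr]]


def demo():
    """Constructed scenario: delete and rename a user, then attempt a dangling reference."""
    people, groups = "ou=people,o=companydirectory", "ou=groups,o=companydirectory"
    d = Directory(people, [groups], ("member", "uniqueMember", "manager", "owner"),
                  validate_exists=True)
    d.add(f"uid=alice,{people}", {"objectClass": ["inetOrgPerson"]})
    d.add(f"uid=bob,{people}", {"objectClass": ["inetOrgPerson"]})
    d.add(f"cn=sales,{groups}", {"objectClass": ["groupOfUniqueNames"],
                                 "uniqueMember": [f"uid=alice,{people}", f"uid=bob,{people}"],
                                 "owner": [f"uid=alice,{people}"]})
    d.delete(f"uid=alice,{people}")                         # alice leaves uniqueMember and owner
    d.rename(f"uid=bob,{people}", f"uid=robert,{people}")   # the reference follows the new DN
    try:
        d.modify_add(f"cn=sales,{groups}", "uniqueMember", f"uid=ghost,{people}")
        error_code = None
    except ReferentialIntegrityError as e:
        error_code = e.code
    return d.get(f"cn=sales,{groups}"), error_code


if __name__ == "__main__":
    print(demo())
```

Without this maintenance, the deleted user's DN would remain in uniqueMember and owner; if that DN were later re-created for a different person, the stale membership would silently apply to them. That is the risk referential integrity (and, for new values, the DIT validation check) is there to close.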


Dynamic Group

For dynamic groups, the membership is determined by search criteria using an LDAP URL as opposed to being maintained explicitly in a list. For example, suppose that you want a Sales group to contain every employee that has a title of Sales Manager. To do this, you create a dynamic group named Sales associated with the groupOfURLs objectclass. Then, instead of explicitly assigning member DNs as unique members (in the member or uniqueMember attribute), you define a memberURL attribute that contains the LDAP URL and criteria (search base, scope and filter) to be used for determining members of the group.

Dynamic groups are not enabled by default. Therefore, any groups in RadiantOne associated with the groupOfURLs objectclass will have their memberURL returned directly to clients as is.

To enable support for automatically translating dynamic groups into static groups, follow the steps below.

  1. On the Control Panel > Setup > Directory Namespace > Namespace Design, select the RadiantOne Directory below the Root Naming Contexts.

  2. On the right, click the SPECIAL ATTRIBUTES tab and locate the Dynamic Groups section (expand it if it is collapsed).

  3. Select either member or uniquemember from the Member Attribute drop-down list. This determines the attribute name that contains the members of the dynamic groups.

  4. Click +DYNAMIC GROUP.

  5. Click browse and select either a specific dynamic group or the container where all dynamic groups are located and then click ADD. Below is an example of a dynamic group with a memberURL of ldap:///ou=Accounting,o=RadiantOne Directory??sub?(&(objectclass=*)(l=San Mateo)), followed by the corresponding configuration.

    [Screenshot: Dynamic Group Example]

    [Screenshot: Dynamic Group Configuration]

  6. The option to "Store explicit members in cache" is not applicable for RadiantOne Directory stores. So this option can be ignored.

  7. Repeat steps 4 and 5 to add all dynamic groups.

  8. Click SAVE.

For groups defined in this section, RadiantOne automatically evaluates and computes the list of members based on the memberURL attribute indicated in the group. The group named "Dynamic" configured above would be returned by RadiantOne as a virtual static group as shown below (with the member list computed automatically based on the criteria indicated in the memberURL attribute).

[Screenshot: Dynamic Group Translated into Virtual Static Group]
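As an added example (not RadiantOne code), the block below performs the translation this section describes: it parses the memberURL from the page (an RFC 4516 LDAP URL: base DN, attributes, scope, filter), evaluates the scope and filter against in-memory entries, and returns the group as a virtual static group whose member (or uniquemember, per the Member Attribute setting) list is computed. The filter evaluator handles &, |, !, equality and presence, which covers the page's filter; substring and comparison filters and value escaping are not implemented. The entries, including the group cn=Dynamic, are constructed for the demonstration.

```python
"""Evaluating a dynamic group's memberURL into a static member list.

Added example, not RadiantOne code. It parses the RFC 4516 LDAP URL from the
page's memberURL, evaluates scope and filter against in-memory entries, and
returns the group as a virtual static group with a computed member attribute.
The filter evaluator supports &, |, !, equality and presence (enough for the
example; escaping, substring and compare filters are not handled).
Entries are constructed for the demonstration.
"""
from urllib.parse import unquote


def norm_dn(dn):
    """Canonicalise a DN for comparison (lower-case, no space after commas)."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_ldap_url(url):
    """Split ldap://host/dn?attrs?scope?filter into (base_dn, attrs, scope, filter)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL")
    _host, _, tail = url[len("ldap://"):].partition("/")
    parts = tail.split("?") + ["", "", ""]          # pad the optional fields
    base, attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, [a for a in attrs.split(",") if a], (scope or "base").lower(), flt


def parse_filter(s, i=0):
    """Recursive-descent parse of an RFC 4515 filter at s[i]; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1                    # skip the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    values = [v.lower() for v in attrs.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def in_scope(dn, base, scope):
    d, b = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return d == b
    if scope in ("one", "onelevel"):
        return d.partition(",")[2] == b
    return d == b or d.endswith("," + b)            # sub


def expand_dynamic_group(entries, group_dn, member_attr="member"):
    """Return a copy of the group with every memberURL evaluated into member_attr."""
    group = dict(entries[group_dn])
    members = set()                                 # de-duplicates across several URLs
    for url in group.get("memberurl", []):
        base, _attrs, scope, flt = parse_ldap_url(url)
        node = parse_filter(flt)[0] if flt else ("=", "objectclass", "*")
        for dn, attrs in entries.items():
            if (norm_dn(dn) != norm_dn(group_dn) and in_scope(dn, base, scope)
                    and matches(node, attrs)):
                members.add(dn)
    group[member_attr.lower()] = sorted(members)
    return group


# Constructed sample data; the memberURL is the one shown on the page.
ROOT = "o=RadiantOne Directory"
SAMPLE = {
    f"ou=Accounting,{ROOT}": {"objectclass": ["organizationalUnit"]},
    f"uid=alice,ou=Accounting,{ROOT}": {"objectclass": ["inetOrgPerson"], "l": ["San Mateo"]},
    f"uid=carol,ou=Accounting,{ROOT}": {"objectclass": ["inetOrgPerson"], "l": ["Paris"]},
    f"uid=erin,ou=AP,ou=Accounting,{ROOT}": {"objectclass": ["inetOrgPerson"], "l": ["san mateo"]},
    f"uid=bob,ou=Sales,{ROOT}": {"objectclass": ["inetOrgPerson"], "l": ["San Mateo"]},
    f"cn=Dynamic,ou=groups,{ROOT}": {
        "objectclass": ["groupOfURLs"],
        "memberurl": [f"ldap:///ou=Accounting,{ROOT}??sub?(&(objectclass=*)(l=San Mateo))"],
    },
}

if __name__ == "__main__":
    print(expand_dynamic_group(SAMPLE, f"cn=Dynamic,ou=groups,{ROOT}"))
```

Note what the evaluation does and does not include: the ou=Accounting container matches objectclass=* but has no l attribute, so it is excluded; bob is in San Mateo but outside the search base; erin is matched because the scope is sub and the comparison is case-insensitive. Because membership is recomputed from the filter, anyone able to set l=San Mateo on an entry below the base effectively adds themselves to the group, so attribute write permissions on the criteria attributes deserve the same scrutiny as write permissions on a static member list.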
