Chapter 5. Managing Entries with Roles, Classes of Service, and Views
Entries contained within the directory can be grouped in different ways to simplify the management
of user accounts. Red Hat Directory Server supports a variety of methods for grouping entries and
sharing attributes between entries. To take full advantage of the features offered by roles and class of
service, determine the directory topology when planning the directory deployment.
5.1. Using Roles
Roles are a new entry grouping mechanism that unifies the static and dynamic groups described in
the previous sections. Roles are designed to be more efficient and easier to use for applications. For
example, an application can get the list of roles of which an entry is a member by querying the entry
itself, rather than selecting a group and browsing the member lists of several groups.
This section contains the following topics:
• Section 5.1.1, “About Roles”
• Section 5.1.2, “Managing Roles Using the Console”
• Section 5.1.3, “Managing Roles Using the Command-Line”
• Section 5.1.4, “Using Roles Securely”
5.1.1. About Roles
Roles unify the static and dynamic group concept supported by previous versions of Directory Server.
Roles can be used to organize users in a number of different ways:
• To enumerate the members of a role.
Having an enumerated list of role members can be useful for resolving queries for role members
quickly.
• To determine whether a given entry possesses a particular role.
Knowing the roles possessed by an entry can help determine whether the entry possesses the
target role.
• To enumerate all the roles possessed by a given entry.
• To assign a particular role to a given entry.
• To remove a particular role from a given entry.
Managed roles can do everything that can normally be done with static groups. The role members can
be filtered using filtered roles, similarly to the filtering with dynamic groups. Roles are easier to use
than groups, more flexible in their implementation, and reduce client complexity.
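The five operations listed above, modelled in Python as an added example (not code from the Directory Server documentation). The entries, role DNs and the equality-only filter are constructed, and nsRoleDN is assumed as the attribute that records managed-role membership on the member entry.

```python
# Constructed sample data: DN -> attributes. Nothing here comes from a real directory.
PEOPLE = "ou=people,dc=example,dc=com"
ADMINS = "cn=admins,dc=example,dc=com"   # managed role (hypothetical)
SALES = "cn=sales,dc=example,dc=com"     # filtered role (hypothetical)

ENTRIES = {
    f"uid=alice,{PEOPLE}": {"departmentNumber": ["sales"], "nsRoleDN": [ADMINS]},
    f"uid=bob,{PEOPLE}": {"departmentNumber": ["sales"]},
    f"uid=carol,{PEOPLE}": {"departmentNumber": ["hr"]},
}

# Filtered role definitions: role DN -> (attribute, value).
# Simplification: only equality filters are modelled, not full LDAP filter syntax.
FILTERED_ROLES = {SALES: ("departmentNumber", "sales")}


def ns_role(dn):
    """Return every role the entry possesses, read from the entry itself."""
    entry = ENTRIES[dn]
    roles = set(entry.get("nsRoleDN", []))          # managed roles: listed on the entry
    for role_dn, (attr, value) in FILTERED_ROLES.items():
        if value in entry.get(attr, []):            # filtered roles: entry matches filter
            roles.add(role_dn)
    return roles


def has_role(dn, role_dn):
    return role_dn in ns_role(dn)


def role_members(role_dn):
    return sorted(dn for dn in ENTRIES if has_role(dn, role_dn))


def assign_role(dn, role_dn):
    if role_dn in FILTERED_ROLES:
        raise ValueError("filtered role membership comes from its filter")
    if not has_role(dn, role_dn):
        ENTRIES[dn].setdefault("nsRoleDN", []).append(role_dn)


def remove_role(dn, role_dn):
    if role_dn in FILTERED_ROLES:
        raise ValueError("filtered role membership comes from its filter")
    if role_dn in ENTRIES[dn].get("nsRoleDN", []):
        ENTRIES[dn]["nsRoleDN"].remove(role_dn)


if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn, "->", sorted(ns_role(dn)))
```

Membership in the filtered role follows the attribute value, so whoever can write departmentNumber in this model can change who holds the role.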
However, evaluating roles is more resource-intensive because the server does the work for the client
application. With roles, the client application can check role membership by searching the nsRole