Effective Attributes

It is common for a user object to inherit attributes from either container or group objects. Such attributes are called "effective" because the object does not carry them itself; it gains them by reading the other objects associated with it. Effective attributes are resolved by one of two algorithms: additive or exclusive.

By default, effective attributes use the exclusive algorithm, which means that the first value that is found becomes the effective attribute value. An example of such an attribute is np-remote-access.

Attributes like np-view-domain are additive, which means that the effective attribute value is the union of the values of all the objects evaluated. For example, you can have one np-view-domain value on one object and a different value on a related object. The effective attribute then holds the values from both objects.

Note: If both groups and containers are used to resolve effective attributes, containers are resolved first, then groups.

Using Groups

When a user belongs to groups that belong to other groups, it is common to assign a value to one of the groups and expect all the members of the group to inherit the attribute. If a member is a group, then its members also inherit the attribute, and this process continues recursively until all the members are user objects.

Resolving effective attributes with groups is done as follows:

  1. Starting with the object identified as the GroupRoot, the LDAP Service recursively traverses down through all the members and builds a table. This table allows the LDAP Service to work back from a user object to find all the groups to which it belongs. The table also minimizes the required number of LDAP search requests.
  2. To resolve effective attributes, the LDAP Service uses the table and works backward from the user object to the GroupRoot. For each item in the table, the LDAP Service reads and merges the attributes as necessary.

Using Containers

Effective attributes can also be implemented through containers. For example, consider the user object uid=jdoe,ou=my organization,o=mycompany.com. If effective attributes were stored on the object "ou=my organization,o=mycompany.com" or the object o=mycompany.com, then user jdoe should inherit them.

Resolving effective attributes with containers is done as follows:

  1. Starting with the user object, the LDAP Service reads and merges the attributes (if necessary), and stores them in memory.
  2. Then, the container is read, merged, and stored like the user object.
  3. The LDAP Service repeats this process recursively until the container is the root of the tree.
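The two procedures above, and the exclusive/additive merge they feed, as an added worked example that is not the product's own code. It runs over a constructed in-memory directory in place of LDAP search requests; the attribute names are the page's, while every DN and value, the GroupRoot DN and the use of a "member" attribute for group membership are assumptions.

```python
# Added example (not the product's own code) of the page's rules over a constructed in-memory
# directory in place of LDAP search; attribute names are the page's, all DNs/values are assumed.
ADDITIVE = {"np-view-domain"}  # union of values; any other attribute is exclusive
DIRECTORY = {
    "o=mycompany.com": {"np-view-domain": ["corp"]},
    "ou=my organization,o=mycompany.com": {"np-remote-access": ["deny"], "np-view-domain": ["eng"]},
    "uid=jdoe,ou=my organization,o=mycompany.com": {"np-view-domain": ["jdoe-lab"]},
    "cn=GroupRoot,o=mycompany.com": {"member": ["cn=staff,o=mycompany.com"], "np-remote-access": ["allow"]},
    "cn=staff,o=mycompany.com": {"member": ["cn=engineers,o=mycompany.com"], "np-view-domain": ["staff"]},
    "cn=engineers,o=mycompany.com": {"member": ["uid=jdoe,ou=my organization,o=mycompany.com"]},
}

def merge(effective, attrs):
    for name, values in attrs.items():
        if name in ADDITIVE:  # additive: union of every value found, in the order found
            effective[name] = list(dict.fromkeys(effective.get(name, []) + list(values)))
        elif name != "member" and name not in effective:  # exclusive: first value found wins
            effective[name] = list(values)

def container_chain(user_dn):
    # The user object first, then each enclosing container up to the root of the tree.
    return [",".join(user_dn.split(",")[i:]) for i in range(user_dn.count(",") + 1)]

def build_group_table(group_root):
    # Group step 1: walk down from GroupRoot and record each member -> the groups holding it.
    table, stack, seen = {}, [group_root], set()
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            for member in DIRECTORY.get(group, {}).get("member", []):
                table.setdefault(member, []).append(group)
                stack.append(member)  # nested groups expand further; users list no members
    return table

def group_chain(user_dn, table):
    # Group step 2: work backward from the user through the table up to GroupRoot.
    chain = [user_dn]
    for dn in chain:  # appending while iterating extends the walk breadth-first
        chain += [g for g in table.get(dn, []) if g not in chain]
    return chain[1:]

def effective_attributes(user_dn, group_root="cn=GroupRoot,o=mycompany.com"):
    # Containers are resolved first, then groups, so a container's exclusive value wins.
    effective = {}
    for dn in container_chain(user_dn) + group_chain(user_dn, build_group_table(group_root)):
        merge(effective, DIRECTORY.get(dn, {}))
    return effective
```

For jdoe the container's np-remote-access value "deny" is found before the GroupRoot's "allow", so the exclusive rule keeps "deny", while np-view-domain collects the values from every container and group on the way.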