Use this page to establish an identity object and other object-related search parameters.
Identity Object
The object that the LDAP server uses to log in, in order to perform a query.
In order to perform the search specified, iManager uses a specific identity so that the results are always consistent. The identity object must have authentication credentials so iManager can authenticate as the identity object. The identity object must have a password set.
For example, if you choose to use the dynamic group object itself as the identity object, you need to set a password on the dynamic group. In order for the dynamic member evaluation to work, the object specified as the identity object must be present on the same partition as the dynamic group object. The identity object defaults to [Public] unless another object is specified. [Public] might not have sufficient rights to read and compare attributes.
For example, if you set the Filter to (&(title=manager)), the [Public] identity might not be able to read or compare the title or many other attributes. The identity object must have sufficient rights to the Base DN level and below to determine dynamic group membership.
Time Out
This field is optional and is best left blank unless you set a value that gives iManager a reasonable amount of time to load the objects it finds. This setting determines how long to wait for results from another server during a dynamic group member search when the search operation spans servers. The time interval is specified in seconds, and after it is reached, the search terminates. Any members found before the search is terminated are included in the list. The behavior of Allow Unknowns is considered when the membership cannot be determined because of a timeout.
IMPORTANT: If you do not allow enough time for iManager to load and it times out, the object becomes unusable. You must delete the object and start over.
Allow Duplicates
Specifies whether duplicates are listed in the All Members list when the members of a dynamic group are listed. Duplicates might occur if an object is found in the search result of the Dynamic Members as well as in the Included Members. If Allow Duplicates is not selected, the server eliminates the duplicates. By allowing duplicates, the administrator can reduce the load on the server while listing dynamic group members.
Allow Unknowns
This attribute determines the inclusion or exclusion of members in the dynamic group when the membership cannot be correctly determined. For example, if the specified search cannot be completed because one of the replicas is not accessible, and Allow Unknowns is selected, the object in question is considered to be a member of the dynamic group. In short, unless the implications of selecting this setting are fully understood, the administrator should always leave it deselected.
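The settings described on this page can be reviewed in bulk from a directory export. The following Python script is an added example, not part of the product documentation. It assumes the LDAP attribute names dgIdentity, dgAllowUnknown and dgTimeOut and the dynamicGroup object class, treats an absent dgAllowUnknown as not selected, and runs on a constructed LDIF sample.

```python
# Added example: audit dynamic group settings in an LDIF export (constructed sample).
# Assumed LDAP names: objectClass dynamicGroup, dgIdentity, dgAllowUnknown, dgTimeOut.
SAMPLE_LDIF = """\
dn: cn=Managers,ou=groups,o=example
objectClass: dynamicGroup
dgAllowUnknown: TRUE

dn: cn=Contractors,ou=groups,o=example
objectClass: dynamicGroup
dgIdentity: cn=dgreader,ou=svc,o=example
dgAllowUnknown: FALSE
dgTimeOut: 5

dn: cn=Staff,ou=groups,o=example
objectClass: groupOfNames
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values) into dicts keyed by lowercased attribute name."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # unfold continuation lines
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return (dn, finding) pairs for dynamic groups whose settings deserve review."""
    findings = []
    for e in entries:
        if "dynamicgroup" not in [c.lower() for c in e.get("objectclass", [])]:
            continue  # static groups have none of these settings
        dn = e["dn"][0]
        if not e.get("dgidentity"):
            findings.append((dn, "no identity object set; search runs as [Public]"))
        if e.get("dgallowunknown", ["FALSE"])[0].upper() == "TRUE":
            findings.append((dn, "Allow Unknowns selected; undetermined objects count as members"))
        if e.get("dgtimeout"):
            findings.append((dn, f"Time Out is {e['dgtimeout'][0]}s; confirm it is long enough"))
    return findings

if __name__ == "__main__":
    for dn, msg in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {msg}")
```

A group that appears with both the [Public] and Allow Unknowns findings deserves the closest look when it is used to grant rights, because its membership is evaluated with the least-privileged identity and undetermined objects are counted as members.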