Using Non-Micro Focus Group Objects with LDAP-based Security

LDAP-based security for Enterprise Server through the MLDAP ESM Module now supports additional options for configuring user groups. User groups are typically used to assign access permissions for resources controlled by Enterprise Server.

In earlier releases of Enterprise Server, user groups used the microfocus-MFDS-Group LDAP object class. Group members were specified using microfocus-MFDS-Group-Member, a multi-valued attribute, where each value is an enterprise server user ID.
Note: A user ID is typically the LDAP Common Name, or CN, of a user object, though a different attribute can be configured for the user ID.
Members could also be group names, specified as X group or group X, to indicate nested groups.

In Enterprise Server 3.0 Patch Update 9, Enterprise Server 4.0 Patch Update 1, and later, administrators can configure the MLDAP ESM Module to obtain group information from the LDAP server in one of four ways:

Micro Focus groups
This is the original mechanism described above, with microfocus-MFDS-Group objects specifying members as user IDs in the microfocus-MFDS-Group-Member attribute.
Active Directory groups
When this option is selected, group membership is determined by using objects of the LDAP group class and its member attribute. Members are specified as LDAP Distinguished Names (DNs) of user objects. This is how Microsoft represents Windows user groups in Active Directory, so this mode enables the use of Windows domain groups for enterprise server security.
Custom groups
In this mode, an arbitrary LDAP class name and membership attribute name can be configured. Group members can be any combination of user ID, group name with the "group" prefix or suffix, and user or group Distinguished Name (DN). This is similar to the Micro Focus groups mode, except that the class and attribute names can be configured and members can also be identified by their DNs.
Note: Since DNs are unambiguous, DN group members (for nested groups) do not use the "group" prefix or suffix.
Combined mode
This tells the MLDAP ESM Module to look for both AD groups and custom groups. This enables you to use existing AD groups in conjunction with Windows users, while also adding some groups solely for Enterprise Server.
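
When reviewing who actually receives access through custom groups, the three member forms described above (user ID, "group" prefix or suffix, and DN) have to be flattened into one user list. The following Python code is an added example, not Micro Focus code and not the MLDAP ESM Module's own logic. The directory contents, the `acmeGroup` class, the `acmeMember` attribute and the case-insensitive matching are assumptions made for illustration.

```python
# Constructed sample directory (DN -> entry). "acmeGroup" / "acmeMember" are
# hypothetical names for the configurable group class and membership attribute.
BASE = "dc=example,dc=com"
DIRECTORY = {
    f"cn=alice,ou=users,{BASE}": {"class": "user", "cn": "alice"},
    f"cn=bob,ou=users,{BASE}": {"class": "user", "cn": "bob"},
    f"cn=carol,ou=users,{BASE}": {"class": "user", "cn": "carol"},
    f"cn=ops,ou=groups,{BASE}": {"class": "acmeGroup", "cn": "ops", "acmeMember": [
        "alice",                          # user ID
        "group dba",                      # nested group, "group" prefix
        f"cn=audit,ou=groups,{BASE}"]},   # nested group by DN, no prefix/suffix
    f"cn=dba,ou=groups,{BASE}": {"class": "acmeGroup", "cn": "dba", "acmeMember": [
        f"cn=bob,ou=users,{BASE}",        # user by DN
        "ops group"]},                    # nested group, "group" suffix (cycle)
    f"cn=audit,ou=groups,{BASE}": {"class": "acmeGroup", "cn": "audit",
                                   "acmeMember": ["carol"]},
}

def classify_member(value, directory, group_class="acmeGroup"):
    """Map one membership value to ('user', user_id) or ('group', group_cn)."""
    v = value.strip()
    entry = directory.get(v.lower())      # assumption: case-insensitive DN match
    if entry is not None:                 # DN form: the entry's class decides
        return ("group" if entry["class"] == group_class else "user", entry["cn"])
    if v.lower().startswith("group "):
        return ("group", v[len("group "):].strip())
    if v.lower().endswith(" group"):
        return ("group", v[:-len(" group")].strip())
    return ("user", v)

def effective_users(group_cn, directory, group_class="acmeGroup", attr="acmeMember"):
    """Expand nested groups and return every user ID that ends up in group_cn."""
    groups = {e["cn"]: e for e in directory.values() if e["class"] == group_class}
    users, seen, pending = set(), set(), [group_cn]
    while pending:
        name = pending.pop()
        if name in seen or name not in groups:
            continue                      # cycle, or reference to an unknown group
        seen.add(name)
        for value in groups[name].get(attr, []):
            kind, key = classify_member(value, directory, group_class)
            if kind == "group":
                pending.append(key)
            else:
                users.add(key)
    return users

if __name__ == "__main__":
    for g in ("ops", "dba", "audit"):
        print(g, sorted(effective_users(g, DIRECTORY)))
```

In this constructed data, `ops` and `dba` reference each other, so both expand to the same three users; a review that only reads the direct member list of either group would miss that.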