Directory Services Group Schemas

To retrieve the correct group information when you create queries, you must follow the directory services group schema that your organization has implemented (according to its business or network infrastructure needs). This is an overview of the two most common schemas, illustrating group layout.

Note
If you use Lotus Domino, and your organization follows the Groups by Membership schema, choose the Lotus Domino sample profile on the Server type page of the Directory Services wizard (Configuration > System > Directory Services > Add). If you use Lotus Domino, and your organization follows the Groups by Organizational Unit schema, choose the Lotus (Groups by OU) sample profile.

Groups by Membership

This schema defines group membership by entries within user records. This schema is very common; it is often used in Active Directory and other common directory service deployments, such as Novell eDirectory. (However, the specific attributes and exact structure of your schema may be different from this example.)

The following is an example of an Active Directory deployment schema.

  • o=Acme
    • ou=Users
      • cn=Bob_Bobson
      • cn=Jane_Johnson
      • cn=Tim_Thompson
        • memberOf=cn=Testers,ou=Groups,o=Acme
        • memberOf=cn=Developers,ou=Groups,o=Acme
        • mail=tim.thompson@example.com
      • cn=Dodd_Dobson
        • memberOf=cn=Testers,ou=Groups,o=Acme
        • mail=dodd.dobson@example.com
    • ou=Groups
      • cn=Managers
      • cn=Developers
        • cn=Tim_Thompson,ou=Users,o=Acme
      • cn=Testers
        • member=cn=Tim_Thompson,ou=Users,o=Acme
        • member=cn=Dodd_Dobson,ou=Users,o=Acme

In this schema, membership is primarily defined by entries in user records. (For example, the memberOf attribute contains the Distinguished Names (DNs) of the groups to which a user belongs.) In Active Directory, a group's record also contains cross-references to its members. For example, each member attribute in a group record contains the DN of a user who is a member of the group.

Note
Not all schemas have two-way references. Using memberOf attributes in user records is sufficient to correctly define group membership.

To retrieve the records of all members of a group, the Email Appliance begins queries at the root of the directory tree (in this case, by setting the base DN to o=Acme). For example, a query that retrieves the email addresses of members of the Testers group would retrieve the values of the mail attribute of every user who has a memberOf attribute with the following value: dn=cn=Testers,ou=Groups,o=Acme. The returned list of email addresses can be used to apply group policies on the Configuration > Accounts > User Groups page.

Groups by Organizational Unit

This schema defines group membership by a user's location within the directory tree. This schema is less common. (However, it is occasionally used in Lotus Domino and other customizable directory service deployments.)

The following is an example of a Lotus Domino deployment schema.

  • o=Acme
    • ou=Europe
    • ou=North America
      • ou=Toronto
        • cn=Testers
          • cn=Tim_Thompson
            • mail=tim.thompson@example.com
      • ou=Vancouver
        • cn=Managers
          • cn=Bob_Bobson
            • mail=bob.bobson@example.com
        • cn=Developers
          • cn=Jane_Johnson
            • mail=jane.johnson@example.com
        • cn=Testers
          • cn=Dodd_Dobson
            • mail=dodd.dobson@example.com

In this schema, users are categorized by Organizational Units (OUs) corresponding to regional domains, that is, company branches and cities; user records are located within the more specific OUs. The nested OUs, in turn, contain multiple levels of CNs, corresponding to groups of users and to individual users. Each CN corresponding to a user should have an attribute that holds the user's email address; this is typically the mail attribute.

In this schema, the Email Appliance must begin its queries at the location of the OU/group itself, since it is impossible to retrieve only the users within that OU/group using a query with a base DN set to the root of the directory. (In this schema, there are no cross-reference attributes such as memberOf.) Thus, the base DN must be set to the DN of the group, and the members of the OU/group must all be located within the group.

For example, a query that requests the email address attribute of every user who is a member of the North America group would have the base DN ou=North America,o=Acme, and it would retrieve the email addresses of all users within it (Tim, Bob, Jane and Dodd). However, a query that requests the email addresses of every user in the Toronto Testers group would have the base DN cn=Testers,ou=Toronto,ou=North America,o=Acme, and it would retrieve the email addresses of all users within it (in this case, only Tim Thompson's email address).

Note
In this schema, users are members only of their OU/group and of any parents of that OU/group. For example, Dodd Dobson is a member of the Vancouver Testers group; he is also implicitly a member of the Vancouver and North America groups.

Similarly to the groups-by-membership schema, the returned list of email addresses can be used to apply group policies on the Configuration > Accounts > User Groups page.
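The two query strategies described above, modelled against small in-memory copies of the two example trees, as an added example that is not part of the original page or the appliance's own code (the tree dictionaries and helper names are constructed for illustration; a real server is searched with the same base DN and filter shapes):

```python
# Added example, not from the original page: an in-memory model of the two trees
# above and the two query strategies the text describes. Entries are keyed by DN,
# attribute values are lists (as in LDAP), and escaped commas in DNs are not handled.
# Constructed data mirroring the Groups by Membership tree.
MEMBERSHIP_TREE = {
    "cn=Tim_Thompson,ou=Users,o=Acme": {
        "memberOf": ["cn=Testers,ou=Groups,o=Acme", "cn=Developers,ou=Groups,o=Acme"],
        "mail": ["tim.thompson@example.com"],
    },
    "cn=Dodd_Dobson,ou=Users,o=Acme": {
        "memberOf": ["cn=Testers,ou=Groups,o=Acme"],
        "mail": ["dodd.dobson@example.com"],
    },
    # Bob has no memberOf values, so no group query may return him.
    "cn=Bob_Bobson,ou=Users,o=Acme": {"mail": ["bob.bobson@example.com"]},
}
# Constructed data mirroring the Groups by Organizational Unit tree.
OU_TREE = {
    "cn=Tim_Thompson,cn=Testers,ou=Toronto,ou=North America,o=Acme": {"mail": ["tim.thompson@example.com"]},
    "cn=Bob_Bobson,cn=Managers,ou=Vancouver,ou=North America,o=Acme": {"mail": ["bob.bobson@example.com"]},
    "cn=Jane_Johnson,cn=Developers,ou=Vancouver,ou=North America,o=Acme": {"mail": ["jane.johnson@example.com"]},
    "cn=Dodd_Dobson,cn=Testers,ou=Vancouver,ou=North America,o=Acme": {"mail": ["dodd.dobson@example.com"]},
}

def _norm(dn):
    # DN comparison ignores case and whitespace around the commas separating RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base_dn):
    """True if dn equals base_dn or lies beneath it. Requiring the comma before the
    base prevents a bare string-suffix match on an unrelated DN ending in the same text."""
    dn, base_dn = _norm(dn), _norm(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)

def subtree_search(tree, base_dn, attr=None, value=None):
    """Subtree-scope search under base_dn with an optional (attr=value) equality filter."""
    hits = []
    for dn, attrs in tree.items():
        if in_subtree(dn, base_dn) and (
                attr is None or _norm(value) in (_norm(v) for v in attrs.get(attr, []))):
            hits.append(dn)
    return sorted(hits)

def mails_by_membership(tree, group_dn, root_dn="o=Acme"):
    """Groups by Membership: search from the root for users whose memberOf names the group."""
    return sorted(m for dn in subtree_search(tree, root_dn, "memberOf", group_dn)
                  for m in tree[dn].get("mail", []))
def mails_by_ou(tree, group_dn):
    """Groups by OU: the group's own DN is the base; every mail beneath it belongs to a member."""
    return sorted(m for dn in subtree_search(tree, group_dn) for m in tree[dn].get("mail", []))
```

Searching the OU tree from the root with a memberOf filter returns nothing, which is why that schema needs the group's own DN as the base; the parent-OU queries show the implicit membership the note above describes.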