PingDirectory

Creating dynamic groups

Configure a dynamic group in the same manner as static groups using an LDIF file.

About this task

Dynamic groups contain a membership list of attributes determined by search filter using an LDAP URL. You must use the groupOfURLs object class and the memberURL attribute.

Steps

  1. Use ldapsearch to verify that uid=user.15 is not part of any group.

    1. Assume that uid=user.15 is not part of any group.

      You add the user to the dynamic group in a later step.

      Result:

      dn: uid=user.15,ou=People,dc=example,dc=com

    2. Assume for this example that uid=user.0 has an ou=Engineering attribute indicating that he or she is a member of the engineering department.

      Example:

      $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.0)" ou isMemberOf

      Result:

      dn: uid=user.0,ou=People,dc=example,dc=com
ou: Engineering

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" ou

  2. Open a text editor, and then create a dynamic group entry in LDIF. Save the file as add-dynamic-group.ldif.

    The LDIF defines the dynamic group to include all users who have the ou=Engineering attribute.

    Example:

    dn: cn=eng-staff,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfURLs
ou: groups
cn: eng-staff
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)

  3. Use ldapmodify to add the group entry to the server.

    Example:

    $ bin/ldapmodify --defaultAdd --filename add-dynamic-group.ldif

  4. Use ldapsearch to specifically search the isMemberOf virtual attribute to determine if uid=user.0 is a member of the cn=Engineering group or any other group.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" isMemberOf

    Result:

    dn: uid=user.0,ou=People,dc=example,dc=com
isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com

  5. Run the following command to return the DNs of entries that are part of the cn=eng-staff dynamic group and sort them in ascending order by the sn attribute.

    If your data is relatively small (under 1 million entries), you can search for all users in the group that meet the search criteria (ou=Engineering). For larger databases, it is not practical to run a database-wide search for all users as there can be a performance hit on the PingDirectory server.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com --sortOrder sn \
  "(isMemberOf=cn=eng-staff,ou=groups,dc=example,dc=com)" dn

  6. Add uid=user.15 to the eng-staff group by adding an ou=Engineering attribute to the entry.

    This step highlights an advantage of dynamic groups: you can make a change in an entry without explicitly adding the DN to the group as you would with static groups. The entry is automatically added to the eng-staff dynamic group.

    Example:

    $ bin/ldapmodify
dn: uid=user.15,ou=People,dc=example,dc=com
changetype: modify
add: ou
ou: Engineering

  7. Use ldapsearch to check if the user is part of the cn=eng-staff dynamic group.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" isMemberOf

    Result:

    dn: uid=user.15,ou=People,dc=example,dc=com
isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com