PingDirectory

Creating static groups

Using an LDIF file, you can configure a static group. Static groups contain a membership list of explicit distinguished names (DNs) specified by the uniquemember attribute.

Creating a static group

About this task

To create a static group:

Steps

  1. Open a text editor and create a group entry in LDIF.

    1. Include the groupOfUniquenames object class and uniquemember attributes.

    2. Optional: If you did not have ou=groups set up in your server, add it in the same file.

    3. Save the file.

    Example:

    In the following example, the file is named static-group.ldif.

    This example LDIF file creates two groups: cn=Development and cn=QA.

    dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: cn=Development,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Development
ou: groups
uniquemember: uid=user.14,ou=People,dc=example,dc=com
uniquemember: uid=user.91,ou=People,dc=example,dc=com
uniquemember: uid=user.180,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
ou: groups
uniquemember: uid=user.0,ou=People,dc=example,dc=com
uniquemember: uid=user.1,ou=People,dc=example,dc=com
uniquemember: uid=user.2,ou=People,dc=example,dc=com

  2. To add the group entries to the server, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --defaultAdd --filename static-group.ldif

  3. To verify the configuration, use the virtual attribute isDirectMemberOf that checks membership for a non-nested group.

    The virtual attribute is disabled by default, but you can enable it using dsconfig.

    Example:

    $ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true

  4. To determine if a user is a member of a certain group, use ldapsearch to search the isDirectMemberOf virtual attribute.

    Example:

    This example inquires if uid=user.14 is a member of the cn=Development group.

    This example assumes that the administrator has the privilege to view operational attributes.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf

    Result:

    dn: uid=user.14,ou=People,dc=example,dc=com
isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com

  5. Use the group as a target in access control instructions (ACI).

    1. Open a text editor and create an aci attribute in an LDIF file.

    2. Save the file.

    3. To add the file, use the ldapmodify tool.

    Example:

    In this example, the file is named dev-group-aci.ldif.

    dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///ou=People,dc=example,dc=com")
  (targetattr != "cn || sn || uid")
  (targetfilter ="(ou=Development)")
  (version 3.0; acl "Dev Group Permissions";
    allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)

    You can create a similar ACI for the QA group, which is not shown in the previous example, but is shown in the example for step 1.

  6. To add the file, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --filename dev-group-aci.ldif

Adding a new member to a static group

Steps

  • To add a new member to the group, add a new value for the uniquemember attribute that specifies the DN of the new user.

    Example:

    This example adds a new uniquemember: user.4.

    dn: cn=QA,ou=Groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: uid=user.4,ou=People,dc=example,dc=com

Removing a member from a static group

Steps

  • To remove a member from a static group, remove that user’s DN from the uniquemember attribute.

    Example:

    This example removes the DN of user.1.

    dn: cn=QA,ou=Groups,dc=example,dc=com
changetype: modify
delete: uniquemember
uniquemember: uid=user.1,ou=People,dc=example,dc=com