PingDirectory

Creating static groups

Using an LDIF file, you can configure a static group. Static groups contain a membership list of explicit distinguished names (DNs) specified by the uniquemember attribute.

Creating a static group

About this task

To create a static group:

Steps

  1. Open a text editor and create a group entry in LDIF.

    1. Include the groupOfUniqueNames object class and one uniquemember attribute value per member DN.

    2. Optional: If ou=groups does not already exist in your server, add that entry in the same file.

    3. Save the file.

    Example:

    In the following example, the file is named static-group.ldif.

    This example LDIF file creates two groups: cn=Development and cn=QA.

    dn: ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: organizationalunit
    ou: groups
    
    dn: cn=Development,ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: Development
    ou: groups
    uniquemember: uid=user.14,ou=People,dc=example,dc=com
    uniquemember: uid=user.91,ou=People,dc=example,dc=com
    uniquemember: uid=user.180,ou=People,dc=example,dc=com
    
    dn: cn=QA,ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: QA
    ou: groups
    uniquemember: uid=user.0,ou=People,dc=example,dc=com
    uniquemember: uid=user.1,ou=People,dc=example,dc=com
    uniquemember: uid=user.2,ou=People,dc=example,dc=com
  2. To add the group entries to the server, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --defaultAdd --filename static-group.ldif
  3. To verify the configuration, use the isDirectMemberOf virtual attribute, which reports direct (non-nested) group membership.

    The virtual attribute is disabled by default, but you can enable it using dsconfig.

    Example:

    $ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
  4. To determine if a user is a member of a certain group, use ldapsearch to search the isDirectMemberOf virtual attribute.

    Example:

    This example inquires if uid=user.14 is a member of the cn=Development group.

    This example assumes that the administrator has the privilege to view operational attributes.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf

    Result:

    dn: uid=user.14,ou=People,dc=example,dc=com
    isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
  5. Use the group as a target in access control instructions (ACI).

    1. Open a text editor and create an aci attribute in an LDIF file.

    2. Save the file.

    3. To add the file, use the ldapmodify tool.

    Example:

    In this example, the file is named dev-group-aci.ldif.

    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target ="ldap:///ou=People,dc=example,dc=com")
      (targetattr != "cn || sn || uid")
      (targetfilter ="(ou=Development)")
      (version 3.0; acl "Dev Group Permissions";
        allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)

    You can create a similar ACI for the QA group (cn=QA, created in step 1); it is not shown in the previous example.

  6. To add the file, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --filename dev-group-aci.ldif

Adding a new member to a static group

Steps

  • To add a new member to the group, add a new value for the uniquemember attribute that specifies the DN of the new user.

    Example:

    This example adds uid=user.4 as a new uniquemember value.

    dn: cn=QA,ou=Groups,dc=example,dc=com
    changetype: modify
    add: uniquemember
    uniquemember: uid=user.4,ou=People,dc=example,dc=com

Removing a member from a static group

Steps

  • To remove a member from a static group, remove that user’s DN from the uniquemember attribute.

    Example:

    This example removes the DN of user.1.

    dn: cn=QA,ou=Groups,dc=example,dc=com
    changetype: modify
    delete: uniquemember
    uniquemember: uid=user.1,ou=People,dc=example,dc=com
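The following script is an added example, not part of the PingDirectory documentation or tooling. It reads the static-group LDIF from step 1 of "Creating a static group", answers the same question as the isDirectMemberOf search in step 4 (which groups list a DN directly, without nested-group expansion), and generates the modify LDIF shown under "Adding a new member" and "Removing a member", refusing changes that would be no-ops on the server. The sample LDIF is constructed from the page's entries; the parser is deliberately minimal (no base64 `::` values, no change records) and every function name is this example's own.

```python
"""Offline helper for static groups: parse group LDIF, compute direct
membership, and build add/delete uniquemember modify LDIF. Added example."""

from collections import defaultdict

# Constructed sample: the static-group.ldif entries from the page.
STATIC_GROUP_LDIF = """\
dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: cn=Development,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Development
ou: groups
uniquemember: uid=user.14,ou=People,dc=example,dc=com
uniquemember: uid=user.91,ou=People,dc=example,dc=com
uniquemember: uid=user.180,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
ou: groups
uniquemember: uid=user.0,ou=People,dc=example,dc=com
uniquemember: uid=user.1,ou=People,dc=example,dc=com
uniquemember: uid=user.2,ou=People,dc=example,dc=com
"""


def norm_dn(dn):
    """Case-fold and drop spaces after commas so DNs compare the way the
    server treats them (ou=Groups and ou=groups name the same entry)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: returns {normalized dn: {attr: [values]}}.
    Records are separated by blank lines; a line starting with a space is
    an LDIF continuation and is folded onto the previous line."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs, dn = defaultdict(list), None
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = norm_dn(value)
            else:
                attrs[name].append(value)
        if dn:
            entries[dn] = dict(attrs)
    return entries


def static_groups(entries):
    """Return {group_dn: set(member_dns)} for every groupOfUniqueNames entry;
    other entries (such as ou=groups itself) are skipped."""
    groups = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofuniquenames" in classes:
            groups[dn] = {norm_dn(m) for m in attrs.get("uniquemember", [])}
    return groups


def direct_member_of(groups, user_dn):
    """Groups that list user_dn directly: what isDirectMemberOf reports for
    that entry. Nested groups are intentionally not expanded. Returns
    normalized (lower-cased) group DNs, sorted."""
    user = norm_dn(user_dn)
    return sorted(g for g, members in groups.items() if user in members)


def member_change_ldif(groups, group_dn, user_dn, op):
    """Build the modify LDIF from the page for op 'add' or 'delete'.
    Refuses a no-op, which the server would reject anyway (LDAP result
    attributeOrValueExists for a duplicate add, noSuchAttribute for a
    delete of a value that is not present)."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    present = norm_dn(user_dn) in groups[norm_dn(group_dn)]
    if op == "add" and present:
        raise ValueError(f"{user_dn} is already a member of {group_dn}")
    if op == "delete" and not present:
        raise ValueError(f"{user_dn} is not a member of {group_dn}")
    return (f"dn: {group_dn}\nchangetype: modify\n{op}: uniquemember\n"
            f"uniquemember: {user_dn}\n")


if __name__ == "__main__":
    grps = static_groups(parse_ldif(STATIC_GROUP_LDIF))
    print(direct_member_of(grps, "uid=user.14,ou=People,dc=example,dc=com"))
    print(member_change_ldif(grps, "cn=QA,ou=Groups,dc=example,dc=com",
                             "uid=user.4,ou=People,dc=example,dc=com", "add"))
```

Running the script against an LDIF export of ou=groups (for example the output of a scripted ldapsearch) gives a quick offline cross-check of who is a direct member of which group, and the no-op guard in member_change_ldif keeps batch membership changes from failing half-way through when a DN is already present or already gone.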