PingDirectory

Migrating static groups to virtual static groups

About this task

In many cases, using virtual static groups in place of static groups can produce marked performance gains without having to update client applications. Migrating to virtual static groups varies depending on the original directory information tree (DIT), but the general approach involves identifying common membership traits for all members of each group and then expressing those traits in the form of an LDAP URL.

For this task, consider the following:

  • The common membership trait for all members of the All Users group is the parent distinguished name (DN) ou=People,dc=example,dc=com.

  • In other cases, a common attribute might need to be used. For example, groups based on the location of their members could use the l (location) or st (state) attribute.

  • The example in this task is the common case of an All Users group, which contains all entries under the parent DN ou=People,dc=example,dc=com.

  • When implemented as a virtual static group, this group can have a large membership set without incurring the overhead of a static group.

To migrate Oracle Directory Server Enterprise Edition static groups to virtual static groups:

Steps

  1. Create a dynamic group.

    Example:

    dn: cn=Dynamic All Users,ou=Groups,dc=example,dc=com
    objectClass: top
    objectClass: groupOfURLs
    cn: Dynamic All Users
    memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)

  2. Create a virtual static group that references the dynamic group.

    Example:

    dn: cn=All Users,ou=Groups,dc=example,dc=com
    objectClass: top
    objectClass: groupOfUniqueNames
    objectClass: ds-virtual-static-group
    cn: All Users
    ds-target-group-dn: cn=Dynamic All Users,ou=Groups,dc=example,dc=com

  3. To populate the All Users group with uniqueMember virtual attributes, enable the Virtual Static uniqueMember virtual attribute.

    Example:

    $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
      --set enabled:true

  4. To confirm that the virtual static group is correctly configured, check a user’s membership in the group.

    Example:

    $ bin/ldapsearch --baseDN "cn=All Users,ou=Groups,dc=example,dc=com" \
      --searchScope base "(uniqueMember=uid=user.0,ou=People,dc=example,dc=com)" 1.1

    Result:

    dn: cn=All Users,ou=Groups,dc=example,dc=com

  5. If a client application requires it, enable the ability to list all members of a virtual static group.

    By default, this feature is disabled.

    Example:

    $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
      --set allow-retrieving-membership:true

    You can implement the virtual static group using the groupOfNames object class instead of groupOfUniqueNames. To do this, update the Virtual Static member configuration object instead of the Virtual Static uniqueMember configuration object.
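
Because group membership usually drives access decisions, it is worth checking before cutover that the memberURL selects exactly the DNs the static group held. The following Python sketch is an added example, not part of the PingDirectory documentation or tooling: the function names are hypothetical, the entries and static member list are constructed sample data, DN normalization is simplified, and only scope sub with a single equality or presence filter is evaluated.

```python
from urllib.parse import unquote

def norm_dn(dn):
    """Crude DN normalization; assumes no escaped commas, as in the sample DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_member_url(url):
    """Split a host-less RFC 4516 LDAP URL into (base DN, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    base, _attrs, scope, flt = (url[8:].split("?") + ["", "", ""])[:4]
    return norm_dn(unquote(base)), scope or "base", unquote(flt) or "(objectClass=*)"

def matches(dn, attrs, base, scope, flt):
    """Evaluate one entry; only scope=sub and a single (attr=value) filter are handled."""
    attr, _, value = flt.strip("()").partition("=")
    if scope != "sub" or flt.count("(") != 1 or not value or (value != "*" and "*" in value):
        raise NotImplementedError("sketch covers scope=sub and one equality/presence filter")
    dn = norm_dn(dn)
    in_scope = dn == base or dn.endswith("," + base)
    values = {v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs}
    hit = bool(values) if value == "*" else value.lower() in values
    return in_scope and hit

def membership_drift(member_url, static_members, entries):
    """Return (gained, lost): DNs the dynamic criteria add or drop versus the static group."""
    base, scope, flt = parse_member_url(member_url)
    dynamic = {norm_dn(dn) for dn, a in entries.items() if matches(dn, a, base, scope, flt)}
    static = {norm_dn(dn) for dn in static_members}
    return sorted(dynamic - static), sorted(static - dynamic)

# Constructed sample data, not taken from a real directory.
MEMBER_URL = "ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)"
ENTRIES = {
    "uid=user.0,ou=People,dc=example,dc=com": {"objectClass": ["top", "person"]},
    "uid=user.1,ou=People,dc=example,dc=com": {"objectClass": ["top", "person"]},
    "uid=backup,ou=Services,ou=People,dc=example,dc=com": {"objectClass": ["top", "person"]},
    "uid=vendor.7,ou=Partners,dc=example,dc=com": {"objectClass": ["top", "person"]},
}
STATIC_MEMBERS = [
    "uid=user.0,ou=People,dc=example,dc=com",
    "uid=user.1, ou=People, dc=example, dc=com",
    "uid=vendor.7,ou=Partners,dc=example,dc=com",
]

if __name__ == "__main__":
    gained, lost = membership_drift(MEMBER_URL, STATIC_MEMBERS, ENTRIES)
    print("would gain membership:", gained)
    print("would lose membership:", lost)
```

Any DN in the first list would pick up whatever access the group grants once the virtual static group replaces the static one, so review it before switching clients over.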