--- title: Creating dynamic groups description: Configure a dynamic group in the same manner as static groups using an LDIF file. component: pingdirectory version: 11.0 page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_create_dynamic_groups canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_create_dynamic_groups.html revdate: May 10, 2024 section_ids: about-this-task: About this task steps: Steps result: Result: example: Example: result-2: Result: example-2: Example: example-3: Example: example-4: Example: example-5: Example: result-3: Result: example-6: Example: example-7: Example: example-8: Example: result-4: Result: --- # Creating dynamic groups Configure a dynamic group in the same manner as static groups using an LDIF file. ## About this task Dynamic groups contain a membership list of attributes determined by search filter using an LDAP URL. You must use the `groupOfURLs` object class and the `memberURL` attribute. ## Steps 1. Use `ldapsearch` to verify that `uid=user.15` is not part of any group. 1. Assume that `uid=user.15` is not part of any group. You add the user to the dynamic group in a later step. ### Result: ``` dn: uid=user.15,ou=People,dc=example,dc=com ``` 2. Assume for this example that `uid=user.0` has an `ou=Engineering` attribute indicating that he or she is a member of the engineering department. ### Example: ```shell $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.0)" ou isMemberOf ``` ### Result: ``` dn: uid=user.0,ou=People,dc=example,dc=com ou: Engineering ``` ### Example: ```shell $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" ou ``` 2. Open a text editor, and then create a dynamic group entry in LDIF. Save the file as `add-dynamic-group.ldif`. The LDIF defines the dynamic group to include all users who have the `ou=Engineering` attribute. ### Example: ``` dn: cn=eng-staff,ou=groups,dc=example,dc=com objectclass: top objectclass: groupOfURLs ou: groups cn: eng-staff memberURL: ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering) ``` 3. Use `ldapmodify` to add the group entry to the server. ### Example: ```shell $ bin/ldapmodify --defaultAdd --filename add-dynamic-group.ldif ``` 4. Use `ldapsearch` to specifically search the `isMemberOf` virtual attribute to determine if `uid=user.0` is a member of the `cn=Engineering` group or any other group. ### Example: ```shell $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" isMemberOf ``` ### Result: ``` dn: uid=user.0,ou=People,dc=example,dc=com isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com ``` 5. Run the following command to return the DNs of entries that are part of the `cn=eng-staff` dynamic group and sort them in ascending order by the `sn` attribute. If your data is relatively small (under 1 million entries), you can search for all users in the group that meet the search criteria (`ou=Engineering`). For larger databases, it is not practical to run a database-wide search for all users as there can be a performance hit on the PingDirectory server. ### Example: ```shell $ bin/ldapsearch --baseDN dc=example,dc=com --sortOrder sn \ "(isMemberOf=cn=eng-staff,ou=groups,dc=example,dc=com)" dn ``` 6. Add `uid=user.15` to the `eng-staff` group by adding an `ou=Engineering` attribute to the entry. This step highlights an advantage of dynamic groups: you can make a change in an entry without explicitly adding the DN to the group as you would with static groups. The entry is automatically added to the `eng-staff` dynamic group. ### Example: ```shell $ bin/ldapmodify dn: uid=user.15,ou=People,dc=example,dc=com changetype: modify add: ou ou: Engineering ``` 7. Use `ldapsearch` to check if the user is part of the `cn=eng-staff` dynamic group. ### Example: ```shell $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" isMemberOf ``` ### Result: ``` dn: uid=user.15,ou=People,dc=example,dc=com isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com ```