---
title: Creating static groups
description: Using an LDIF file, you can configure a static group. Static groups contain a membership list of explicit distinguished names (DNs) specified by the uniquemember attribute.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_create_static_groups
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_create_static_groups.html
revdate: September 13, 2023
page_aliases: ["pd_ds_creating_a_static_group.adoc", "pd_ds_add_new_member_static_group.adoc", "pd_ds_remove_member_from_static_group.adoc"]
section_ids:
  creating-a-static-group: Creating a static group
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  example-4: Example:
  result: Result:
  example-5: Example:
  example-6: Example:
  adding-a-new-member-to-a-static-group: Adding a new member to a static group
  steps-2: Steps
  example-7: Example:
  removing-a-member-from-a-static-group: Removing a member from a static group
  steps-3: Steps
  example-8: Example:
---

# Creating static groups

Using an LDIF file, you can configure a static group. Static groups contain a membership list of explicit distinguished names (DNs) specified by the `uniquemember` attribute.

## Creating a static group

### About this task

To create a static group:

### Steps

1. Open a text editor and create a group entry in LDIF.

   1. Include the `groupOfUniqueNames` object class and `uniquemember` attributes.

   2. (Optional) If `ou=groups` is not already set up on your server, add it in the same file.

   3. Save the file.

      #### Example:

      In the following example, the file is named `static-group.ldif`.

      This example LDIF file creates two groups: `cn=Development` and `cn=QA`.

      ```
      dn: ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: groups

      dn: cn=Development,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: Development
      ou: groups
      uniquemember: uid=user.14,ou=People,dc=example,dc=com
      uniquemember: uid=user.91,ou=People,dc=example,dc=com
      uniquemember: uid=user.180,ou=People,dc=example,dc=com

      dn: cn=QA,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: QA
      ou: groups
      uniquemember: uid=user.0,ou=People,dc=example,dc=com
      uniquemember: uid=user.1,ou=People,dc=example,dc=com
      uniquemember: uid=user.2,ou=People,dc=example,dc=com
      ```

2. To add the group entries to the server, use the `ldapmodify` tool.

   #### Example:

   ```shell
   $ bin/ldapmodify --defaultAdd --filename static-group.ldif
   ```

3. To verify the configuration, use the `isDirectMemberOf` virtual attribute, which checks membership for a non-nested group.

   The virtual attribute is disabled by default, but you can enable it using `dsconfig`.

   #### Example:

   ```shell
   $ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
   ```

4. To determine if a user is a member of a certain group, use `ldapsearch` to search the `isDirectMemberOf` virtual attribute.

   #### Example:

   This example checks whether `uid=user.14` is a member of the `cn=Development` group.

   This example assumes that the administrator has the privilege to view operational attributes.

   ```shell
   $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf
   ```

   #### Result:

   ```
   dn: uid=user.14,ou=People,dc=example,dc=com
   isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
   ```

5. Use the group as a target in access control instructions (ACI).

   1. Open a text editor and create an `aci` attribute in an LDIF file.

   2. Save the file.

   3. To add the file, use the `ldapmodify` tool.

      #### Example:

      In this example, the file is named `dev-group-aci.ldif`.

      ```
      dn: ou=People,dc=example,dc=com
      changetype: modify
      add: aci
      aci: (target ="ldap:///ou=People,dc=example,dc=com")
        (targetattr != "cn || sn || uid")
        (targetfilter ="(ou=Development)")
        (version 3.0; acl "Dev Group Permissions";
          allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)
      ```

      Note: You can create a similar ACI for the QA group, which is not shown in the previous example, but is shown in the example for step 1.

6. To add the file, use the `ldapmodify` tool.

   #### Example:

   ```shell
   $ bin/ldapmodify --filename dev-group-aci.ldif
   ```

## Adding a new member to a static group

### Steps

* To add a new member to the group, add a new value for the `uniquemember` attribute that specifies the DN of the new user.

  #### Example:

  This example adds a new `uniquemember`: `user.4`.

  ```
  dn: cn=QA,ou=Groups,dc=example,dc=com
  changetype: modify
  add: uniquemember
  uniquemember: uid=user.4,ou=People,dc=example,dc=com
  ```

## Removing a member from a static group

### Steps

* To remove a member from a static group, remove that user's DN from the `uniquemember` attribute.

  #### Example:

  This example removes the DN of `user.1`.

  ```
  dn: cn=QA,ou=Groups,dc=example,dc=com
  changetype: modify
  delete: uniquemember
  uniquemember: uid=user.1,ou=People,dc=example,dc=com
  ```
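
Because the ACI in step 5 grants write access through group membership, it helps to preview what a change file does to a group before passing it to `ldapmodify`. The following is an added example, not part of the PingDirectory documentation or tooling: it applies the add and remove records from the two sections above to an abridged, constructed copy of the `cn=QA` entry, comparing DNs case-insensitively so that `ou=Groups` and `ou=groups` match. The function names (`norm_dn`, `parse_records`, `preview`) are hypothetical.

```python
import re

# Constructed sample input, abridged from the QA group and change records on this page.
GROUP_LDIF = """dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: uid=user.0,ou=People,dc=example,dc=com
uniquemember: uid=user.1,ou=People,dc=example,dc=com"""
CHANGE_LDIF = """dn: cn=QA,ou=Groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: uid=user.4,ou=People,dc=example,dc=com
-
delete: uniquemember
uniquemember: uid=user.1,ou=People,dc=example,dc=com"""

def norm_dn(dn):
    """Lowercase and strip spaces around ',' and '=' (escaped commas not handled)."""
    return ",".join("=".join(p.strip().lower() for p in r.split("=", 1)) for r in dn.split(","))

def parse_records(ldif):
    """Split LDIF into records, each a list of (lowercased attr, value) pairs."""
    records = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        pairs = []
        for line in block.splitlines():
            if line.startswith(" ") and pairs:        # folded continuation line
                pairs[-1] = (pairs[-1][0], pairs[-1][1] + line[1:])
            elif ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                pairs.append((attr.strip().lower(), value.strip()))
        records.append(pairs)
    return records

def preview(group_ldif, change_ldif):
    """Apply uniquemember add/delete records to known groups; return (membership, warnings)."""
    groups, warnings = {}, []
    for rec in parse_records(group_ldif):
        if ("objectclass", "groupofuniquenames") in [(a, v.lower()) for a, v in rec]:
            groups[norm_dn(dict(rec).get("dn", ""))] = {norm_dn(v) for a, v in rec if a == "uniquemember"}
    for rec in parse_records(change_ldif):
        members, op = groups.get(norm_dn(dict(rec).get("dn", ""))), None
        for attr, value in rec:
            if attr in ("add", "delete", "replace"):
                op = attr if value.lower() == "uniquemember" else None
            elif attr == "uniquemember" and members is not None and op in ("add", "delete"):
                if (norm_dn(value) in members) == (op == "add"):
                    warnings.append(f"{op} has no effect: {value}")
                (members.add if op == "add" else members.discard)(norm_dn(value))
    return groups, warnings
```

Calling `preview(GROUP_LDIF, CHANGE_LDIF)` returns the resulting member set for each group plus a list of changes that would add an existing member or remove a DN that is not in the group.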
