---
title: Searching dynamic groups
description: The following sections describe how to compose searches to determine if a user is a member of a dynamic group, to determine all the dynamic groups in which a user is a member, and to determine all the members of a dynamic group.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_search_dynamic_groups
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_search_dynamic_groups.html
revdate: September 13, 2023
page_aliases: ["pd_ds_determine_user_dynamic_group_member.adoc", "pd_ds_determine_dynamic_group_user_belongs.adoc", "pd_ds_determine_members_of_dynamic_group.adoc"]
section_ids:
  determining-if-a-user-is-a-dynamic-group-member: Determining if a user is a dynamic group member
  steps: Steps
  example: Example:
  example-2: Example:
  result: Result:
  determining-the-dynamic-groups-to-which-a-user-belongs: Determining the dynamic groups to which a user belongs
  steps-2: Steps
  example-3: Example:
  example-4: Example:
  result-2: Result:
  determining-the-members-of-a-dynamic-group: Determining the members of a dynamic group
  steps-3: Steps
  example-5: Example:
  example-6: Example:
---

# Searching dynamic groups

The following sections describe how to compose searches to determine if a user is a member of a dynamic group, to determine all the dynamic groups in which a user is a member, and to determine all the members of a dynamic group.

## Determining if a user is a dynamic group member

### Steps

* To determine whether a user is a member of a specific dynamic group, run a base-level search to verify both that the user's entry is within the scope of the member URL and that it matches the filter contained in that URL.

  |   |                                                                                                                                                                                                                                                                                                                                                                                                             |
  | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | You can verify that a user's entry is within the scope of the URL using simple client-side only processing. Evaluating the filter against the entry on the client side is more complicated. While possible, especially in clients able to perform schema-aware evaluation, a simple alternative is to perform a base-level search to retrieve the user's entry with the filter contained in the member URL. |

  #### Example:

  This table contains the search criteria to determine if the user `uid=john.doe,ou=People,dc=example,dc=com` is a member of a dynamic group whose member URL contains the filter `(ou=Engineering)`.

  |                      |                                            |
  | -------------------- | ------------------------------------------ |
  | Base DN              | `uid=john.doe,ou=People,dc=example,dc=com` |
  | Scope                | `base`                                     |
  | Filter               | `(ou=Engineering)`                         |
  | Requested Attributes | `1.1`                                      |

  #### Example:

  ```shell
  $ bin/ldapsearch --baseDN "uid=john.doe,ou=People,dc=example,dc=com" \
    --searchScope base "(ou=Engineering)" "1.1"
  ```

  |   |                                                                                                                               |
  | - | ----------------------------------------------------------------------------------------------------------------------------- |
  |   | The search requires the user DN to be under the search base defined in the `memberURL` attribute for the user to be a member. |

  #### Result:

  If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.

## Determining the dynamic groups to which a user belongs

### Steps

* To determine the set of all dynamic groups in which a user is a member, perform a search to find all dynamic group entries defined in the server using a subtree search with a filter of `(objectClass=groupOfURLs)`.

  |   |                                                                                                                                                                                            |
  | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
  |   | You should retrieve the `memberURL` attribute so that you can use the logic described in the previous section to determine whether the specified user is a member of each of those groups. |

  #### Example:

  The following table contains the search criteria to determine the set of all dynamic groups defined in the `dc=example,dc=com` tree.

  |                      |                             |
  | -------------------- | --------------------------- |
  | Base DN              | `dc=example,dc=com`         |
  | Scope                | `sub`                       |
  | Filter               | `(objectClass=groupOfURLs)` |
  | Requested Attributes | `memberURL`                 |

  #### Example:

  ```shell
  $ bin/ldapsearch --baseDN "dc=example,dc=com" \
    --searchScope sub "(objectClass=groupOfURLs)" "memberURL"
  ```

  #### Result:

  Each entry returned is a dynamic group definition. You can use the base, scope, and filter of its `memberURL` attribute to determine whether the user is a member of that dynamic group.
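The membership logic from the two sections above, as an added example (not PingDirectory code): it parses a `memberURL` value, performs the client-side scope check, and builds the base-level `ldapsearch` arguments only for groups whose base and scope cover the user's DN. The group DNs and `memberURL` values are constructed, the function names are hypothetical, and DN comparison is a simplified case-insensitive RDN match rather than schema-aware normalization.

```python
import re
import shlex
from urllib.parse import unquote

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    tail = rest.partition("/")[2]                  # drop the optional host:port
    dn, _attrs, scope, flt = (tail.split("?") + [""] * 3)[:4]
    scope = unquote(scope).lower() or "base"       # RFC 4516 default scope
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unsupported scope: {scope!r}")
    return unquote(dn), scope, unquote(flt) or "(objectClass=*)"

def rdns(dn):
    """Naive split on unescaped commas, lower-cased (simplification, not schema-aware)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def in_scope(user_dn, base_dn, scope):
    """Client-side check; compares whole RDNs, so a plain string-suffix match cannot pass."""
    user, base = rdns(user_dn), rdns(base_dn)
    if len(user) < len(base) or (base and user[-len(base):] != base):
        return False
    depth = len(user) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def membership_check(user_dn, member_url):
    """Return the base-level ldapsearch argv that confirms membership, or None if out of scope."""
    base_dn, scope, flt = parse_member_url(member_url)
    if not in_scope(user_dn, base_dn, scope):
        return None
    return ["bin/ldapsearch", "--baseDN", user_dn, "--searchScope", "base", flt, "1.1"]

# Constructed sample: group DN -> memberURL, as a groupOfURLs search would return them.
GROUPS = {
    "cn=Engineering,ou=Groups,dc=example,dc=com": "ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)",
    "cn=Contractors,ou=Groups,dc=example,dc=com": "ldap:///dc=example,dc=com??one?(employeeType=contractor)",
    "cn=Partners,ou=Groups,dc=example,dc=com": "ldap:///ou=Partners,dc=example,dc=com??sub?(objectClass=person)",
}

def checks_for(user_dn, groups=GROUPS):
    """Map each group whose base and scope cover user_dn to the search that tests its filter."""
    return {g: argv for g, url in groups.items() if (argv := membership_check(user_dn, url))}

if __name__ == "__main__":
    for group_dn, argv in checks_for("uid=john.doe,ou=People,dc=example,dc=com").items():
        print(group_dn, "->", shlex.join(argv))
```

A user whose entry matches a group's filter but sits outside that group's base DN or scope never gets a search issued, which is the over-grant a filter-only check would miss.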

## Determining the members of a dynamic group

### Steps

* To determine all members of a dynamic group, issue a search using the base, scope, and filter of the member URL.

  |   |                                                                                                                                          |
  | - | ---------------------------------------------------------------------------------------------------------------------------------------- |
  |   | The set of requested attributes should reflect the attributes desired from the member user entries or "1.1" if no attributes are needed. |

  #### Example:

  This table contains the search criteria to retrieve the `cn` and `mail` attributes of all members of a dynamic group whose member URL has the base DN `dc=example,dc=com`, the scope `sub`, and the filter `(employeeType=contractor)`.

  |                      |                             |
  | -------------------- | --------------------------- |
  | Base DN              | `dc=example,dc=com`         |
  | Scope                | `sub`                       |
  | Filter               | `(employeeType=contractor)` |
  | Requested Attributes | `cn, mail`                  |

  #### Example:

  |   |                                                                                                                            |
  | - | -------------------------------------------------------------------------------------------------------------------------- |
  |   | This search might be expensive if the associated filter is not indexed or if the group contains a large number of members. |

  ```shell
  $ bin/ldapsearch --baseDN "dc=example,dc=com" \
    --searchScope sub "(employeeType=contractor)" cn mail
  ```
