--- title: Searching static groups description: The following section provides a description of how to compose searches to determine if a user is a member of a static group, to determine all the static groups in which a user is a member, and to determine all the members of a static group. component: pingdirectory version: 11.0 page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_search_static_groups canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_search_static_groups.html revdate: September 13, 2023 page_aliases: ["pd_ds_determine_user_static_group_member.adoc", "pd_ds_determine_static_groups_user_belongs.adoc", "pd_ds_determine_mimbers_of_static_group.adoc"] section_ids: determining-if-a-user-is-a-static-group-member: Determining if a user is a static group member steps: Steps example: Example: example-2: Example: result: Result: example-3: Example: determining-the-static-groups-to-which-a-user-belongs: Determining the static groups to which a user belongs steps-2: Steps example-4: Example: example-5: Example: result-2: Result: determining-the-members-of-a-static-group: Determining the members of a static group steps-3: Steps example-6: Example: example-7: Example: result-3: Result: --- # Searching static groups The following section provides a description of how to compose searches to determine if a user is a member of a static group, to determine all the static groups in which a user is a member, and to determine all the members of a static group. ## Determining if a user is a static group member ### Steps * To determine if a user is a member of a specified group, perform a base-level search to retrieve the group entry with an equality filter looking for the membership attribute of a value equal to the distinguished name (DN) of the specified user. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | For best performance, include a specific attribute list, using either `cn`, or a `1.1` request that no attributes be returned, so that the entire member list is not returned. | #### Example: This table contains the search criteria to determine if the user `uid=john.doe,ou=People,dc=example,dc=com` is a member of the `groupOfNames` static group "`cn=Test Group,ou=Groups,dc=example,dc=com`". | | | | -------------------- | --------------------------------------------------- | | Base DN | `cn=Test Group,ou=Groups,dc=example,dc=com` | | Scope | `base` | | Filter | `(member=uid=john.doe,ou=People,dc=example,dc=com)` | | Requested attributes | `1.1` | #### Example: ```shell $ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" --searchScope base "(member=uid=john.doe,ou=People,dc=example,dc=com)" "1.1" ``` #### Result: If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group. * If you do not know if the membership attribute for the specified group is `member` or `uniqueMember`, then revise the filter to allow either attribute. #### Example: This example adjusts the filter from the previous step's example to expand the membership attribute to allow for `member` and `uniqueMember` attributes. ``` (|(member=uid=john.doe,ou=People,dc=example,dc=com)(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com)) ``` ## Determining the static groups to which a user belongs ### Steps * To determine the set of all static groups in which a user is specified as a member, perform a subtree search based at the top of the directory information tree (DIT). | | | | - | ------------------------------------------------------------------------------------------------------ | | | Configure the search filter to match any type of static group in which the specified user is a member. | #### Example: The following table contains the search criteria to determine the set of all static groups in which the user `uid=john.doc,ou=People,dc=example,dc=com` is a member. | | | | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Base DN | `dc=example,dc=com` | | Scope | `sub` | | Filter | `(\|(&(objectClass=groupOfNames) (member=uid=john.doe,ou=People,dc=example,dc=com)) (&(objectClass=groupOfUniqueNames)(uniqueMem- ber=uid=john.doe,ou=People,dc=example,dc=com)) (&(objectClass=groupOfEntries) (member=uid=john.doe,ou=People,dc=example,dc=com)))` | | Requested attributes | `1.1` | #### Example: ```shell $ bin/ldapsearch --baseDN "dc=example,dc=com" --searchScope sub \ "(|(&(objectClass=groupOfNames) (member=uid=john.doe,ou=People,dc=example,dc=com)) \ (&(objectClass=groupOfUniqueNames)\ (uniqueMember=uid=john.doe,ou=People,dc=example,dc=com)) \ (&(objectClass=groupOfEntries) \ (member=uid=john.doe,ou=People,dc=example,dc=com)))" "1.1" ``` #### Result: Entries returned from the search represent each static group in which the specified user is a member. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | A base level search of the user's entry for `isMemberOf` or `isDirectMemberOf` virtual attributes gives the same results. You can also use the virtual attributes with virtual static groups. | ## Determining the members of a static group ### Steps * To determine all of the members for a static group, retrieve the group entry, including the membership attribute. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To retrieve attributes from member entries, search all users whose `isMemberOf` attribute contains the group DN, returning the attributes desired.To retrieve additional information about the members, such as attributes from member entries, issue a separate search for each member to retrieve the user entry and the desired attributes. | #### Example: This table contains the search criteria to retrieve the list of all members for the group `cn=Test Group,ou=Groups,dc=example,dc=com`. | | | | -------------------- | ------------------------------------------- | | Base DN | `cn=Test Group,ou=Groups,dc=example,dc=com` | | Scope | `base` | | Filter | `(objectClass=*)` | | Requested attributes | `member uniqueMember` | #### Example: ```shell $ bin/ldapsearch --baseDN "cn=Test Group,ou=Groups,dc=example,dc=com" \ --searchScope base "(objectclass=*)" uniqueMember ``` #### Result: The returned entry includes the DNs of all users that are members of that group.