PingDirectory

Creating a static group

About this task

To create a static group:

Steps

  1. Open a text editor and create a group entry in LDIF.

    1. Include the groupOfUniqueNames object class and a uniquemember attribute for each member.

    2. Optional: If ou=groups is not already set up in your server, add it in the same file.

    3. Save the file.

      Example:

      In the following example, the file is named static-group.ldif.

      This example LDIF file creates two groups: cn=Development and cn=QA.

      dn: ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: groups
      
      dn: cn=Development,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: Development
      ou: groups
      uniquemember: uid=user.14,ou=People,dc=example,dc=com
      uniquemember: uid=user.91,ou=People,dc=example,dc=com
      uniquemember: uid=user.180,ou=People,dc=example,dc=com
      
      dn: cn=QA,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: QA
      ou: groups
      uniquemember: uid=user.0,ou=People,dc=example,dc=com
      uniquemember: uid=user.1,ou=People,dc=example,dc=com
      uniquemember: uid=user.2,ou=People,dc=example,dc=com
  2. To add the group entries to the server, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --defaultAdd --filename static-group.ldif
  3. To verify the configuration, use the isDirectMemberOf virtual attribute, which reports membership in non-nested groups.

    The virtual attribute is disabled by default, but you can enable it using dsconfig.

    Example:

    $ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
  4. To determine whether a user is a member of a certain group, use ldapsearch to read the isDirectMemberOf virtual attribute.

    Example:

    This example asks whether uid=user.14 is a member of the cn=Development group.

    This example assumes that the administrator has the privilege to view operational attributes.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf

    Result:

    dn: uid=user.14,ou=People,dc=example,dc=com
    isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
  5. Use the group as a target in access control instructions (ACI).

    1. Open a text editor and create an aci attribute in an LDIF file.

    2. Save the file.

    3. To add the file, use the ldapmodify tool, as shown in step 6.

      Example:

      In this example, the file is named dev-group-aci.ldif.

      dn: ou=People,dc=example,dc=com
      changetype: modify
      add: aci
      aci: (target ="ldap:///ou=People,dc=example,dc=com")
        (targetattr != "cn || sn || uid")
        (targetfilter ="(ou=Development)")
        (version 3.0; acl "Dev Group Permissions";
          allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)

      You can create a similar ACI for the QA group created in the example for step 1; it is not shown here.

  6. To add the file, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --filename dev-group-aci.ldif