PingDirectory

Using static groups

A static group contains an explicit membership list where each member is represented as a distinguished name (DN)-valued attribute.

There are three types of static groups supported for use in the PingDirectory server: groupOfNames, groupOfUniqueNames, and groupOfEntries. A description for each follows:

groupOfNames

A static group that is defined with the groupOfNames structural object class and uses the member attribute to hold the DNs of its members.

RFC 4519 requires that the member attribute be present in the entry. The PingDirectory server relaxes this restriction by making the member attribute optional, so that the last member of the group can be removed. The following entry shows a group defined with the groupOfNames object class.

dn: cn=Test Group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Test Group
member: uid=user.1,ou=People,dc=example,dc=com
member: uid=user.2,ou=People,dc=example,dc=com
member: uid=user.3,ou=People,dc=example,dc=com

groupOfUniqueNames

A static group that is defined with the groupOfUniqueNames structural object class and uses the uniquemember attribute to hold the DNs of its members.

RFC 4519 requires that the uniquemember attribute be present in the entry. The PingDirectory server relaxes this restriction by making the uniquemember attribute optional, so that the last member of the group can be removed. The following entry shows a group defined with the groupOfUniqueNames object class.

dn: cn=Test Group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Test Group
uniquemember: uid=user.1,ou=People,dc=example,dc=com
uniquemember: uid=user.2,ou=People,dc=example,dc=com
uniquemember: uid=user.3,ou=People,dc=example,dc=com

groupOfEntries

A static group that is defined with the groupOfEntries object class and uses the member attribute to hold the DNs of its members.

This object class specifies that the member attribute is optional, so that the last member can be removed from the group. Although the draft proposal (draft-findlay-ldap-groupofentries-00.txt) has expired, the PingDirectory server supports this implementation. The following entry shows a group defined with the groupOfEntries object class.

dn: cn=Test Group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfEntries
cn: Test Group
member: uid=user.1,ou=People,dc=example,dc=com
member: uid=user.2,ou=People,dc=example,dc=com
member: uid=user.3,ou=People,dc=example,dc=com
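
Because membership is held in member for groupOfNames and groupOfEntries but in uniquemember for groupOfUniqueNames, and a group can be left with no members at all, an access review of an LDIF export has to account for both. The following Python is an added example, not PingDirectory code: it lists the static groups a DN belongs to and reports empty groups. The function names, the sample entries, and the simplified DN comparison are assumptions.

```python
# Added example: member attribute for each static group object class on this page.
MEMBER_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniquemember",
               "groupofentries": "member"}

def parse_ldif(text):
    """Parse LF-terminated LDIF into a list of {lowercased attribute: [values]}."""
    entries = []
    for record in text.replace("\n ", "").split("\n\n"):  # unfold, split records
        entry = {}
        for line in record.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def norm_dn(dn):
    # Assumption: simplified DN matching (case-insensitive, spaces around commas
    # ignored); escaped commas and base64 (attr::) values are not handled.
    return ",".join(p.strip() for p in dn.lower().split(","))

def static_groups(entries):
    """Yield (group DN, set of normalized member DNs) for each static group."""
    for e in entries:
        attrs = {MEMBER_ATTR.get(oc.lower()) for oc in e.get("objectclass", [])} - {None}
        if attrs:
            yield e["dn"][0], {norm_dn(m) for a in attrs for m in e.get(a, [])}

def groups_for(entries, user_dn):
    return sorted(g for g, m in static_groups(entries) if norm_dn(user_dn) in m)

def empty_groups(entries):
    return sorted(g for g, m in static_groups(entries) if not m)

# Constructed, abbreviated sample (not from the page): mixed-case attribute
# names, a folded line, and a group with no members.
SAMPLE = """\
dn: cn=Admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=user.1,ou=People,dc=example,dc=com

dn: cn=Ops,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: UID=user.1, ou=People, dc=example,
 dc=com

dn: cn=Retired,ou=Groups,dc=example,dc=com
objectClass: groupOfEntries
"""
```

Calling groups_for(parse_ldif(SAMPLE), "uid=user.1,ou=People,dc=example,dc=com") returns both the groupOfNames and the groupOfUniqueNames group, and empty_groups returns the memberless groupOfEntries entry.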