Creating nested groups
PingDirectory server supports nested groups, in which the distinguished name (DN) of an entry that defines a group is included as a member of the parent group entry.
About this task
The following example shows a nested static group, cn=Engineering Group, whose uniquemember attributes hold the DNs of other groups (cn=Developers and cn=QA in the LDIF below). A user who is a member of either of those groups is, through nesting, also a member of cn=Engineering Group.

dn: cn=Engineering Group,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
uniquemember: cn=QA,ou=Groups,dc=example,dc=com
By default, nested group support is enabled on the PingDirectory server.
The PingDirectory server uses a group cache to support nested groups without a significant performance cost. The cache supports static groups that nest other static, virtual static, and dynamic groups. The server exposes a monitor entry for the group cache at cn=Group Cache,cn=Monitor.
In practice, nested groups are not commonly used, for the following reasons:
- LDAP specifications do not directly address the concept of nested groups, and some servers do not provide any level of support for them.
- Supporting nested groups in LDAP clients is not trivial, and many PingDirectory server-enabled applications that can interact with groups do not provide any support for nesting.
Disable this support if:
To create nested static groups:
Steps
- Open a text editor, and create a group entry in LDIF.
- Include the groupOfUniqueNames object class and uniquemember attributes.
- If you do not already have ou=groups set up in your server, add it in the same file.
- Save the file as nested-group.ldif. Assume that the static groups referenced by the uniquemember values, cn=Developers and cn=QA, have already been configured.
  Example:
  The following example shows how to set up a nested static group, which is a static group whose uniquemember attribute values are the DNs of other groups (static, virtual static, or dynamic).

  dn: ou=groups,dc=example,dc=com
  objectclass: top
  objectclass: organizationalUnit
  ou: groups

  dn: cn=Engineering Group,ou=groups,dc=example,dc=com
  objectclass: top
  objectclass: groupOfUniqueNames
  cn: Engineering Group
  uniquemember: cn=Developers,ou=groups,dc=example,dc=com
  uniquemember: cn=QA,ou=groups,dc=example,dc=com
- To add the group entry, use ldapmodify. The --defaultAdd option treats records that have no changetype as add operations.
  Example:
  $ bin/ldapmodify --defaultAdd --filename nested-group.ldif
- Verify the configuration using the isMemberOf virtual attribute, which reports the groups an entry belongs to, including membership obtained through nesting. The virtual attribute is enabled by default. Because isMemberOf is an operational attribute, the server does not return it unless you request it explicitly: use ldapsearch and name isMemberOf in the attribute list to determine whether uid=user.14 is a member of the cn=Development group.
  Example:
  In this example, assume that the administrator has the privilege to view operational attributes.
  $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isMemberOf
  dn: uid=user.14,ou=People,dc=example,dc=com
  isMemberOf: cn=Development,ou=groups,dc=example,dc=com
- In a text editor, create an access control instruction (ACI) in LDIF and save the file as eng-group-aci.ldif. Use the group in the groupdn bind rule of the ACI, so that the permission applies to every member of cn=Engineering Group, including users who belong to it only through a nested group. Note that the negated targetattr (!= "cn || sn || uid") grants write access to every attribute that is not listed, including sensitive ones such as userPassword and any attribute added to the schema later; in production, list the attributes the group actually needs to modify instead.
  Example:
  dn: ou=People,dc=example,dc=com
  changetype: modify
  add: aci
  aci: (target ="ldap:///ou=People,dc=example,dc=com") (targetattr != "cn || sn || uid") (targetfilter ="(ou=Engineering Group)") (version 3.0; acl "Engineering Group Permissions"; allow (write) (groupdn = "ldap:///cn=Engineering Group,ou=groups,dc=example,dc=com");)
- Add the file using the ldapmodify tool.
  Example:
  $ bin/ldapmodify --filename eng-group-aci.ldif
When nesting dynamic groups, you cannot include other groups as members of a dynamic group. You can only support nesting by including the members of another group through a filter in the member URL. For example, if you have two groups, cn=dynamic1 and cn=dynamic2, you can nest one group in the other by referencing it with an isMemberOf filter in the member URL:

dn: cn=dynamic1,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??sub?(isMemberOf=cn=dynamic2,ou=groups,dc=example,dc=com)

Members included from the other group by this method are not considered nested members: the server treats them as direct members of cn=dynamic1, so they are returned even when you retrieve the members using isDirectMemberOf.
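The membership rules described on this page (static groups nesting other groups, a dynamic group nesting another through an isMemberOf filter in its memberURL, and the difference between what isMemberOf and isDirectMemberOf report) are what a client has to reproduce when it resolves nested groups itself, which is the "not trivial" part noted above. The following Python is an added example, not PingDirectory code and not the server's own algorithm: it reads a constructed LDIF sample, expands static nesting with cycle protection, evaluates the single-equality memberURL filters the page uses, and exposes member_of and direct_member_of as the client-side counterparts of the two virtual attributes. The sample entries, the departmentNumber filter on cn=dynamic2, and the deliberate cycle between cn=QA and cn=Engineering Group are all assumptions made for the example.

```python
"""Client-side resolution of nested groups from LDIF (added example, not
PingDirectory code). Filters are limited to one equality or presence assertion,
which is all the page's memberURL examples use."""
from __future__ import annotations
import re

# Constructed sample directory (not from the page). cn=QA nests
# cn=Engineering Group back, forming a cycle the resolver must terminate on.
SAMPLE_LDIF = """\
dn: uid=user.14,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
departmentNumber: 42

dn: uid=user.3,ou=People,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=Developers,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=user.14,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=user.3,ou=People,dc=example,dc=com
uniqueMember: cn=Engineering Group,ou=groups,dc=example,dc=com

dn: cn=Engineering Group,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=Developers,ou=groups,dc=example,dc=com
uniqueMember: cn=QA,ou=groups,dc=example,dc=com

dn: cn=dynamic2,ou=groups,dc=example,dc=com
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??sub?(departmentNumber=42)

dn: cn=dynamic1,ou=groups,dc=example,dc=com
objectClass: groupOfURLs
memberURL: ldap:///dc=example,dc=com??sub?(isMemberOf=cn=dynamic2,ou=groups,dc=example,dc=com)
"""

GROUP_CLASSES = {"groupofuniquenames", "groupofnames", "groupofurls"}

def norm_dn(dn: str) -> str:
    # Case-fold and strip RDN spacing so DNs compare the way the server compares them.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    # Minimal LDIF reader: blank-line separated entries of "attr: value" lines.
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: dict[str, list[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def is_group(entry: dict[str, list[str]]) -> bool:
    return bool(GROUP_CLASSES & {v.lower() for v in entry.get("objectclass", [])})

def parse_member_url(url: str) -> tuple[str, str, str]:
    # ldap:///base?attrs?scope?filter -> (base, scope, filter), with LDAP URL defaults.
    base, _attrs, scope, filt = (url[len("ldap:///"):].split("?", 3) + [""] * 3)[:4]
    return norm_dn(base), scope or "base", filt or "(objectClass=*)"

def in_scope(dn: str, base: str, scope: str) -> bool:
    if scope == "base":
        return dn == base
    if scope == "one":
        return "," in dn and dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)

def matches(entries, dn, filt, stack) -> bool:
    # Evaluate (attr=value) or (attr=*); isMemberOf is computed, not stored on the entry.
    m = re.fullmatch(r"\((\w+)=(.+)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.group(1).lower(), m.group(2)
    if attr == "ismemberof":
        return norm_dn(value) in member_of(entries, dn, stack)
    if value == "*":
        return attr in entries[dn]
    return value.lower() in (v.lower() for v in entries[dn].get(attr, []))

def direct_members(entries, group_dn, stack=frozenset()) -> set[str]:
    # Static groups: uniqueMember/member values. Dynamic groups: entries matching
    # memberURL. Nothing is expanded here, so nested groups appear as member DNs.
    entry = entries[group_dn]
    members = {norm_dn(v) for a in ("uniquemember", "member") for v in entry.get(a, [])}
    for url in entry.get("memberurl", []):
        base, scope, filt = parse_member_url(url)
        members |= {dn for dn in entries if dn != group_dn
                    and in_scope(dn, base, scope) and matches(entries, dn, filt, stack)}
    return members

def effective_members(entries, group_dn, stack=frozenset()) -> set[str]:
    # Users reachable through any chain of nested groups. `stack` holds the groups
    # being expanded right now, so a cycle (A nests B nests A) ends instead of looping.
    if group_dn in stack:
        return set()
    stack = stack | {group_dn}
    users: set[str] = set()
    for dn in direct_members(entries, group_dn, stack):
        if dn in entries and is_group(entries[dn]):
            users |= effective_members(entries, dn, stack)
        else:
            users.add(dn)
    return users

def member_of(entries, user_dn, stack=frozenset()) -> set[str]:
    # Client-side equivalent of isMemberOf: groups joined directly or through nesting.
    return {g for g, e in entries.items()
            if is_group(e) and user_dn in effective_members(entries, g, stack)}

def direct_member_of(entries, user_dn) -> set[str]:
    # Client-side equivalent of isDirectMemberOf. A user pulled into cn=dynamic1 by
    # its isMemberOf memberURL filter counts as a direct member, matching the page.
    return {g for g, e in entries.items() if is_group(e) and user_dn in direct_members(entries, g)}
```

Running member_of and direct_member_of over the sample for uid=user.14 shows the distinction the page draws: the user is a member of cn=Engineering Group only through cn=Developers, so it appears in member_of but not direct_member_of, while cn=dynamic1 appears in both because memberURL-derived members are direct. The cycle between cn=QA and cn=Engineering Group resolves without recursion errors because each expansion path tracks the groups it has already entered.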