PingDirectory

Creating nested groups

PingDirectory server supports nested groups where the distinguished name (DN) of an entry that defines a group is included as a member in the parent entry.

About this task

The following example shows a nested static group, such as cn=Engineering Group, that has uniquemember attributes consisting of other groups, such as cn=Developers Group and the cn=QA Group respectively.

dn: cn=Engineering Group,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
uniquemember: cn=QA,ou=Groups,dc=example,dc=com

By default, nested group support is enabled on the PingDirectory server.

The PingDirectory server uses a group cache to support nested groups without the performance hit. The cache supports static group nesting that includes other static, virtual static, and dynamic groups. The server provides a new monitoring entry for the group cache, cn=Group Cache,cn=Monitor.

In practice, nested groups are not commonly used for the following reasons:

  • LDAP specifications do not directly address the concept of nested groups, and some servers do not provide any level of support for them.

  • Supporting nested groups in LDAP clients is not trivial, and many PingDirectory server-enabled applications that can interact with groups do not provide any support for nesting.

Disable this support if:

  • Nesting support is not needed in your environment.

  • Nesting support is only required for clients but is not needed for server-side evaluation, such as for groups used in access control rules, criteria, virtual attributes, or other ways that the server might need to make a membership determination.

To create nested static groups:

Steps

  1. Open a text editor, and create a group entry in LDIF.

    1. Include the groupOfUniquenames object class and uniquemember attributes.

    2. If you did not have ou=groups set up in your server, then add it in the same file.

    3. Save the file as nested-group.ldif.

      Assume that the static groups, cn=Developers Group and cn=QA Group, have been configured.

      Example:

      The following example shows how to set up a nested static group, which is a static group that contains uniquemember attributes whose values contain other groups (static, virtual static, or dynamic).

      dn: ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: groups
      
      dn: cn=Engineering Group,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: Engineering Group
      uniquemember: cn=Developers,ou=groups,dc=example,dc=com
      uniquemember: cn=QA,ou=groups,dc=example,dc=com
  2. To add the group entry, use ldapmodify.

    Example:

    $ bin/ldapmodify --defaultAdd --filename nested-static-group.ldif
  3. Using the isMemberOf virtual attribute that checks the group membership for an entry, verify the configuration.

    By default, the virtual attribute is enabled. Use ldapsearch to specifically search the isMemberOf virtual attribute to determine if uid=user.14 is a member of the cn=Development group.

    Example:

    In this example, assume that the administrator has the privilege to view operational attributes.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isMemberOf
    
    dn: uid=user.14,ou=People,dc=example,dc=com
    isMemberOf: cn=Development,ou=groups,dc=example,dc=com
  4. In a text editor, create an Access control instruction (ACI) in LDIF. Save the file as eng-group-aci.ldif.

    Use the group as a target in ACI.

    Example:

    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target ="ldap:///ou=People,dc=example,dc=com")
      (targetattr != "cn || sn || uid")
      (targetfilter ="(ou=Engineering Group)")
      (version 3.0; acl "Engineering Group Permissions";
        allow (write) (groupdn = "ldap:///cn=Engineering Group,ou=groups,dc=example,dc=com");)
  5. Add the file using the ldapmodify tool.

    Example:

    $ bin/ldapmodify --filename eng-group-aci.ldif

    When nesting dynamic groups, you cannot include other groups as members of a dynamic group. You can only support nesting by including the members of another group with a filter in the member URL. For example, if you have two groups, cn=dynamic1 and cn=dynamic2, you can nest one group in another by specifying it in the member URL.

    cn=dynamic1,ou=groups,dc=example,dc=com
    objectClass: top
    objectClass: groupOfURLs
    memberURL: ldap:///dc=example,dc=com??sub?(isMemberOf=cn=dynamic2,ou=groups,dc=example,dc=com)

    The members included from the other group using this method are not considered nested members and are returned even when using isDirectMemberOf when retrieving the members.