Creating static groups
You can create a static group from an LDIF file. A static group stores its membership as an explicit list of distinguished names (DNs), one DN per value of the uniquemember attribute.
Creating a static group
About this task
To create a static group:
Steps
- Open a text editor and create a group entry in LDIF.
  - Include the groupOfUniqueNames object class and one uniquemember attribute value for each member DN.
  - Optional: If ou=groups is not yet set up in your server, add it in the same file. Separate entries with a blank line.
  - Save the file.
  Example:
  In the following example, the file is named static-group.ldif. It creates two groups, cn=Development and cn=QA, under ou=groups:

  dn: ou=groups,dc=example,dc=com
  objectclass: top
  objectclass: organizationalunit
  ou: groups

  dn: cn=Development,ou=groups,dc=example,dc=com
  objectclass: top
  objectclass: groupOfUniqueNames
  cn: Development
  ou: groups
  uniquemember: uid=user.14,ou=People,dc=example,dc=com
  uniquemember: uid=user.91,ou=People,dc=example,dc=com
  uniquemember: uid=user.180,ou=People,dc=example,dc=com

  dn: cn=QA,ou=groups,dc=example,dc=com
  objectclass: top
  objectclass: groupOfUniqueNames
  cn: QA
  ou: groups
  uniquemember: uid=user.0,ou=People,dc=example,dc=com
  uniquemember: uid=user.1,ou=People,dc=example,dc=com
  uniquemember: uid=user.2,ou=People,dc=example,dc=com
- To add the group entries to the server, use the ldapmodify tool. The --defaultAdd option treats each LDIF record that has no changetype as an add.
  Example:
  $ bin/ldapmodify --defaultAdd --filename static-group.ldif
- To verify the configuration, use the isDirectMemberOf virtual attribute, which reports the groups in which a user is listed directly (nested membership is not followed). The virtual attribute is disabled by default; enable it with dsconfig.
  Example:
  $ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
- To determine whether a user is a member of a given group, use ldapsearch to request the isDirectMemberOf virtual attribute. It is an operational attribute, so it is returned only when requested by name, and the bound account must have the privilege to view operational attributes.
  Example:
  This example asks whether uid=user.14 is a member of the cn=Development group.
  $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf
  Result:
  dn: uid=user.14,ou=People,dc=example,dc=com
  isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
- Use the group as a target in access control instructions (ACIs).
  - Open a text editor and create an aci attribute in an LDIF file.
  - Save the file.
  - To add the file, use the ldapmodify tool.
  Example:
  In this example, the file is named dev-group-aci.ldif. The ACI allows members of cn=Development to write every attribute except cn, sn and uid on entries under ou=People that match the filter (ou=Development):

  dn: ou=People,dc=example,dc=com
  changetype: modify
  add: aci
  aci: (target="ldap:///ou=People,dc=example,dc=com") (targetattr != "cn || sn || uid") (targetfilter="(ou=Development)") (version 3.0; acl "Dev Group Permissions"; allow (write) (groupdn="ldap:///cn=Development,ou=groups,dc=example,dc=com");)

  Note that a negated targetattr grants write access to every attribute that is not listed, including attributes added to those entries later and sensitive ones such as userPassword unless the server restricts them separately. If the group only needs to maintain a few attributes, list them explicitly instead (for example, targetattr="telephoneNumber || description", an illustrative choice).
  A similar ACI can be written for the cn=QA group created in step 1; it is not shown here.
  $ bin/ldapmodify --filename dev-group-aci.ldif
Adding a new member to a static group
Steps
- To add a new member to the group, add a new value of the uniquemember attribute that holds the DN of the new user, then apply the file with ldapmodify. DN matching is case-insensitive, so ou=Groups in this record refers to the ou=groups entry created earlier.
  Example:
  This example adds uid=user.4 as a uniquemember of cn=QA.

  dn: cn=QA,ou=Groups,dc=example,dc=com
  changetype: modify
  add: uniquemember
  uniquemember: uid=user.4,ou=People,dc=example,dc=com
Removing a member from a static group
Steps
- To remove a member from a static group, delete that user's DN from the uniquemember attribute, then apply the file with ldapmodify. The server rejects the delete if the value is not present.
  Example:
  This example removes the DN of uid=user.1 from cn=QA.

  dn: cn=QA,ou=Groups,dc=example,dc=com
  changetype: modify
  delete: uniquemember
  uniquemember: uid=user.1,ou=People,dc=example,dc=com
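The following Python script is an added example and is not part of this page or of the server's tools. It takes the static-group.ldif group entries and the two modify records above as constructed sample input, applies the add and the delete the way ldapmodify would, and answers the same question as the isDirectMemberOf search, comparing DNs case-insensitively so that the ou=Groups spelling in the modify records matches the ou=groups entry. The function names and error messages are the example's own; the numeric codes in the comments are the LDAP result codes a server returns for those failures.

```python
import re

# Constructed sample input: the two group entries from static-group.ldif.
STATIC_GROUP_LDIF = """\
dn: cn=Development,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Development
ou: groups
uniquemember: uid=user.14,ou=People,dc=example,dc=com
uniquemember: uid=user.91,ou=People,dc=example,dc=com
uniquemember: uid=user.180,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
ou: groups
uniquemember: uid=user.0,ou=People,dc=example,dc=com
uniquemember: uid=user.1,ou=People,dc=example,dc=com
uniquemember: uid=user.2,ou=People,dc=example,dc=com
"""
# Constructed sample input: the add and delete modify records on this page.
MODIFY_LDIF = """\
dn: cn=QA,ou=Groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: uid=user.4,ou=People,dc=example,dc=com

dn: cn=QA,ou=Groups,dc=example,dc=com
changetype: modify
delete: uniquemember
uniquemember: uid=user.1,ou=People,dc=example,dc=com
"""

def normalize_dn(dn):
    """Canonical form for comparison: attribute types and these values match
    case-insensitively and whitespace around RDN separators is insignificant,
    so ou=Groups and ou=groups name the same entry."""
    return ",".join(r.strip().lower() for r in re.split(r"(?<!\\),", dn))

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])].  Handles folded lines (leading
    space), comments (#) and the '-' separator; base64 (::) is not decoded."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#") or raw.strip() == "-":
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation line
            else:
                lines.append(raw)
        attrs = [(n.strip().lower(), v.strip())
                 for n, _, v in (line.partition(":") for line in lines)]
        dn = next(v for a, v in attrs if a == "dn")
        records.append((dn, [(a, v) for a, v in attrs if a != "dn"]))
    return records

def load_groups(records):
    """Map normalized group DN -> {"dn": as written, "members": normalized
    member DNs} for every entry carrying the groupOfUniqueNames class."""
    groups = {}
    for dn, attrs in records:
        if "groupofuniquenames" in {v.lower() for a, v in attrs if a == "objectclass"}:
            members = {normalize_dn(v) for a, v in attrs if a == "uniquemember"}
            groups[normalize_dn(dn)] = {"dn": dn, "members": members}
    return groups

def apply_modifies(groups, records):
    """Apply add/delete of uniquemember values, failing like a server would:
    duplicate add is attributeOrValueExists (20), absent delete is noSuchAttribute (16)."""
    for dn, attrs in records:
        if ("changetype", "modify") not in [(a, v.lower()) for a, v in attrs]:
            continue
        group = groups[normalize_dn(dn)]      # KeyError ~ noSuchObject (32)
        op = None
        for a, v in attrs:
            if a in ("add", "delete"):
                op = a                        # applies until the next mod spec
            elif a == "uniquemember" and op == "add":
                if normalize_dn(v) in group["members"]:
                    raise ValueError(f"attributeOrValueExists: {v}")
                group["members"].add(normalize_dn(v))
            elif a == "uniquemember" and op == "delete":
                if normalize_dn(v) not in group["members"]:
                    raise ValueError(f"noSuchAttribute: {v}")
                group["members"].remove(normalize_dn(v))
    return groups

def is_direct_member_of(groups, user_dn):
    """Offline equivalent of the isDirectMemberOf virtual attribute: DNs of
    the groups whose uniquemember list names this user (nesting ignored)."""
    target = normalize_dn(user_dn)
    return sorted(g["dn"] for g in groups.values() if target in g["members"])

if __name__ == "__main__":
    groups = load_groups(parse_ldif(STATIC_GROUP_LDIF))
    apply_modifies(groups, parse_ldif(MODIFY_LDIF))
    print(is_direct_member_of(groups, "uid=user.4, OU=People, dc=example, dc=com"))
```

Running the script prints the QA group for user.4 after both modifications have been applied. Applying the same modify file a second time raises attributeOrValueExists on the add, which is the failure a provisioning job has to expect when it re-sends a membership change that already took effect.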