PingDirectory

Creating virtual static groups

If your application only supports static groups but has scalability issues, using a virtual static group is a possible solution.

About this task

A virtual static group uses a virtual attribute that is dynamically generated when called after which the operations that determine group membership are passed to another group, such as a dynamic group. You must use the ds-virtual-static-group object class and the ds-target-group-dn virtual attribute.

Virtual static groups are best used when determining if a single user is a member of a group. Do not use it if an application accesses the full list of group members because of the performance expense at constructing the list.

If you have a small database and an application that requires that the full membership list be returned, enable the allow-retrieving-membership property for the Virtual Static uniqueMember virtual attribute using the dsconfig tool.

To create a virtual static group:

Steps

  1. In a text editor, create a group entry in LDIF, and then save the file.

    Example:

    In this example, the entry contains the groupOfUniqueNames object class, but in place of the uniquemember attribute is the ds-target-group-dn virtual attribute, which is part of the ds-virtual-static-group auxiliary object class.

    In this example, the file is named add-virtual-static-group.ldif.

    dn: cn=virtualstatic,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
objectclass: ds-virtual-static-group
ou: groups
cn: virtual static
ds-target-group-dn: cn=eng-staff,ou=groups,dc=example,dc=com

  2. To add the virtual static group entry to the server, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify -h server1.example.com -p 389 -D "uid=admin,dc=example,dc=com" \
  -w password -a -f add-virtual-static-group.ldif

  3. To enable the Virtual Static uniqueMember attribute, use the set-virtual-attribute-prop option with dsconfig.

    This attribute is disabled by default.

    Example:

    $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
  --set enabled:true

  4. To determine if a user is part of a virtual static group, use ldapsearch.

    Example:

    In Creating dynamic groups, the example sets up uid=user.0 to be part of the cn=eng-staff dynamic group. This example determines if uid=user.0 is part of the virtual static group using the isMemberOf virtual attribute.

    $ bin/ldapsearch -h server1.example.com -p 389 -D "cn=Directory Manager" \
  -w secret -b dc=example,dc=com" "(uid=user.0)" isMemberOf

    Example:

    The following example determines if uid=user.0 is part of the virtual static group without using the isMemberOf virtual attribute in the ldapsearch.

    $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \
  "(&(objectclass=groupOfUniqueNames) \
  (uniquemember=uid=user.0,ou=People,dc=example,dc=com))"

    Result:

    Using the isMemberOf virtual attribute returns the following.

    dn: uid=user.0,ou=People,dc=example,dc=com
isMemberOf: cn=virtualstatic,ou=groups,dc=example,dc=com
isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com

    You should see the returned cn=virtualstatic entry if successful.

  5. Optional: To try searching for a user that is not part of the cn=eng-staff dynamic group, use ldapsearch.

    Example:

    This example searches for uid=user.20.

    $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \
  "(&(objectclass=groupOfUniqueNames) \
  (uniquemember=uid=user.20,ou=People,dc=example,dc=com))"

    Result:

    No entries are returned.