Creating virtual static groups
If your application only supports static groups but has scalability issues, using a virtual static group is a possible solution.
About this task
A virtual static group uses a virtual attribute that is generated dynamically when it is read; the operations that determine group membership are then passed to another group, such as a dynamic group. You must use the ds-virtual-static-group object class and the ds-target-group-dn virtual attribute.
Virtual static groups are best used to determine whether a single user is a member of a group. Do not use one if an application retrieves the full list of group members, because constructing that list is expensive.
If you have a small database and an application that requires that the full membership list be returned, enable the |
To create a virtual static group:
Steps
-
In a text editor, create a group entry in LDIF, and then save the file.
Example:
In this example, the entry contains the groupOfUniqueNames object class, but in place of the uniquemember attribute is the ds-target-group-dn virtual attribute, which is part of the ds-virtual-static-group auxiliary object class. In this example, the file is named add-virtual-static-group.ldif.
dn: cn=virtualstatic,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
objectclass: ds-virtual-static-group
ou: groups
cn: virtualstatic
ds-target-group-dn: cn=eng-staff,ou=groups,dc=example,dc=com
-
To add the virtual static group entry to the server, use the ldapmodify tool.
Example:
$ bin/ldapmodify -h server1.example.com -p 389 -D "uid=admin,dc=example,dc=com" \
  -w password -a -f add-virtual-static-group.ldif
-
To enable the Virtual Static uniqueMember attribute, use the set-virtual-attribute-prop option with dsconfig. This attribute is disabled by default.
Example:
$ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
  --set enabled:true
-
To determine if a user is part of a virtual static group, use ldapsearch.
Example:
In Creating dynamic groups, the example sets up uid=user.0 to be part of the cn=eng-staff dynamic group. This example determines if uid=user.0 is part of the virtual static group using the isMemberOf virtual attribute.
$ bin/ldapsearch -h server1.example.com -p 389 -D "cn=Directory Manager" \
  -w secret -b "dc=example,dc=com" "(uid=user.0)" isMemberOf
Example:
The following example determines if uid=user.0 is part of the virtual static group without using the isMemberOf virtual attribute in the ldapsearch.
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \
  "(&(objectclass=groupOfUniqueNames)(uniquemember=uid=user.0,ou=People,dc=example,dc=com))"
Result:
Using the isMemberOf virtual attribute returns the following.
dn: uid=user.0,ou=People,dc=example,dc=com
isMemberOf: cn=virtualstatic,ou=groups,dc=example,dc=com
isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
The search against the group entry returns the cn=virtualstatic entry if the user is a member.
-
Optional: To try searching for a user that is not part of the cn=eng-staff dynamic group, use ldapsearch.
Example:
This example searches for uid=user.20.
$ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \
  "(&(objectclass=groupOfUniqueNames)(uniquemember=uid=user.20,ou=People,dc=example,dc=com))"
Result:
No entries are returned.
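The following Python model, added here and not part of the PingDirectory documentation, shows the delegation the steps above rely on: the virtual static group stores no members, so a membership question for cn=virtualstatic is forwarded to the cn=eng-staff dynamic group named in ds-target-group-dn, and isMemberOf reports both groups. The directory entries are constructed, and the eng-staff memberURL filter (ou=Engineering) is an assumption, since the page names that dynamic group without showing its definition.

```python
# Added example, not from the PingDirectory documentation: a model of how a virtual static
# group answers "is this user a member?" by delegating to its ds-target-group-dn.
# The entries are constructed; eng-staff's memberURL filter (ou=Engineering) is an assumption.
import re
from urllib.parse import unquote

DIRECTORY = {  # constructed: two users, the eng-staff dynamic group, the page's virtual static group
    "uid=user.0,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "ou": ["Engineering"]},
    "uid=user.20,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "ou": ["Sales"]},
    "cn=eng-staff,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfURLs"],
        "memberurl": ["ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)"]},
    "cn=virtualstatic,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames", "ds-virtual-static-group"],
        "ds-target-group-dn": ["cn=eng-staff,ou=groups,dc=example,dc=com"]},
}

def norm_dn(dn):
    """Lower-case and strip spaces around commas so DNs compare the way the server compares them."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def lookup(dn):
    return next(e for d, e in DIRECTORY.items() if norm_dn(d) == norm_dn(dn))

def matches_filter(entry, flt):
    """Evaluate a single RFC 4515 equality assertion such as (ou=Engineering)."""
    attr, _, value = flt.strip()[1:-1].partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def is_member(user_dn, group_dn):
    """True if user_dn is in group_dn; a virtual static group stores no members and asks its target."""
    group = lookup(group_dn)
    classes = {c.lower() for c in group["objectclass"]}
    if "ds-virtual-static-group" in classes:
        return any(is_member(user_dn, t) for t in group["ds-target-group-dn"])
    if "groupofurls" in classes:  # dynamic group: user must sit under the URL base and match its filter
        for url in group["memberurl"]:
            base, _attrs, _scope, flt = url[len("ldap:///"):].split("?")  # scope assumed to be sub
            if norm_dn(user_dn).endswith("," + norm_dn(unquote(base))) and matches_filter(lookup(user_dn), flt):
                return True
        return False
    return norm_dn(user_dn) in {norm_dn(m) for m in group.get("uniquemember", [])}  # plain static group

def is_member_of(user_dn):
    """The isMemberOf values the server would return for user_dn (compare the page's Result)."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if {"groupofuniquenames", "groupofurls", "ds-virtual-static-group"}
                  & {c.lower() for c in e["objectclass"]} and is_member(user_dn, dn))
```

Because the check is delegated, a user who later stops matching the dynamic group's filter drops out of the virtual static group immediately, with no static member list to update.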