PingDirectory

Using inverted static groups with applications

If an application is configured to work with a traditional static group, and you convert that group to an inverted static group, you can use the Traditional Static Group Support for Inverted Static Groups plugin.

About this task

You might encounter some issues related to differences in the way that inverted static groups and traditional static groups manage membership. The Traditional Static Group Support for Inverted Static Groups plugin, which is disabled by default, provides the following support for treating inverted static groups as if they were traditional static groups:

  • Intercepts attempts to add or remove member values and converts them into modify operations of the ds-member-of-inverted-static-group-dn attribute in the corresponding user entries.

  • Generates a member virtual attribute to handle certain kinds of membership queries.

    The virtual attribute can handle attempts to determine whether the group has a specific member. You can optionally generate the attribute with the entire member list, but this can be computationally expensive, depending on the size of the group.

    The virtual attribute only works for compare and baseObject searches. It won’t work for subtree searches that try to find all groups in which a user is a member.

Steps

  • To enable the Traditional Static Group Support for Inverted Static Groups plugin, enter the following command:

    dsconfig set-plugin-prop --plugin-name "Traditional Static Group Support for Inverted Static Groups" --set enabled:true