Creating inverted static groups
You can create an inverted static group to mitigate performance losses associated with a static group that has a large member list.
About this task
To create an inverted static group, do the following:
Steps
-
Open a text editor and create a group entry in LDIF:
-
Include the
ds-inverted-static-groupobject class. -
If you don’t have
ou=groupsset up in your server, add it in the same file. -
Save the file.
Example:
This example LDIF file,
inverted-static-group.ldif, creates one group,cn=Example Inverted Static Group.dn: cn=Example Inverted Static Group,ou=groups,dc=example,dc=com objectclass: top objectclass: ds-inverted-static-group cn: Example Inverted Static Group ou: groups
-
-
To add the group entries to the server, use the
ldapmodifytool.Example:
$ bin/ldapmodify --defaultAdd --filename inverted-static-group.ldif
Adding or removing inverted static group members
Steps
-
To add a member to the group, in the member entry, add the DN of the inverted static group to the DN of the
ds-member-of-inverted-static-group-dnattribute.Example:
dn: uid=gwashington,ou=people,dc=example,dc=com changetype: modify add: ds-member-of-inverted-static-group-dn ds-member-of-inverted-static-group-dn: cn=Example Inverted Static Group,ou=groups,dc=example,dc=com
-
To remove a member from the group, in the member entry, delete the DN of the inverted static group from the
ds-member-of-inverted-static-group-dnattribute by changing the previous operation fromaddtodelete.
Using nesting with inverted static groups
Inverted static groups use a unique attribute for nesting other groups as members within the inverted static group.
Before you begin
You must have the distinguished name (DN) of the nested group that you are adding to the inverted static group. For example, cn=Group to
Nest,ou=groups,dc=example,dc=com.
About this task
When configuring nesting within a traditional static group, you add both users and groups to the group entry by defining member or uniqueMember attributes with their DNs. Although this is simple, it doesn’t allow you to systematically distinguish between the group’s individual user members and the members that are actually nested groups.
Inverted static groups make this distinction by storing the nested group member in a unique attribute. Instead of providing the DN of the parent group to the nested group entry, you provide the nested group’s DN to the parent group.
Steps
-
To add a nested group to an inverted static group, add the value of the nested group’s DN to the
ds-nested-group-dn attributein the inverted static group entry.Example:
dn: cn=Example Inverted Static Group,ou=groups,dc=example,dc=com changetype: modify add: ds-nested-group-dn ds-nested-group-dn: cn=Group to Nest,ou=groups,dc=example,dc=com