PingDirectory

Using nesting with inverted static groups

Inverted static groups use a unique attribute for nesting other groups as members within the inverted static group.

Before you begin

You must have the distinguished name (DN) of the nested group that you are adding to the inverted static group. For example, cn=Group to Nest,ou=groups,dc=example,dc=com.

About this task

When configuring nesting within a traditional static group, you add both users and groups to the group entry by defining member or uniqueMember attributes with their DNs. Although this is simple, it doesn’t allow you to systematically distinguish between the group’s individual user members and the members that are actually nested groups.

Inverted static groups make this distinction by storing the nested group member in a unique attribute. Instead of providing the DN of the parent group to the nested group entry, you provide the nested group’s DN to the parent group.

Steps

  • To add a nested group to an inverted static group, add the value of the nested group’s DN to the ds-nested-group-dn attribute in the inverted static group entry.

    Example:

    dn: cn=Example Inverted Static Group,ou=groups,dc=example,dc=com
    changetype: modify
    add: ds-nested-group-dn
    ds-nested-group-dn: cn=Group to Nest,ou=groups,dc=example,dc=com
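
    A pre-change review of this modification, as an added example that is not part of the PingDirectory documentation: the script reads an LDIF export of group entries, follows ds-nested-group-dn values, and reports every group that adding the nested group would bring under the parent, flagging a nesting loop. The sample export, the "Inner Group" entry, the function names, and the simplified DN comparison are assumptions made for illustration.

```python
import re

# Constructed sample export of group entries (not taken from a real directory).
SAMPLE_LDIF = """\
dn: cn=Example Inverted Static Group,ou=groups,dc=example,dc=com

dn: cn=Group to Nest,ou=groups,dc=example,dc=com
ds-nested-group-dn: cn=Inner Group,ou=groups,dc=example,dc=com

dn: cn=Inner Group,ou=groups,dc=example,dc=com
"""

def norm_dn(dn):
    """Simplified DN comparison form: trims spaces, lowercases; no escaped commas."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join("=".join(s.strip() for s in r.split("=", 1)) for r in rdns).lower()

def parse_nesting(ldif_text):
    """Map each entry DN to its ds-nested-group-dn values (no base64 or folded lines)."""
    graph = {}
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        dn, nested = None, set()
        for line in record.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = norm_dn(value)
            elif name.lower() == "ds-nested-group-dn":
                nested.add(norm_dn(value))
        if dn:
            graph[dn] = nested
    return graph

def nested_closure(graph, start):
    """Every group reachable from start through ds-nested-group-dn; safe on loops."""
    seen, stack = set(), [norm_dn(start)]
    while stack:
        for child in graph.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def review_add(graph, parent, nested):
    """Report what adding `nested` to `parent` pulls in and whether it loops back."""
    p, n = norm_dn(parent), norm_dn(nested)
    pulled = {n} | nested_closure(graph, n)
    return {"pulled_in": sorted(pulled), "creates_cycle": p in pulled}

if __name__ == "__main__":
    print(review_add(parse_nesting(SAMPLE_LDIF), "cn=Example Inverted Static Group,ou=groups,dc=example,dc=com", "cn=Group to Nest,ou=groups,dc=example,dc=com"))
```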