PingDirectory

Searching dynamic groups

The following sections describe how to compose searches to determine if a user is a member of a dynamic group, to determine all the dynamic groups in which a user is a member, and to determine all the members of a dynamic group.

Determining if a user is a dynamic group member

Steps

  • To determine whether a user is a member of a specific dynamic group, run a base-level search to verify that the user’s entry is both within the scope of the member URL and matches the filter contained in that URL.

    You can verify that a user’s entry is within the scope of the URL with simple client-side processing alone. Evaluating the filter against the entry on the client side is more complicated. Although it is possible, especially in clients that can perform schema-aware evaluation, a simpler alternative is to perform a base-level search for the user’s entry using the filter contained in the member URL.

    Example:

    This table contains the search criteria to determine if the user uid=john.doe,ou=People,dc=example,dc=com is a member of the dynamic group with the desired member URL.

    Base DN               uid=john.doe,ou=People,dc=example,dc=com
    Scope                 base
    Filter                (ou=Engineering)
    Requested Attributes  1.1

    Example:

    $ bin/ldapsearch --baseDN "uid=john.doe,ou=People,dc=example,dc=com" \
      --searchScope base "(ou=Engineering)" "1.1"

    For the user to be a member, the user DN must be under the search base defined in the memberURL attribute.

    Result:

    If the search returns an entry, then the user is a member of the specified group. If the search does not return any entries, then the user is not a member of the group.

Determining the dynamic groups to which a user belongs

Steps

  • To determine the set of all dynamic groups in which a user is a member, perform a subtree search with a filter of (objectClass=groupOfURLs) to find all dynamic group entries defined in the server.

    You should retrieve the memberURL attribute so that you can use the logic described in the previous section to determine whether the specified user is a member of each of those groups.

    Example:

    The following table contains the search criteria to determine the set of all dynamic groups defined in the dc=example,dc=com tree.

    Base DN               dc=example,dc=com
    Scope                 sub
    Filter                (objectClass=groupOfURLs)
    Requested Attributes  memberURL

    Example:

    $ bin/ldapsearch --baseDN "dc=example,dc=com" \
      --searchScope sub "(objectClass=groupOfURLs)" "memberURL"

    Result:

    Each entry returned is a dynamic group definition. You can use the base, scope, and filter of its memberURL attribute to determine whether the user is a member of that dynamic group.

Determining the members of a dynamic group

Steps

  • To determine all members of a dynamic group, issue a search using the base, scope, and filter of the member URL.

    The set of requested attributes should reflect the attributes desired from the member user entries or "1.1" if no attributes are needed.

    Example:

    This table contains the search criteria to retrieve the list of all members of the dynamic group whose member URL is ldap:///dc=example,dc=com??sub?(employeeType=contractor), returning the cn and mail attributes of each member.

    Base DN               dc=example,dc=com
    Scope                 sub
    Filter                (employeeType=contractor)
    Requested Attributes  cn, mail

    Example:

    $ bin/ldapsearch --baseDN "dc=example,dc=com" \
      --searchScope sub "(employeeType=contractor)" cn mail

    Each requested attribute is passed as a separate argument; a single quoted "cn, mail" would be treated as one attribute name.

    This search might be extensive if the associated filter is not indexed or if the group contains a large number of members.
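All three searches on this page start from the same memberURL value. The following Python, added here as an example and not PingDirectory's own code, shows the client-side pieces that tie them together: parsing a memberURL into base, scope and filter; the purely client-side scope check described in the first section; a small filter evaluator that stands in for the base-level search against the user's entry; the iteration over groupOfURLs entries from the second section; and the ldapsearch argument list for enumerating members in the third. It assumes memberURL values use the RFC 4516 LDAP URL syntax, that lower-casing RDNs and trimming whitespace is an adequate DN normalisation, and that the group and user entries shown are constructed sample data.

```python
# Added example: client-side handling of dynamic-group memberURL values.
# Not PingDirectory's own code. Assumes RFC 4516 URLs of the form
# ldap:///<base>?<attrs>?<scope>?<filter> and a simplified DN normalisation
# (lower-case RDNs, whitespace trimmed around unescaped commas); full
# RFC 4514 DN matching is more involved than this.
import re
from urllib.parse import unquote


def parse_member_url(url):
    """Return (base, scope, filter) from an LDAP URL.

    RFC 4516: a missing scope means 'base', a missing filter means
    '(objectClass=*)'. The attribute list and extensions are ignored.
    """
    m = re.match(r"^ldaps?://[^/]*/(.*)$", url, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    parts = m.group(1).split("?")
    parts += [""] * (4 - len(parts))          # pad to base, attrs, scope, filter
    base, _attrs, scope, filt = (unquote(p) for p in parts[:4])
    scope = (scope or "base").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unsupported scope {scope!r} in {url!r}")
    return base, scope, filt or "(objectClass=*)"


def _rdns(dn):
    """Split a DN into normalised RDN strings, most specific first."""
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn) if c.strip()]


def dn_in_scope(dn, base, scope):
    """The client-side-only part of the membership test: is dn inside base+scope?"""
    d, b = _rdns(dn), _rdns(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return len(d) == len(b) + 1 and d[1:] == b
    return len(d) >= len(b) and d[len(d) - len(b):] == b      # sub


def _values(entry, attr):
    """Entries are dicts keyed by lower-case attribute name -> list of values."""
    return entry.get(attr.strip().lower(), [])


def _parse_filter(s):
    """Tiny RFC 4515 subset: (a=v), (a=*), and &, |, ! combinations.

    Returns (predicate, remaining_text). Parentheses inside values must be
    escaped as \\28 / \\29 per the RFC, so a bare ')' always ends an item.
    """
    if not s.startswith("("):
        raise ValueError(f"bad filter near {s!r}")
    if len(s) > 1 and s[1] in "&|!":
        op, s, children = s[1], s[2:], []
        while s.startswith("("):
            child, s = _parse_filter(s)
            children.append(child)
        if not s.startswith(")") or (op == "!" and len(children) != 1):
            raise ValueError("unbalanced or malformed filter")
        if op == "&":
            return (lambda e: all(c(e) for c in children)), s[1:]
        if op == "|":
            return (lambda e: any(c(e) for c in children)), s[1:]
        return (lambda e: not children[0](e)), s[1:]
    end = s.index(")")
    attr, sep, value = s[1:end].partition("=")
    if not sep:
        raise ValueError(f"only equality/presence items supported: {s[:end + 1]!r}")
    if value == "*":
        return (lambda e: bool(_values(e, attr))), s[end + 1:]
    want = value.lower()
    return (lambda e: any(v.lower() == want for v in _values(e, attr))), s[end + 1:]


def match_filter(filt, entry):
    """Evaluate a filter against one entry (case-insensitive string matching)."""
    pred, rest = _parse_filter(filt.strip())
    if rest:
        raise ValueError(f"trailing text in filter: {rest!r}")
    return pred(entry)


def is_member(user_entry, member_url):
    """Section 1. Against a live server, replace match_filter() with the
    base-level ldapsearch from this page so the server does schema-aware matching."""
    base, scope, filt = parse_member_url(member_url)
    return dn_in_scope(user_entry["dn"], base, scope) and match_filter(filt, user_entry)


def groups_for_user(user_entry, group_entries):
    """Section 2: from the groupOfURLs entries returned by the subtree search,
    return the DNs of groups where any memberURL value admits the user."""
    return [g["dn"] for g in group_entries
            if any(is_member(user_entry, u) for u in g.get("memberurl", []))]


def member_search_args(member_url, attrs=("1.1",)):
    """Section 3: ldapsearch arguments that enumerate a group's members.
    Each requested attribute is its own argument, never one comma-joined string."""
    base, scope, filt = parse_member_url(member_url)
    return ["--baseDN", base, "--searchScope", scope, filt, *attrs]


# Constructed sample data, not taken from any real directory.
JOHN = {"dn": "uid=john.doe,ou=People,dc=example,dc=com",
        "uid": ["john.doe"], "ou": ["Engineering"], "employeetype": ["contractor"]}
GROUPS = [
    {"dn": "cn=Engineers,ou=Groups,dc=example,dc=com",
     "memberurl": ["ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)"]},
    {"dn": "cn=Contractors,ou=Groups,dc=example,dc=com",
     "memberurl": ["ldap:///dc=example,dc=com??sub?(employeeType=contractor)"]},
    {"dn": "cn=Partner Staff,ou=Groups,dc=example,dc=com",
     "memberurl": ["ldap:///ou=Partners,dc=example,dc=com??one?(employeeType=contractor)"]},
]

if __name__ == "__main__":
    print(groups_for_user(JOHN, GROUPS))
    print(" ".join(member_search_args(GROUPS[1]["memberurl"][0], ("cn", "mail"))))
```

The third constructed group shows why the scope check matters: its filter matches John's entry, but his DN is not one level below ou=Partners, so he is correctly excluded. The filter evaluator only covers equality and presence items with the &, |, ! operators; substring, ordering and extensible matching, and attribute-syntax-aware comparison, are exactly the cases where handing the filter to the server in a base-level search is the safer choice.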