--- title: Groups description: DS servers support several methods of grouping entries: component: pingds version: 8.1 page_id: pingds:config-guide:groups canonical_url: https://docs.pingidentity.com/pingds/8.1/config-guide/groups.html revdate: 2025-10-22T14:42:39Z keywords: ["Features", "Groups", "LDAP", "Setup & Configuration"] section_ids: dynamic-groups: Dynamic groups virtual-static-groups: Virtual static groups static-groups: Static groups nested-groups: Nested groups group-membership: Group membership referential-integrity: Referential integrity --- # Groups DS servers support several methods of grouping entries: * [Dynamic groups](#dynamic-groups) look up their membership based on an LDAP filter. * [Static groups](#static-groups) list each member. Static groups are easy to start, but can become large and expensive to maintain. For static groups, you must have a mechanism to remove members whose entries are deleted, and members whose entries are modified in a way that ends their membership. DS servers use a *referential integrity* plugin for this. * [Virtual static groups](#virtual-static-groups) use a dynamic group-style definition, but let applications list group members as if the group were static. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The examples that follow assume `ou=Groups,dc=example,dc=com` already exists. The `ds-evaluation` profile includes this entry by default. If you are using another profile, you can create the groups entry:```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword password << EOF dn: ou=Groups,dc=example,dc=com objectClass: organizationalunit objectClass: top ou: Groups EOF ``` | ## Dynamic groups A dynamic group *(tooltip: \

A group specifying members with LDAP URLs.\

)* references members using LDAP URLs *(tooltip: \

A standard uniform resource locator for accessing entries in a directory.\

)*. Dynamic group entries take the `groupOfURLs` object class, with one or more `memberURL` values specifying LDAP URLs to identify group members. Dynamic groups are a natural fit for directory servers. If you have a choice, choose dynamic groups over static groups for these reasons: * Dynamic group membership is a property of a member's entry. There is no need to maintain a separate entry with the list of members. * Determining dynamic group membership is as simple as applying the member URL criteria. * Dynamic groups scale to any size without performance issues. Dynamic group entries remain small even when the group has a large number of members. The following dynamic group includes entries matching the filter `"(l=San Francisco)"` (users whose location is San Francisco): ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com cn: My Dynamic Group objectClass: top objectClass: groupOfURLs ou: Groups memberURL: ldap:///ou=People,dc=example,dc=com??sub?l=San Francisco EOF ``` Group membership changes dynamically as entries change to match the `memberURL` values: ```console $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(&(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \ 1.1 ``` > **Collapse: Show output** > > ``` > dn: uid=bjensen,ou=People,dc=example,dc=com > > dn: uid=rjensen,ou=People,dc=example,dc=com > ``` ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: uid=ajensen,ou=People,dc=example,dc=com changetype: modify replace: l l: San Francisco EOF $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(&(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \ 1.1 ``` > **Collapse: Show output** > > ``` > dn: uid=ajensen,ou=People,dc=example,dc=com > > dn: uid=bjensen,ou=People,dc=example,dc=com > > dn: uid=rjensen,ou=People,dc=example,dc=com > ``` ## Virtual static groups DS servers let you create virtual static groups *(tooltip: \

An entry representing dynamic groups as static groups.\

)*. Virtual static groups allow applications to display dynamic groups as if they had an enumerated list of members like a static group. The virtual static group takes the auxiliary object class `ds-virtual-static-group`. Virtual static groups use the object class `groupOfNames`, or `groupOfUniqueNames`. Instead of `member` or `uniqueMember` attributes, they have `ds-target-group-dn` attributes pointing to other groups. Generating the list of members can be resource-intensive for large groups. By default, you cannot retrieve the list of members. If you have an application that must read the list of members, change the configuration of `Virtual Static member` or `Virtual Static uniqueMember` to set `allow-retrieving-membership:true`: ```console $ dsconfig \ set-virtual-attribute-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --name "Virtual Static member" \ --set allow-retrieving-membership:true \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt ``` The following example creates a virtual static group, and reads the group entry with all members: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=Virtual Static,ou=Groups,dc=example,dc=com cn: Virtual Static objectclass: top objectclass: groupOfNames objectclass: ds-virtual-static-group ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com EOF $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(cn=Virtual Static)" ``` > **Collapse: Show output** > > ``` > dn: cn=Virtual Static,ou=Groups,dc=example,dc=com > objectClass: top > objectClass: groupOfNames > objectClass: ds-virtual-static-group > cn: Virtual Static > ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com > member: uid=abergin,ou=People,dc=example,dc=com > member: uid=ajensen,ou=People,dc=example,dc=com > member: uid=aknutson,ou=People,dc=example,dc=com > member: uid=awalker,ou=People,dc=example,dc=com > member: uid=aworrell,ou=People,dc=example,dc=com > member: uid=bjensen,ou=People,dc=example,dc=com > member: uid=bplante,ou=People,dc=example,dc=com > member: uid=btalbot,ou=People,dc=example,dc=com > member: uid=cwallace,ou=People,dc=example,dc=com > member: uid=dakers,ou=People,dc=example,dc=com > member: uid=dthorud,ou=People,dc=example,dc=com > member: uid=ewalker,ou=People,dc=example,dc=com > member: uid=gfarmer,ou=People,dc=example,dc=com > member: uid=jbourke,ou=People,dc=example,dc=com > member: uid=jcampaig,ou=People,dc=example,dc=com > member: uid=jmuffly,ou=People,dc=example,dc=com > member: uid=jreuter,ou=People,dc=example,dc=com > member: uid=jwalker,ou=People,dc=example,dc=com > member: uid=kcarter,ou=People,dc=example,dc=com > member: uid=kschmith,ou=People,dc=example,dc=com > member: uid=mjablons,ou=People,dc=example,dc=com > member: uid=mlangdon,ou=People,dc=example,dc=com > member: uid=mschneid,ou=People,dc=example,dc=com > member: uid=mtalbot,ou=People,dc=example,dc=com > member: uid=mtyler,ou=People,dc=example,dc=com > member: uid=mwhite,ou=People,dc=example,dc=com > member: uid=pshelton,ou=People,dc=example,dc=com > member: uid=rjensen,ou=People,dc=example,dc=com > member: uid=smason,ou=People,dc=example,dc=com > member: uid=tlabonte,ou=People,dc=example,dc=com > member: uid=tschmith,ou=People,dc=example,dc=com > ``` ## Static groups A LDAP static group (static group) *(tooltip: \

An entry enumerating member entries.\

)* entry enumerates the entries in the group. Static group entries grow as their membership increases. Large static groups are a performance bottleneck. If you have a choice, choose dynamic groups over static groups for these reasons: * Static group membership is defined in a separate, potentially large LDAP entry. Large static group entries are expensive to maintain, cache, and replicate. * Determining static group membership involves reading the group entry, or using virtual membership attributes. * Static group performance tends to decrease with size. Reading and updating the group entry becomes more expensive as group size grows. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------- | | | When working with static groups, also read [Group membership](#group-membership) and [Referential integrity](#referential-integrity). | Static group entries are based on one of the following standard object classes: * `groupOfNames` The `groupOfNames` object class requires at least one `member` attribute. Each value is the distinguished name of an entry. * `groupOfEntries` The `groupOfEntries` object class requires zero or more `member` attributes. * `groupOfUniqueNames` The `groupOfUniqueNames` object class has at least one `uniqueMember` attribute. Each value follows Name and Optional UID syntax. Name and Optional UID syntax values are a DN, optionally followed by `\#BitString`. The BitString, such as `'0101111101'B`, serves to distinguish the entry from another entry with the same DN, which can occur when the original entry was deleted and a new entry was created with the same DN. Like other LDAP attributes, each group member attribute value is unique. LDAP does not allow duplicate values for the same attribute on the same entry. | | | | - | ----------------------------------------------------------------------------------- | | | When creating a group entry, use `groupOfNames` or `groupOfEntries` where possible. | To create a static group, add a group entry such as the following to the directory: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=My Static Group,ou=Groups,dc=example,dc=com cn: My Static Group objectClass: groupOfNames objectClass: top ou: Groups member: uid=ahunter,ou=People,dc=example,dc=com member: uid=bjensen,ou=People,dc=example,dc=com member: uid=tmorris,ou=People,dc=example,dc=com EOF ``` To change group membership, modify the values of the membership attribute: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=My Static Group,ou=Groups,dc=example,dc=com changetype: modify add: member member: uid=scarter,ou=People,dc=example,dc=com EOF $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(cn=My Static Group)" ``` > **Collapse: Show output** > > ``` > dn: cn=My Static Group,ou=Groups,dc=example,dc=com > objectClass: groupOfNames > objectClass: top > cn: My Static Group > member: uid=ahunter,ou=People,dc=example,dc=com > member: uid=bjensen,ou=People,dc=example,dc=com > member: uid=tmorris,ou=People,dc=example,dc=com > member: uid=scarter,ou=People,dc=example,dc=com > ou: Groups > ``` RFC 4519 says a `groupOfNames` entry must have at least one member. Although DS servers allow you to create a `groupOfNames` without members, strictly speaking, that behavior is not standard. Alternatively, you can use the `groupOfEntries` object class as shown in the following example: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com cn: Initially Empty Static Group objectClass: groupOfEntries objectClass: top ou: Groups EOF $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com changetype: modify add: member member: uid=ahunter,ou=People,dc=example,dc=com member: uid=bjensen,ou=People,dc=example,dc=com member: uid=tmorris,ou=People,dc=example,dc=com member: uid=scarter,ou=People,dc=example,dc=com EOF ``` ## Nested groups DS servers let you nest groups. The following example shows a group of groups of managers and administrators: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=The Big Shots,ou=Groups,dc=example,dc=com cn: The Big Shots objectClass: groupOfNames objectClass: top ou: Groups member: cn=Accounting Managers,ou=groups,dc=example,dc=com member: cn=Directory Administrators,ou=Groups,dc=example,dc=com member: cn=HR Managers,ou=groups,dc=example,dc=com member: cn=PD Managers,ou=groups,dc=example,dc=com member: cn=QA Managers,ou=groups,dc=example,dc=com EOF ``` Although not shown in the example above, DS servers let you nest groups within nested groups. DS servers let you create dynamic groups of groups. The following example shows a group of other groups. The members of this group are themselves groups, not users: ```console $ ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=Group of Groups,ou=Groups,dc=example,dc=com cn: Group of Groups objectClass: top objectClass: groupOfURLs ou: Groups memberURL: ldap:///ou=Groups,dc=example,dc=com??sub?ou=Groups EOF ``` Use the `isMemberOf` attribute to determine what groups a member belongs to, as described in [Group membership](#group-membership). The following example requests the groups that Kirsten Vaughan belongs to: ```console $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(uid=kvaughan)" \ isMemberOf ``` > **Collapse: Show output** > > ``` > dn: uid=kvaughan,ou=People,dc=example,dc=com > isMemberOf: cn=Directory Administrators,ou=Groups,dc=example,dc=com > isMemberOf: cn=HR Managers,ou=groups,dc=example,dc=com > isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com > ``` Notice that Kirsten is a member of The Big Shots group. Notice also that Kirsten does not belong to the Group of Groups. The members of that group are groups, not users. The following example requests the groups that the directory administrators group belongs to: ```console $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(cn=Directory Administrators)" \ isMemberOf ``` > **Collapse: Show output** > > ``` > dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com > ``` The following example shows which groups each group belong to. The search is unindexed, and so is performed here with directory administrator credentials: ```console $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword password \ --baseDN dc=example,dc=com \ "(ou=Groups)" \ isMemberOf ``` > **Collapse: Show output** > > ``` > dn: ou=Groups,dc=example,dc=com > > dn: cn=Accounting Managers,ou=groups,dc=example,dc=com > isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > > dn: cn=Directory Administrators,ou=Groups,dc=example,dc=com > isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > > dn: cn=Group of Groups,ou=Groups,dc=example,dc=com > > dn: cn=HR Managers,ou=groups,dc=example,dc=com > isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > > dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > > dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com > > dn: cn=My Static Group,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > > dn: cn=PD Managers,ou=groups,dc=example,dc=com > isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > > dn: cn=QA Managers,ou=groups,dc=example,dc=com > isMemberOf: cn=The Big Shots,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > > dn: cn=The Big Shots,ou=Groups,dc=example,dc=com > isMemberOf: cn=Group of Groups,ou=Groups,dc=example,dc=com > ``` Notice that the group of groups is not a member of itself. ## Group membership DS servers let you verify which groups a user belongs to by reading their entry. The virtual `isMemberOf` attribute shows which groups a user is in. Reading the user entry is more efficient than reading large static group entries and checking the lists of members: ```console $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(uid=bjensen)" \ isMemberOf ``` > **Collapse: Show output** > > ``` > dn: uid=bjensen,ou=People,dc=example,dc=com > isMemberOf: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com > isMemberOf: cn=My Static Group,ou=Groups,dc=example,dc=com > isMemberOf: cn=My Dynamic Group,ou=Groups,dc=example,dc=com > isMemberOf: cn=Virtual Static,ou=Groups,dc=example,dc=com > isMemberOf: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com > ``` You must request `isMemberOf` explicitly. For a dynamic group, you can check the membership directly on the candidate member's entry using the same search criteria as the dynamic group's member URL. ## Referential integrity When you delete or rename an entry that belongs to static groups, that entry's DN must be removed or changed in each group it belongs to. You can configure the server to resolve membership changes by enabling referential integrity. Referential integrity functionality is implemented as a plugin. The referential integrity plugin is disabled by default. To enable the plugin, use the `dsconfig` command: ```console $ dsconfig \ set-plugin-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --plugin-name "Referential Integrity" \ --set enabled:true \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt ``` With the plugin enabled, referential integrity resolves group membership automatically: ```console $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(cn=My Static Group)" ``` > **Collapse: Show output** > > ``` > dn: cn=My Static Group,ou=Groups,dc=example,dc=com > objectClass: groupOfNames > objectClass: top > cn: My Static Group > member: uid=ahunter,ou=People,dc=example,dc=com > member: uid=bjensen,ou=People,dc=example,dc=com > member: uid=tmorris,ou=People,dc=example,dc=com > member: uid=scarter,ou=People,dc=example,dc=com > ou: Groups > ``` ```console $ ldapdelete \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ uid=scarter,ou=People,dc=example,dc=com $ ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=People,dc=example,dc=com \ --bindPassword bribery \ --baseDN dc=example,dc=com \ "(cn=My Static Group)" ``` > **Collapse: Show output** > > ``` > dn: cn=My Static Group,ou=Groups,dc=example,dc=com > objectClass: groupOfNames > objectClass: top > cn: My Static Group > member: uid=ahunter,ou=People,dc=example,dc=com > member: uid=bjensen,ou=People,dc=example,dc=com > member: uid=tmorris,ou=People,dc=example,dc=com > ou: Groups > ``` By default, the referential integrity plugin is configured to manage `member` and `uniqueMember` attributes. These attributes take values that are DNs, and are indexed for equality by default for the default backend. Before you add an additional attribute to manage, make sure that it has DN syntax and that it is indexed for equality. DS servers require indexes because an unindexed search can consume too many of the server's resources. For instructions on indexing attributes, refer to [Configure indexes](idx-config.html). Consider these settings when configuring the referential integrity plugin: * `check-references:true` checks that members' entries exist when added to a group. * `check-references-filter-criteria` lets your members' entries match an LDAP filter. For example, `check-references-filter-criteria:member:(objectclass=person)` checks that members are person entries. * `check-references-scope-criteria:naming-context` checks that members' entries are in the same naming context (base DN).