To create a static group:

  1. Open a text editor and create a group entry in LDIF.
    1. Include the groupOfUniqueNames object class and the uniquemember attributes.
    2. Optional: If you did not have ou=groups set up in your server, add it in the same file.
    3. Save the file.

    In the following example, the file is named static-group.ldif.

    This example LDIF file creates two groups: cn=Development and cn=QA.

    dn: ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: organizationalunit
    ou: groups

    dn: cn=Development,ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: Development
    ou: groups
    uniquemember: uid=user.14,ou=People,dc=example,dc=com
    uniquemember: uid=user.91,ou=People,dc=example,dc=com
    uniquemember: uid=user.180,ou=People,dc=example,dc=com

    dn: cn=QA,ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: QA
    ou: groups
    uniquemember: uid=user.0,ou=People,dc=example,dc=com
    uniquemember: uid=user.1,ou=People,dc=example,dc=com
    uniquemember: uid=user.2,ou=People,dc=example,dc=com
  2. To add the group entries to the server, use the ldapmodify tool.
    $ bin/ldapmodify --defaultAdd --filename static-group.ldif
  3. To verify the configuration, use the isDirectMemberOf virtual attribute, which reports direct (non-nested) group membership.

    The virtual attribute is disabled by default, but you can enable it using dsconfig.

    $ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
  4. To determine if a user is a member of a certain group, use ldapsearch to search the isDirectMemberOf virtual attribute.

    This example checks whether uid=user.14 is a member of the cn=Development group.

    This example assumes that the administrator has the privilege to view operational attributes.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf
    dn: uid=user.14,ou=People,dc=example,dc=com
    isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
  5. Use the group as a target in access control instructions (ACI).
    1. Open a text editor and create an aci attribute in an LDIF file.
    2. Save the file.
    3. To add the file, use the ldapmodify tool.

    In this example, the file is named dev-group-aci.ldif.

    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target ="ldap:///ou=People,dc=example,dc=com")
      (targetattr != "cn || sn || uid")
      (targetfilter ="(ou=Development)")
      (version 3.0; acl "Dev Group Permissions";
        allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)

    Because the targetattr rule uses !=, this ACI grants the group write access to every attribute of the matching entries except cn, sn, and uid; review that exclusion list before applying it. You can create a similar ACI for the QA group created in step 1; it is not shown here.

  6. To add the file, use the ldapmodify tool.
    $ bin/ldapmodify --filename dev-group-aci.ldif
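As an added example that is not part of the original documentation or the product, the following Python script parses a static-group LDIF like the one in step 1 and answers offline the question the isDirectMemberOf search in step 4 asks; the sample LDIF, the folded member line and the user DNs are constructed for illustration.

```python
# Added example (not product code): offline check of static-group membership from LDIF.
# The LDIF below is constructed; the last QA member shows RFC 2849 line folding.
SAMPLE_LDIF = """\
dn: cn=Development,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Development
uniquemember: uid=user.14,ou=People,dc=example,dc=com
uniquemember: uid=user.91,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
uniquemember: uid=user.0,ou=People,dc=example,dc=com
uniquemember: uid=user.1,
 ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated LDIF record."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:    # folded continuation: drop leading space
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                 # trailing "" flushes the final record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Case-fold and trim each RDN so comparison behaves like the server's DN matching."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def direct_member_of(entries, user_dn):
    """DNs of groupOfUniqueNames entries that list user_dn directly (no nesting),
    which is the question isDirectMemberOf answers on the server."""
    target = norm_dn(user_dn)
    return [e["dn"][0] for e in entries
            if "groupofuniquenames" in (oc.lower() for oc in e.get("objectclass", []))
            and target in {norm_dn(m) for m in e.get("uniquemember", [])}]
```

Calling direct_member_of(parse_ldif(SAMPLE_LDIF), "uid=user.14,ou=People,dc=example,dc=com") returns the same group DN that the ldapsearch in step 4 shows; like isDirectMemberOf, it does not follow nested groups.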