To create a static group:
- Open a text editor and create a group entry in LDIF.
- Include the groupOfUniqueNames object class and uniquemember attributes.
- Optional: If you do not have ou=groups set up in your server, add it in the same file.
- Save the file.
In the following example, the file is named static-group.ldif. This example LDIF file creates two groups: cn=Development and cn=QA.

dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: cn=Development,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Development
ou: groups
uniquemember: uid=user.14,ou=People,dc=example,dc=com
uniquemember: uid=user.91,ou=People,dc=example,dc=com
uniquemember: uid=user.180,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
ou: groups
uniquemember: uid=user.0,ou=People,dc=example,dc=com
uniquemember: uid=user.1,ou=People,dc=example,dc=com
uniquemember: uid=user.2,ou=People,dc=example,dc=com
- To add the group entries to the server, use the ldapmodify tool.

$ bin/ldapmodify --defaultAdd --filename static-group.ldif
- To verify the configuration, use the virtual attribute isDirectMemberOf, which checks membership for a non-nested group. The virtual attribute is disabled by default, but you can enable it using dsconfig.

$ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
- To determine whether a user is a member of a certain group, use ldapsearch to search the isDirectMemberOf virtual attribute. This example asks whether uid=user.14 is a member of the cn=Development group. It assumes that the administrator has the privilege to view operational attributes.

$ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf
dn: uid=user.14,ou=People,dc=example,dc=com
isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
- Use the group as a target in access control instructions (ACI).
- Open a text editor and create an aci attribute in an LDIF file.
- Save the file.
In this example, the file is named dev-group-aci.ldif.

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///ou=People,dc=example,dc=com") (targetattr != "cn || sn || uid") (targetfilter ="(ou=Development)") (version 3.0; acl "Dev Group Permissions"; allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)

Note: You can create a similar ACI for the QA group, which is not shown in the previous example, but is shown in the example for step 1.
- To add the file, use the ldapmodify tool.

$ bin/ldapmodify --filename dev-group-aci.ldif
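As an added example (not part of the product documentation), the following Python reproduces offline what the isDirectMemberOf check and the ACI's groupdn clause evaluate: it parses the static-group LDIF from step 1, computes a user's direct (non-nested) group membership, and reports whether the "Dev Group Permissions" ACI would apply to that user through its groupdn. The LDIF sample is constructed from the page's entries and trimmed to one member per group; the parser and helper names are the example's own, not a server API.

```python
import re
# Constructed sample mirroring the page's static-group.ldif (one member per group).
STATIC_GROUP_LDIF = """\
dn: cn=Development,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Development
uniquemember: uid=user.14,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
uniquemember: uid=user.0,ou=People,dc=example,dc=com
"""
# The aci value from the page's dev-group-aci.ldif.
DEV_ACI = ('(target ="ldap:///ou=People,dc=example,dc=com") (targetattr != "cn || sn || uid") '
           '(targetfilter ="(ou=Development)") (version 3.0; acl "Dev Group Permissions"; '
           'allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)')
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]+)"')

def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines or base64) -> list of (dn, attrs).
    Attribute names are lower-cased because LDAP matches them case-insensitively."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def normalize_dn(dn):
    """Fold case and trim whitespace around RDN separators so DN comparisons match."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def direct_member_of(user_dn, entries):
    """Emulate isDirectMemberOf: groupOfUniqueNames entries that list user_dn directly."""
    target = normalize_dn(user_dn)
    return [dn for dn, attrs in entries
            if "groupofuniquenames" in [c.lower() for c in attrs.get("objectclass", [])]
            and target in [normalize_dn(m) for m in attrs.get("uniquemember", [])]]

def aci_grants_via_group(aci, user_dn, entries):
    """True when the ACI's groupdn names a group the user is a direct member of."""
    groups = {normalize_dn(g) for g in direct_member_of(user_dn, entries)}
    return any(normalize_dn(g) in groups for g in GROUPDN_RE.findall(aci))
```

Only the groupdn clause is evaluated here, not targetfilter or targetattr, so a True result means the user passes the ACI's group check, not that the whole ACI grants the write.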