In the following example, consider the common case of an "All Users" group, which contains all entries under the parent DN "ou=People,dc=example,dc=com". When implemented as a virtual static group, this group may have a large membership set without incurring the overhead of a static group.

  1. First, create a dynamic group.
    dn: cn=Dynamic All Users,ou=Groups,dc=example,dc=com
    objectClass: top
    objectClass: groupOfURLs
    cn: Dynamic All Users
    memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
  2. Next, create a virtual static group that references the dynamic group.
    dn: cn=All Users,ou=Groups,dc=example,dc=com
    objectClass: top
    objectClass: groupOfUniqueNames
    objectClass: ds-virtual-static-group
    cn: All Users
    ds-target-group-dn: cn=Dynamic All Users,ou=Groups,dc=example,dc=com
  3. Finally, the Virtual Static uniqueMember virtual attribute must be enabled to populate the All Users group with uniqueMember virtual attributes.
    $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
      --set enabled:true
  4. Confirm that the virtual static group is correctly configured by checking a user's membership in the group.
    $ bin/ldapsearch --baseDN "cn=All Users,ou=Groups,dc=example,dc=com" \
      --searchScope base "(uniqueMember=uid=user.0,ou=People,dc=example,dc=com)" 1.1
    dn: cn=All Users,ou=Groups,dc=example,dc=com
  5. The ability to list all members of a virtual static group is disabled by default. You may enable this feature, but only if specifically required by a client application.
    $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
      --set allow-retrieving-membership: true
    Note: The virtual static group may also be implemented using the groupOfNames object class instead of groupOfUniqueNames. In that case, you must update the Virtual Static member configuration object instead of the Virtual Static uniqueMember configuration object.