Because virtual static groups behave like static groups, the process for determining whether a user is a member of a virtual static group is identical to that of a member in a static group. Similarly, the process for determining all virtual static groups in which a user is a member is basically the same as the process as that of real static groups in which a user is a member. In fact, the query provided in the static groups discussion returns virtual static groups in addition to real static groups, because the structural object class of a virtual static group is the same as the structural object class for a static group.
member
or
uniqueMember
attribute of the desired group. However, because virtual
static groups are backed by dynamic groups and the process for retrieving member information
for dynamic groups can be expensive, virtual static groups do not allow retrieving the full
set of members by default. The virtual attribute used to expose membership can be updated to
allow this with a configuration change such as the
following:$ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static member" \ --set allow-retrieving-membership:true
Because this can be an expensive operation, we recommend that the option to allow retrieving virtual static group membership be left disabled unless it is required.