Page created: 24 Jul 2019
Page updated: 6 Nov 2019
7.3 Product PingDirectory
-
Assume that uid=user.15 is not part of any group. Use ldapsearch to verify this. The search requests the ou attribute, and only the DN is returned because the entry has no ou value. In a later step, we will add the user to the dynamic group.
$ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" ou
dn: uid=user.15,ou=People,dc=example,dc=com
-
Assume for this example that uid=user.0 has an ou=Engineering attribute indicating that he or she is a member of the Engineering department.
$ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.0)" ou isMemberOf
dn: uid=user.0,ou=People,dc=example,dc=com
ou: Engineering
-
Open a text editor, and then create a dynamic group entry in LDIF. The LDIF defines the dynamic group to include all users who have the ou=Engineering attribute. When done, save the file as add-dynamic-group.ldif.
dn: cn=eng-staff,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfURLs
ou: groups
cn: eng-staff
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)
-
Use ldapmodify to add the group entry to the server.
$ bin/ldapmodify --defaultAdd --filename add-dynamic-group.ldif
-
Use ldapsearch to search specifically for the isMemberOf virtual attribute to determine if uid=user.0 is a member of the cn=eng-staff group or any other group.
$ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" isMemberOf
dn: uid=user.0,ou=People,dc=example,dc=com
isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
-
If your data set is relatively small (under 1 million entries), you can search for all users in the group that meet the search criteria (ou=Engineering). For very large databases, it is not practical to run a database-wide search for all users, as there can be a performance hit on the Directory Server. The following command returns the DNs of entries that are part of the cn=eng-staff dynamic group and sorts them in ascending order by the sn attribute.
$ bin/ldapsearch --baseDN dc=example,dc=com --sortOrder sn \
  "(isMemberOf=cn=eng-staff,ou=groups,dc=example,dc=com)" dn
-
Add uid=user.15 to the eng-staff group by adding an ou=Engineering attribute to the entry. This step highlights an advantage of dynamic groups: you can make a change in an entry without explicitly adding the DN to the group as you would with static groups. The entry will be automatically added to the eng-staff dynamic group.
$ bin/ldapmodify
dn: uid=user.15,ou=People,dc=example,dc=com
changetype: modify
add: ou
ou: Engineering
-
Use ldapsearch to check if the user is part of the cn=eng-staff dynamic group.
$ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" isMemberOf
dn: uid=user.15,ou=People,dc=example,dc=com
isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
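The following Python sketch is an added example, not PingDirectory code: it parses the memberURL from add-dynamic-group.ldif and evaluates it against a few constructed entries, showing why uid=user.15 joins cn=eng-staff once ou=Engineering is added. It handles only a single equality filter and simple DNs; the uid=svc.1 entry and all function names are hypothetical.

```python
import re

# memberURL value from the page's add-dynamic-group.ldif
MEMBER_URL = "ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)"

def norm(dn):
    """Lower-case a DN and drop spaces around commas (ignores escaped commas)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_member_url(url):
    """Split ldap://host/base?attrs?scope?filter into (base, scope, attr, value)."""
    scheme, sep, rest = url.partition("://")
    if scheme.lower() != "ldap" or not sep:
        raise ValueError("not an ldap:// URL")
    dn, _, query = rest.partition("/")[2].partition("?")
    _attrs, scope, filt = (query.split("?") + ["", "", ""])[:3]
    m = re.fullmatch(r"\(([\w-]+)=([^()*\\]+)\)", filt)
    if not m:  # only a single equality filter is handled in this sketch
        raise ValueError("unsupported filter: %r" % filt)
    return norm(dn), (scope or "base").lower(), m.group(1).lower(), m.group(2).lower()

def is_member(entry, url=MEMBER_URL):
    """True if the entry lies in the URL's scope and matches its filter."""
    base, scope, attr, value = parse_member_url(url)
    dn = norm(entry["dn"])
    in_scope = {"base": dn == base,
                "one": dn.partition(",")[2] == base,
                "sub": dn == base or dn.endswith("," + base)}[scope]
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return in_scope and value in values

def members(entries, url=MEMBER_URL):
    """Sorted DNs of the entries the dynamic group would contain."""
    return sorted(e["dn"] for e in entries if is_member(e, url))

def sample_entries():
    """Constructed entries; uid=svc.1 is hypothetical and sits outside ou=People."""
    return [
        {"dn": "uid=user.0,ou=People,dc=example,dc=com", "ou": ["Engineering"]},
        {"dn": "uid=user.15,ou=People,dc=example,dc=com"},
        {"dn": "uid=svc.1,ou=Services,dc=example,dc=com", "ou": ["Engineering"]},
    ]

if __name__ == "__main__":
    entries = sample_entries()
    print("before:", members(entries))
    entries[1]["ou"] = ["Engineering"]  # same change as the ldapmodify step
    print("after: ", members(entries))
```

Because membership is computed from the entry itself, write access to the ou attribute under ou=People is effectively write access to cn=eng-staff, so review ACIs on that attribute as carefully as on the group entry.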