The existence of static, nested, dynamic, and virtual static groups can make it unnecessarily complex to work with groups in the server, particularly because the ways you interact with each type are so different. The fact that static groups can use three different structural object classes (groupOfNames, groupOfUniqueNames, or groupOfEntries, not counting the auxiliary class for virtual static groups) does not make things any easier.
To make group operations simpler, the PingDirectory Server can generate two virtual attributes in user entries, isMemberOf and isDirectMemberOf. These attributes dramatically simplify group-related determinations and work the same way for all types of groups.
The value of the isMemberOf virtual attribute is the list of DNs of all groups (static, nested, dynamic, and virtual static) in which the associated user is a member. The value of the isDirectMemberOf virtual attribute is a subset of the values of isMemberOf: the groups in which the entry is an explicit or direct member, excluding membership that arrives only through nesting. Both are enabled by default.
Because isMemberOf and isDirectMemberOf are operational attributes, they are not returned in search results unless a client explicitly requests them (by name, or with the "+" shorthand for all operational attributes), and a client can read or search on them only if access control permits it. The default set of access control rules does not grant any level of access to user data; the only access that exists is what user-defined access control rules grant, which is generally given to a uid=admin administrator account. It is always a best practice to restrict access to operational and non-operational attributes alike to the minimal set of users that need to see them. The root bind DN, cn=Directory Manager, has the privilege to view operational attributes by default.
To determine whether a user is a member of a particular group using the isMemberOf virtual attribute, perform a base-level search against the user's entry with an equality filter targeting the isMemberOf attribute, using the DN of the target group as the assertion value. The following table illustrates this base-level search:

| Search parameter | Value |
|---|---|
| Base DN | uid=john.doe,ou=People,dc=example,dc=com |
| Scope | base |
| Filter | (isMemberOf=cn=Test Group,ou=Groups,dc=example,dc=com) |
| Requested Attributes | 1.1 |

Requesting the attribute 1.1 asks for no attributes at all, so a matching entry comes back with only its DN. If this search returns an entry, the user is a member of the specified group, whether directly or through nesting. If no entry is returned, either the user is not a member of the given group or the bound account lacks access-control permission to use isMemberOf in a search filter; the client cannot tell these cases apart, so make sure the account performing the check has been granted that access. A base DN that does not exist produces a noSuchObject result rather than an empty result set, which lets you distinguish a missing user from a non-member.
To retrieve the DNs of all groups in which a user is a member, perform a base-level search against the user's entry and request the isMemberOf attribute explicitly, since as an operational attribute it is not returned by default:

| Search parameter | Value |
|---|---|
| Base DN | uid=john.doe,ou=People,dc=example,dc=com |
| Scope | base |
| Filter | (objectclass=*) |
| Requested Attributes | isMemberOf |
To retrieve all members of a group, perform a subtree search with an equality filter targeting the isMemberOf attribute, using the DN of the target group as the assertion value, and request the attributes you want for the member entries:

| Search parameter | Value |
|---|---|
| Base DN | ou=People,dc=example,dc=com |
| Scope | sub |
| Filter | (isMemberOf=cn=Test Group,ou=Groups,dc=example,dc=com) |
| Requested Attributes | cn, mail |
The isDirectMemberOf virtual attribute can be used in the examples above in place of isMemberOf if you only need the groups in which the user is a direct member. Membership acquired through nesting is reflected only in isMemberOf, so you must use isMemberOf whenever nested group membership matters.

Note that if the filter targets a dynamic group and the search is unindexed, the operation may be expensive. However, it will not be any more expensive than retrieving the target group and then issuing a search based on the information in its member URL.

For static groups, this approach has the added benefit of using a single search to retrieve information from all member entries, whereas it would otherwise be necessary to retrieve the static group and then perform a separate search for each member's entry.
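The following Python model is an added illustration and is not PingDirectory code. It uses constructed sample users and groups (hypothetical DNs under dc=example,dc=com), and its normalize_dn, direct_groups, all_groups, is_member, group_members and membership_filter functions are simplified stand-ins for what the server computes and for the three searches described above. It shows why the nested-group check succeeds only with isMemberOf, that isDirectMemberOf is always a subset of isMemberOf, that the DN assertion value is matched after DN normalization rather than as a plain string, and that a group DN containing parentheses or other filter metacharacters must be RFC 4515 escaped before it is placed in the filter.

```python
# Model of isMemberOf / isDirectMemberOf resolution.  Added illustration only,
# not PingDirectory code: the directory contents are constructed sample data and
# the logic is a simplified model of what the server computes per user entry.
from __future__ import annotations

# --- constructed sample data (hypothetical) ----------------------------------
USERS: dict[str, dict[str, str]] = {
    "uid=john.doe,ou=People,dc=example,dc=com": {
        "cn": "John Doe", "mail": "john.doe@example.com", "ou": "Engineering"},
    "uid=jane.roe,ou=People,dc=example,dc=com": {
        "cn": "Jane Roe", "mail": "jane.roe@example.com", "ou": "Sales"},
}
# Static groups list explicit member DNs.  "All Staff" nests "Test Group".
STATIC_GROUPS: dict[str, list[str]] = {
    "cn=Test Group,ou=Groups,dc=example,dc=com": [
        "uid=john.doe,ou=People,dc=example,dc=com"],
    "cn=All Staff,ou=Groups,dc=example,dc=com": [
        "cn=Test Group,ou=Groups,dc=example,dc=com",
        "uid=jane.roe,ou=People,dc=example,dc=com"],
}
# A dynamic group is modelled as one attribute/value test, standing in for a
# memberURL such as ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering).
DYNAMIC_GROUPS: dict[str, tuple[str, str]] = {
    "cn=Engineers,ou=Groups,dc=example,dc=com": ("ou", "Engineering"),
}


def normalize_dn(dn: str) -> str:
    """Approximate distinguishedNameMatch: case-insensitive, whitespace around
    RDN separators ignored.  Simplification: escaped commas are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def direct_groups(user_dn: str) -> set[str]:
    """isDirectMemberOf: groups that list the user explicitly, plus dynamic
    groups whose filter the user's own entry matches.  Nesting is ignored."""
    user = normalize_dn(user_dn)
    found = {normalize_dn(g) for g, members in STATIC_GROUPS.items()
             if any(normalize_dn(m) == user for m in members)}
    attrs = next((a for dn, a in USERS.items() if normalize_dn(dn) == user), {})
    found |= {normalize_dn(g) for g, (a, v) in DYNAMIC_GROUPS.items()
              if attrs.get(a) == v}
    return found


def all_groups(user_dn: str) -> set[str]:
    """isMemberOf: the direct groups plus every static group that contains one
    of the groups already found as a member (nesting), iterated to a fixed point."""
    result = direct_groups(user_dn)
    changed = True
    while changed:
        changed = False
        for g, members in STATIC_GROUPS.items():
            if normalize_dn(g) in result:
                continue
            if any(normalize_dn(m) in result for m in members):
                result.add(normalize_dn(g))
                changed = True
    return result


def is_member(user_dn: str, group_dn: str, direct_only: bool = False) -> bool:
    """Outcome of the base-scope search on the user's entry with the filter
    (isMemberOf=<group DN>) or (isDirectMemberOf=<group DN>): True iff the
    entry would be returned.  The group DN is compared after normalization."""
    groups = direct_groups(user_dn) if direct_only else all_groups(user_dn)
    return normalize_dn(group_dn) in groups


def group_members(group_dn: str,
                  attrs: tuple[str, ...] = ("cn", "mail")) -> dict[str, dict[str, str]]:
    """Outcome of the subtree search under ou=People with the filter
    (isMemberOf=<group DN>): each member's DN with the requested attributes."""
    return {dn: {a: v for a, v in entry.items() if a in attrs}
            for dn, entry in USERS.items() if is_member(dn, group_dn)}


def filter_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value.  A group whose RDN contains
    '(', ')', '*' or a backslash would otherwise yield a malformed filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def membership_filter(group_dn: str, direct_only: bool = False) -> str:
    """Build the equality filter used by the membership searches."""
    attr = "isDirectMemberOf" if direct_only else "isMemberOf"
    return f"({attr}={filter_escape(group_dn)})"
```

With this data, is_member("uid=john.doe,ou=People,dc=example,dc=com", "cn=All Staff,ou=Groups,dc=example,dc=com") is True because All Staff nests Test Group, while the same call with direct_only=True is False, which is exactly the difference between filtering on isMemberOf and on isDirectMemberOf. The filter_escape helper is the part most often forgotten when group DNs are built from user input; an unescaped parenthesis in a CN breaks the filter at best and changes its meaning at worst.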