Page created: 6 Nov 2019 | Page updated: 25 Mar 2020 | 2 min read
PingDirectory 8.0 product documentation | Content type: Administration, user task | Audience: IT administrator
-
The following example shows how to set up a nested static group, which is a static group whose uniquemember attribute values are the DNs of other groups (static, virtual static, or dynamic). Open a text editor and create a group entry in LDIF. Include the groupOfUniqueNames object class and one uniquemember attribute per nested group. If ou=groups does not exist on your server yet, you can add it in the same file; if it already exists, leave that record out, because adding an existing entry is rejected. Save the file as nested-static-group.ldif. Assume that the static groups cn=Developers and cn=QA have already been configured.

dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: cn=Engineering Group,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=groups,dc=example,dc=com
uniquemember: cn=QA,ou=groups,dc=example,dc=com
-
Use ldapmodify to add the group entry. The --defaultAdd option treats LDIF records that carry no changetype as add operations.
$ bin/ldapmodify --defaultAdd --filename nested-static-group.ldif
-
Verify the configuration by using the isMemberOf virtual attribute, which reports the groups an entry belongs to, including membership inherited through nested groups. The virtual attribute is enabled by default. Because isMemberOf is an operational attribute, it is returned only when requested explicitly, so name it in the ldapsearch attribute list. In this example, uid=user.14 is a direct member of cn=Developers, and the administrator performing the search has the privilege to view operational attributes. Since cn=Developers is nested in cn=Engineering Group, both groups are listed (isDirectMemberOf, by contrast, would list only cn=Developers):

$ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isMemberOf

dn: uid=user.14,ou=People,dc=example,dc=com
isMemberOf: cn=Developers,ou=groups,dc=example,dc=com
isMemberOf: cn=Engineering Group,ou=groups,dc=example,dc=com
-
Typically, you use the group as the subject of access control instructions. Open a text editor, create an ACI in LDIF, and save the file as eng-group-aci.ldif. The ACI below grants members of cn=Engineering Group write access to entries under ou=People that match the target filter, on every attribute except cn, sn, and uid:

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,dc=example,dc=com")(targetattr != "cn || sn || uid")(targetfilter="(ou=Engineering Group)")(version 3.0; acl "Engineering Group Permissions"; allow (write) (groupdn="ldap:///cn=Engineering Group,ou=groups,dc=example,dc=com");)

Because the server resolves nested membership, members of cn=Developers and cn=QA also satisfy the groupdn bind rule. Note that a negated targetattr ("!=") grants write on every attribute it does not list, so check that the remaining set (userPassword, for example) is what you intend before deploying the ACI.
-
Add the file using the ldapmodify tool. No --defaultAdd is needed here, because the record carries an explicit changetype: modify.
$ bin/ldapmodify --filename eng-group-aci.ldif
Note: Dynamic groups cannot be nested in the same way. A dynamic group's membership is defined entirely by its memberURL filter, so you cannot list another group as a member of it. You can approximate nesting by writing a member URL whose filter selects the members of the other group. For example, given two dynamic groups cn=dynamic1 and cn=dynamic2, you can include the members of dynamic2 in dynamic1 with the following entry:

dn: cn=dynamic1,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: dynamic1
memberURL: ldap:///dc=example,dc=com??sub?(isMemberOf=cn=dynamic2,ou=groups,dc=example,dc=com)

Members picked up this way are not considered nested members of dynamic1: they match its filter directly, so they are returned even when you retrieve members with isDirectMemberOf.
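The distinction between direct and nested membership that the verification step and the note above rely on can be checked offline against an LDIF export. The following script is an added example for this page, not PingDirectory code: it parses groupOfUniqueNames entries from a constructed LDIF sample, reports what isDirectMemberOf and isMemberOf would return for an entry, and flags membership cycles, which nested groups make possible and which an access-control review should catch. The sample deliberately lists cn=Engineering Group as a member of cn=QA to create such a cycle; DN normalization, the sample data and the function names are all assumptions of the example.

```python
"""Resolve direct and nested group membership from LDIF (added example; not
PingDirectory code, does not contact a server).  The LDIF below is constructed:
Engineering Group nests Developers and QA, and QA lists Engineering Group back
as a member on purpose so that the cycle guard is exercised."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=Developers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Developers
uniqueMember: uid=user.14,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA
uniqueMember: uid=user.20,ou=People,dc=example,dc=com
uniqueMember: cn=Engineering Group,ou=groups,dc=example,dc=com

dn: cn=Engineering Group,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Engineering Group
uniqueMember: cn=Developers,ou=groups,dc=example,dc=com
uniqueMember: cn=QA,ou=groups,dc=example,dc=com
"""

# Normalized DNs used by the demo and its checks (assumed names).
USER14 = "uid=user.14,ou=People,dc=example,dc=com"
DEV_DN = "cn=developers,ou=groups,dc=example,dc=com"
QA_DN = "cn=qa,ou=groups,dc=example,dc=com"
ENG_DN = "cn=engineering group,ou=groups,dc=example,dc=com"


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs written with
    different case or spacing compare equal (cn values are case-insensitive)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized dn: {attr_lower: [values]}} for an LDIF string.
    Folded lines (leading space) and comments are handled; base64 values
    (::) are not needed here and are not decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[current[0]] = current[1]
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (normalize_dn(value), defaultdict(list))
        elif current is not None:
            current[1][attr].append(value)
    return entries


def static_groups(entries):
    """Map group DN -> set of direct member DNs for groupOfUniqueNames entries."""
    groups = {}
    for dn, attrs in entries.items():
        if "groupofuniquenames" in {c.lower() for c in attrs.get("objectclass", [])}:
            groups[dn] = {normalize_dn(m) for m in attrs.get("uniquemember", [])}
    return groups


def direct_member_of(groups, entry_dn):
    """Groups listing entry_dn in uniqueMember (what isDirectMemberOf reports)."""
    dn = normalize_dn(entry_dn)
    return {g for g, members in groups.items() if dn in members}


def member_of(groups, entry_dn):
    """Direct plus nested membership (what isMemberOf reports).  Walks up
    through parent groups; the visited set stops a cycle from looping."""
    visited = set()
    frontier = list(direct_member_of(groups, entry_dn))
    while frontier:
        g = frontier.pop()
        if g in visited:
            continue
        visited.add(g)
        frontier.extend(direct_member_of(groups, g))
    return visited


def group_cycles(groups):
    """Groups that contain themselves through nesting: a review item, since
    such a loop usually means rights were granted by accident."""
    return {g for g in groups if g in member_of(groups, g)}


if __name__ == "__main__":
    groups = static_groups(parse_ldif(SAMPLE_LDIF))
    print("isDirectMemberOf:", sorted(direct_member_of(groups, USER14)))
    print("isMemberOf:      ", sorted(member_of(groups, USER14)))
    print("cycles:          ", sorted(group_cycles(groups)))
```

Run it against a real export (ldapsearch with objectClass=groupOfUniqueNames, output redirected to a file) to compare the server's isMemberOf answers with the membership implied by the stored uniqueMember values, and to list any groups that have become members of themselves.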