Page created: 6 Nov 2019 | Page updated: 25 Mar 2020 | 2 min read
PingDirectory 8.0 product documentation (Administration, IT Administrator audience)
-
Open a text editor, and then create a group entry in LDIF. Make sure to include the groupOfUniqueNames object class and uniquemember attributes. If you did not have ou=groups set up in your server, then you can add it in the same file. When done, save the file as static-group.ldif. The following example LDIF file creates two groups, cn=Development and cn=QA.

dn: ou=groups,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: cn=Development,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Development
ou: groups
uniquemember: uid=user.14,ou=People,dc=example,dc=com
uniquemember: uid=user.91,ou=People,dc=example,dc=com
uniquemember: uid=user.180,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
ou: groups
uniquemember: uid=user.0,ou=People,dc=example,dc=com
uniquemember: uid=user.1,ou=People,dc=example,dc=com
uniquemember: uid=user.2,ou=People,dc=example,dc=com
-
Use ldapmodify to add the group entries to the server.
$ bin/ldapmodify --defaultAdd --filename static-group.ldif
-
Verify the configuration by using the isDirectMemberOf virtual attribute, which checks membership in a non-nested group. The virtual attribute is disabled by default, but you can enable it using dsconfig.
$ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
-
Use ldapsearch to request specifically the isDirectMemberOf virtual attribute to determine whether uid=user.14 is a member of the cn=Development group. In this example, assume that the administrator has the privilege to view operational attributes.
$ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf
dn: uid=user.14,ou=People,dc=example,dc=com
isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
-
Typically, you would want to use the group as a target in access control instructions. Open a text editor, create an aci attribute in an LDIF file, and save the file as dev-group-aci.ldif. The following ACI grants members of cn=Development write access to every attribute except cn, sn, and uid on entries under ou=People that match (ou=Development). You can create a similar ACI for the QA group, which is not shown in this example.

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///ou=People,dc=example,dc=com") (targetattr != "cn || sn || uid") (targetfilter ="(ou=Development)") (version 3.0; acl "Dev Group Permissions"; allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)
-
Add the file using the ldapmodify tool.
$ bin/ldapmodify --filename dev-group-aci.ldif
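The steps above build the static-group.ldif and dev-group-aci.ldif files by hand and then rely on the server's isDirectMemberOf virtual attribute to confirm membership. The following Python script is an added example, not part of this page or of PingDirectory's own tooling: it generates both LDIF files from a dict of groups (any number of groups, not only the two shown), parses LDIF back into entries with a minimal parser, checks offline what isDirectMemberOf would answer on the server, and confirms that the groupdn referenced by the ACI is actually one of the groups being created. The helper names, the validation rules, the simplified DN normalization (no RFC 4514 escaping) and the sample group data are this example's own assumptions.

```python
"""Offline builder and sanity checker for PingDirectory static-group LDIF.
Added example, not PingDirectory's own code; helper names and rules are assumptions."""
import re
from collections import defaultdict

BASE_DN = "dc=example,dc=com"
GROUPS_OU = f"ou=groups,{BASE_DN}"
PEOPLE_OU = f"ou=People,{BASE_DN}"

# Constructed sample input mirroring the two groups on this page.
SAMPLE_GROUPS = {
    "Development": ["uid=user.14", "uid=user.91", "uid=user.180"],
    "QA": ["uid=user.0", "uid=user.1", "uid=user.2"],
}


def normalize_dn(dn):
    """Comparison key for DNs: case-insensitive, whitespace around commas
    ignored (simplified; RFC 4514 escaping is not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_group_ldif(groups, include_ou=True):
    """Return LDIF creating ou=groups (optional) plus one groupOfUniqueNames
    entry per group, in the shape of static-group.ldif."""
    entries = []
    if include_ou:
        entries.append([f"dn: {GROUPS_OU}", "objectclass: top",
                        "objectclass: organizationalunit", "ou: groups"])
    for name, members in groups.items():
        lines = [f"dn: cn={name},{GROUPS_OU}", "objectclass: top",
                 "objectclass: groupOfUniqueNames", f"cn: {name}", "ou: groups"]
        lines += [f"uniquemember: {rdn},{PEOPLE_OU}" for rdn in members]
        entries.append(lines)
    return "\n\n".join("\n".join(e) for e in entries) + "\n"  # blank line separates entries


def build_aci_ldif(group_name, acl_name):
    """Return the modify LDIF adding an ACI that lets members of the named group
    write every attribute except cn, sn and uid on ou=People entries whose ou
    matches the group (the page's dev-group-aci.ldif, parameterised)."""
    aci = (f'(target ="ldap:///{PEOPLE_OU}") (targetattr != "cn || sn || uid") '
           f'(targetfilter ="(ou={group_name})") (version 3.0; acl "{acl_name}"; '
           f'allow (write) (groupdn = "ldap:///cn={group_name},{GROUPS_OU}");)')
    return f"dn: {PEOPLE_OU}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr_lowercase: [values]}}.
    Supports '#' comments and folded continuation lines (leading space); no base64."""
    entries, current = {}, []

    def flush():
        if not current:
            return
        attrs, dn = defaultdict(list), None
        for line in current:
            key, _, val = line.partition(":")
            key, val = key.strip().lower(), val.strip()
            if key == "dn":
                dn = val
            else:
                attrs[key].append(val)
        if dn is None:
            raise ValueError("LDIF entry without a dn line")
        entries[dn] = dict(attrs)
        current.clear()

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            flush()
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]  # continuation of the previous attribute line
        else:
            current.append(raw)
    flush()
    return entries


def validate_groups(entries):
    """Return problems that would make the group LDIF fail or misbehave: missing
    groupOfUniqueNames object class, members outside ou=People, duplicate members."""
    problems = []
    for dn, attrs in entries.items():
        if "uniquemember" not in attrs:
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofuniquenames" not in classes:
            problems.append(f"{dn}: missing objectclass groupOfUniqueNames")
        seen = set()
        for member in attrs["uniquemember"]:
            key = normalize_dn(member)
            if not key.endswith("," + normalize_dn(PEOPLE_OU)):
                problems.append(f"{dn}: member not under {PEOPLE_OU}: {member}")
            if key in seen:
                problems.append(f"{dn}: duplicate uniquemember {member}")
            seen.add(key)
    return problems


def direct_member_of(entries, member_dn):
    """Local equivalent of isDirectMemberOf: groups listing member_dn directly
    (nested groups are deliberately not followed)."""
    key = normalize_dn(member_dn)
    return sorted(dn for dn, attrs in entries.items()
                  if any(normalize_dn(m) == key for m in attrs.get("uniquemember", [])))


def aci_groups_missing(aci_ldif, entries):
    """Return groupdn targets in the ACI that are not among the parsed group
    entries; such an ACI matches nobody and silently grants nothing."""
    known = {normalize_dn(dn) for dn in entries}
    refs = re.findall(r'groupdn\s*=\s*"ldap:///([^"]+)"', aci_ldif)
    return [r for r in refs if normalize_dn(r) not in known]


if __name__ == "__main__":
    group_entries = parse_ldif(build_group_ldif(SAMPLE_GROUPS))
    print(validate_groups(group_entries) or "static-group.ldif looks sane")
    print(direct_member_of(group_entries, f"uid=user.14,{PEOPLE_OU}"))
    dev_aci = build_aci_ldif("Development", "Dev Group Permissions")
    print(aci_groups_missing(dev_aci, group_entries) or "ACI groupdn resolves to a created group")
```

Run the script before bin/ldapmodify: it writes nothing to the server, so a missing object class, a member DN outside ou=People, or an ACI that names a group the file never creates is caught while the LDIF is still a text file. The membership check intentionally stops at direct members, matching the non-nested semantics of isDirectMemberOf described above.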