  1. Open a text editor and create the group entries in LDIF. Make sure to include the groupOfUniqueNames object class and the uniquemember attributes. If ou=groups does not already exist in your server, you can add it in the same file. When done, save the file as static-group.ldif. The following example LDIF file creates two groups, cn=Development and cn=QA (entries are separated by a blank line, as LDIF requires).
    dn: ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: organizationalunit
    ou: groups

    dn: cn=Development,ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: Development
    ou: groups
    uniquemember: uid=user.14,ou=People,dc=example,dc=com
    uniquemember: uid=user.91,ou=People,dc=example,dc=com
    uniquemember: uid=user.180,ou=People,dc=example,dc=com

    dn: cn=QA,ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: QA
    ou: groups
    uniquemember: uid=user.0,ou=People,dc=example,dc=com
    uniquemember: uid=user.1,ou=People,dc=example,dc=com
    uniquemember: uid=user.2,ou=People,dc=example,dc=com
  2. Use ldapmodify to add the group entries to the server.
    $ bin/ldapmodify --defaultAdd --filename static-group.ldif
  3. Verify the configuration by using the isDirectMemberOf virtual attribute, which reports membership in non-nested groups. The virtual attribute is disabled by default; enable it with dsconfig.
    $ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
  4. Use ldapsearch to request the isDirectMemberOf virtual attribute explicitly and determine whether uid=user.14 is a member of the cn=Development group. In this example, assume that the administrator has the privilege to view operational attributes.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf
    dn: uid=user.14,ou=People,dc=example,dc=com
    isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
  5. Typically, you would want to use the group in access control instructions (ACIs) to grant rights to its members. Open a text editor, create an aci attribute in an LDIF file, and save the file as dev-group-aci.ldif. You can create a similar ACI for the QA group, which is not shown in this example. Note that a negated targetattr (!=) grants the listed rights on every attribute not named, so choose the excluded attributes carefully.
    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///ou=People,dc=example,dc=com")
      (targetattr != "cn || sn || uid")
      (targetfilter="(ou=Development)")
      (version 3.0; acl "Dev Group Permissions";
        allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)
  6. Add the file using the ldapmodify tool.
    $ bin/ldapmodify --filename dev-group-aci.ldif
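As an added example (not part of the original procedure or the server's own tooling), the following Python script checks a static-group LDIF file offline before it is loaded: it parses the entries and computes, for each member DN, the groups that list it directly, which is what isDirectMemberOf reports once the virtual attribute is enabled. The sample LDIF is constructed from the groups above, with one member DN deliberately written in different case and spacing to show why DNs must be normalized before comparison.

```python
# Constructed sample: the two static groups from the procedure, with one
# uniquemember DN written in a different case/spacing to exercise normalization.
STATIC_GROUP_LDIF = """\
dn: cn=Development,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Development
uniquemember: uid=user.14,ou=People,dc=example,dc=com
uniquemember: uid=user.91,ou=People,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: QA
uniquemember: uid=user.0,ou=People,dc=example,dc=com
uniquemember: UID=user.14, OU=People, DC=example, DC=com
"""

def normalize_dn(dn):
    # Simplified DN matching: attribute types and (case-insensitive) values are
    # lower-cased and whitespace around RDN separators is dropped.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts (attribute names lower-cased).
    Handles folded lines, comments and blank-line entry separators; base64 (::) values are not decoded."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold continuation lines
        if line.startswith("#"):
            continue
        if not line.strip():          # a blank line terminates the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def direct_memberships(entries):
    """Map normalized member DN -> DNs of the static groups that list it as uniquemember.
    Mirrors isDirectMemberOf: only explicit members count; nested groups are not expanded."""
    members = {}
    for e in entries:
        if "groupofuniquenames" in {c.lower() for c in e.get("objectclass", [])}:
            for m in e.get("uniquemember", []):
                members.setdefault(normalize_dn(m), []).append(e["dn"][0])
    return members
```

Run `direct_memberships(parse_ldif(open("static-group.ldif").read()))` against your own file to see every user's expected isDirectMemberOf values before adding the groups with ldapmodify.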