If your application only supports static groups but has scalability issues, then using a virtual static group could be a possible solution. A virtual static group uses a virtual attribute that is dynamically generated when called after which the operations that determine group membership are passed to another group, such as a dynamic group. You must use the ds-virtual-static-group object class and the ds-target-group-dn virtual attribute.

Virtual static groups are best used when determining if a single user is a member of a group. It is not a good solution if an application accesses the full list of group members due to the performance expense at constructing the list. If you have a small database and an application that requires that the full membership list be returned, you must also enable the allow-retrieving-membership property for the Virtual Static uniqueMember virtual attribute using the dsconfig tool.

To create a virtual static group:

  1. Open a text editor, and then create a group entry in LDIF. The entry contains the groupOfUniqueNames object class, but in place of the uniquemember attribute is the ds-target-group-dn virtual attribute, which is part of the ds-virtual-static-group auxiliary object class. When done, save the file as add-virtual-static-group.ldif.
    dn: cn=virtualstatic,ou=groups,dc=example,dc=com 
    objectclass: top 
    objectclass: groupOfUniqueNames 
    objectclass: ds-virtual-static-group
    ou: groups 
    cn: virtual static 
    ds-target-group-dn: cn=eng-staff,ou=groups,dc=example,dc=com
  2. Use ldapmodify to add the virtual static group entry to the server.
    $ bin/ldapmodify -h server1.example.com -p 389 -D "uid=admin,dc=example,dc=com" \
      -w password -a -f add-virtual-static-group.ldif
  3. Use dsconfig to enable the Virtual Static uniqueMember attribute, which is disabled by default.
    $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
      --set enabled:true
  4. In the previous section, we set up uid=user.0 to be part of the cn=eng-staff dynamic group. Use ldapsearch with the isMemberOf virtual attribute to determine if uid=user.0 is part of the virtual static group.
    $ bin/ldapsearch -h server1.example.com -p 389 -D "cn=Directory Manager" \
      -w secret -b dc=example,dc=com" "(uid=user.0)" isMemberOf
    dn: uid=user.0,ou=People,dc=example,dc=com 
    isMemberOf: cn=virtualstatic,ou=groups,dc=example,dc=com 
    isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
  5. Use ldapsearch to determine if uid=user.0 is a member of the virtual static group. You should see the returned cn=virtualstatic entry if successful.
    $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
      -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \ 
      "(&(objectclass=groupOfUniqueNames) \ 
      (uniquemember=uid=user.0,ou=People,dc=example,dc=com))"
  6. Next, try searching for a user that is not part of the cn=eng-staff dynamic group (e.g., uid=user.20), nothing will be returned.
    $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \ 
      -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \ 
      "(&(objectclass=groupOfUniqueNames) \
      (uniquemember=uid=user.20,ou=People,dc=example,dc=com))"