In many cases, electing to use virtual static groups in place of static groups can produce marked performance gains without any need to update client applications. The specifics of a migration to virtual static groups vary depending on the original DIT, but the general approach involves identifying common membership traits for all members of each group and then expressing those traits in the form of an LDAP URL.
In the following example, the common membership trait for all members of the All Users group is the parent DN ou=People,dc=example,dc=com. In other cases, a common attribute may need to be used. For example, groups based on the location of their members could use the l (location) or st (state) attribute.
In the following example, consider the common case of an "All Users" group, which contains all entries under the parent DN "ou=People,dc=example,dc=com". When implemented as a virtual static group, this group may have a large membership set without incurring the overhead of a static group.
To migrate DSEE static groups to virtual static groups:
First, create a dynamic group.
dn: cn=Dynamic All Users,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: Dynamic All Users
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
Next, create a virtual static group that references the dynamic group.
dn: cn=All Users,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: ds-virtual-static-group
cn: All Users
ds-target-group-dn: cn=Dynamic All Users,ou=Groups,dc=example,dc=com
The Virtual Static uniqueMember virtual attribute must be enabled to populate the All Users group with
$ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
  --set enabled:true
Confirm that the virtual static group is correctly configured by checking a user's membership in the group.
$ bin/ldapsearch --baseDN "cn=All Users,ou=Groups,dc=example,dc=com" \
  --searchScope base "(uniqueMember=uid=user.0,ou=People,dc=example,dc=com)" 1.1
dn: cn=All Users,ou=Groups,dc=example,dc=com
The ability to list all members of a virtual static group is disabled by default.
You may enable this feature, but only if specifically required by a client
$ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
  --set allow-retrieving-membership:true
Note: The virtual static group may also be implemented using the groupOfNames object class instead of groupOfUniqueNames. In that case, you must update the Virtual Static member configuration object instead of the Virtual Static uniqueMember configuration object.
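Because group membership often drives access control, it is worth confirming before cutover that the memberURL selects exactly the members of the static group it replaces. The following check is an added example, not part of the product documentation: the sample entries are constructed, the helper names are hypothetical, and filter evaluation is simplified to a single equality or presence filter with case-folded DN matching.

```python
from urllib.parse import unquote

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected a host-less ldap:/// URL")
    parts = url[len("ldap:///"):].split("?", 3)
    base, _attrs, scope, flt = (unquote(p) for p in parts + [""] * (4 - len(parts)))
    return base.lower(), scope or "base", flt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """Simplified DN test: case-folded suffix match, no escaped commas."""
    dn = dn.lower()
    if dn == base:
        return scope in ("base", "sub")
    below = dn[:-len(base) - 1] if dn.endswith("," + base) else ""
    return bool(below) and (scope == "sub" or (scope == "one" and "," not in below))

def matches(entry, flt):
    """Evaluate one (attr=value) or (attr=*) filter; compound filters rejected."""
    if flt[1:2] in ("&", "|", "!"):
        raise ValueError("compound filters are outside this sketch")
    attr, _, want = flt.strip("()").partition("=")
    have = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(have) if want == "*" else want.lower() in have

def membership_drift(static_members, member_url, entries):
    """Return (gained, lost): DNs the URL adds to or drops from the static list."""
    base, scope, flt = parse_member_url(member_url)
    dynamic = {dn.lower() for dn, e in entries.items()
               if in_scope(dn, base, scope) and matches(e, flt)}
    static = {dn.lower() for dn in static_members}
    return sorted(dynamic - static), sorted(static - dynamic)

# Constructed sample data (not from a real directory).
MEMBER_URL = "ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)"
ENTRIES = {
    "uid=user.0,ou=People,dc=example,dc=com": {"objectClass": ["top", "person"]},
    "uid=svc.backup,ou=People,dc=example,dc=com": {"objectClass": ["top", "person"]},
    "cn=printer,ou=People,dc=example,dc=com": {"objectClass": ["top", "device"]},
    "uid=admin,ou=Admins,dc=example,dc=com": {"objectClass": ["top", "person"]},
}
STATIC_MEMBERS = [  # uniqueMember values of the original static group
    "uid=user.0,ou=People,dc=example,dc=com",
    "uid=admin,ou=Admins,dc=example,dc=com",
]

if __name__ == "__main__":
    print("gained, lost:", membership_drift(STATIC_MEMBERS, MEMBER_URL, ENTRIES))
```

In practice ENTRIES and STATIC_MEMBERS would be loaded from an LDIF export of the directory; any DN reported as gained or lost should be reviewed before the virtual static group replaces the static one.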