You can configure a dynamic group in the same manner as static groups using an LDIF file. Unlike a static group, a dynamic group does not carry a fixed list of member DNs: its membership is determined by a search filter expressed as an LDAP URL. You must use the groupOfURLs object class and the memberURL attribute.

To create a dynamic group:

  1. Assume that uid=user.15 is not yet part of any group, and use ldapsearch to verify this. In a later step, we will add the user to the dynamic group.
    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" ou
    dn: uid=user.15,ou=People,dc=example,dc=com
  2. Assume for this example that uid=user.0 has an ou=Engineering attribute indicating that he or she is a member of the Engineering department.
    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.0)" ou isMemberOf
    dn: uid=user.0,ou=People,dc=example,dc=com
    ou: Engineering
  3. Open a text editor, and then create a dynamic group entry in LDIF. The LDIF defines the dynamic group to include all users who have the ou=Engineering attribute. When done, save the file as add-dynamic-group.ldif.
    dn: cn=eng-staff,ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfURLs
    ou: groups
    cn: eng-staff
    memberURL: ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)
  4. Use ldapmodify to add the group entry to the server.
    $ bin/ldapmodify --defaultAdd --filename add-dynamic-group.ldif
  5. Use ldapsearch to request the isMemberOf virtual attribute and determine whether uid=user.0 is now a member of the cn=eng-staff group or any other group.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" isMemberOf
    dn: uid=user.0,ou=People,dc=example,dc=com
    isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
  6. If your data is relatively small (under 1 million entries), you can search for all users in the group that meet the search criteria (ou=Engineering). For very large databases, a database-wide search for all members is not practical because of the load it places on the Directory Server. The following command returns the DNs of entries that are part of the cn=eng-staff dynamic group and sorts them in ascending order by the sn attribute.
    $ bin/ldapsearch --baseDN dc=example,dc=com --sortOrder sn \
      "(isMemberOf=cn=eng-staff,ou=groups,dc=example,dc=com)" dn
  7. Add uid=user.15 to the eng-staff group by adding an ou=Engineering attribute to the entry. This step highlights an advantage of dynamic groups: you can make a change in an entry without explicitly adding the DN to the group as you would with static groups. The entry will be automatically added to the eng-staff dynamic group.
    $ bin/ldapmodify
    dn: uid=user.15,ou=People,dc=example,dc=com
    changetype: modify
    add: ou
    ou: Engineering
  8. Use ldapsearch to confirm that the user is now part of the cn=eng-staff dynamic group.
    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" isMemberOf
    dn: uid=user.15,ou=People,dc=example,dc=com
    isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
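The following is an added example, not Directory Server code: it parses the memberURL from step 3 and evaluates its base, scope and filter against constructed in-memory entries, reproducing why step 7 makes uid=user.15 a member without touching the group entry, and why an entry outside the URL's base stays excluded even when it carries ou=Engineering. The function names and the ENTRIES data are assumptions made for the example; the filter grammar is limited to equality and presence assertions joined by &, | and !.

```python
"""Added example (not Directory Server code): evaluate a memberURL over constructed
in-memory entries the way the isMemberOf virtual attribute does."""
from urllib.parse import unquote

def norm_dn(dn):
    """Lower-case and strip whitespace around RDN separators so DNs compare equal."""
    return ",".join(rdn.strip() for rdn in dn.lower().split(","))

def parse_member_url(url):
    """Split an RFC 4516 URL ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    _host, _, rest = url[len("ldap://"):].partition("/")
    base, _attrs, scope, flt = (unquote(p) for p in (rest.split("?", 3) + [""] * 3)[:4])
    return norm_dn(base), (scope or "base").lower(), flt or "(objectClass=*)"

def in_scope(entry_dn, base, scope):
    """True when entry_dn lies within base for search scope base, one or sub."""
    dn = norm_dn(entry_dn)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)          # sub

def matches(flt, entry):
    """Evaluate a parenthesised filter against {attr: [values]}, case-insensitively."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":                    # compound: evaluate each top-level operand
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(matches(body[start:i + 1], entry))
                start = i + 1
        return not subs[0] if body[0] == "!" else all(subs) if body[0] == "&" else any(subs)
    attr, _, value = body.partition("=")
    vals = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(vals) if value == "*" else value.lower() in vals

def is_member_of(entry_dn, entry, member_url):
    """Would the server list member_url's group in this entry's isMemberOf?"""
    base, scope, flt = parse_member_url(member_url)
    return in_scope(entry_dn, base, scope) and matches(flt, entry)

ENG_STAFF = "ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)"
ENTRIES = {   # constructed sample data mirroring the steps above
    "uid=user.0,ou=People,dc=example,dc=com": {"uid": ["user.0"], "ou": ["Engineering"]},
    "uid=user.15,ou=People,dc=example,dc=com": {"uid": ["user.15"]},
    "uid=ext.1,ou=Contractors,dc=example,dc=com": {"uid": ["ext.1"], "ou": ["Engineering"]},
}
```

Because membership follows the filtered attribute, write access to ou on entries under the URL's base is effectively the right to grant eng-staff membership, so it deserves the same access-control review as the group entry itself.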