The existence of static, nested, dynamic, and virtual static groups can make it complex to work with groups in the server because the ways you interact with them are so different. Static groups can use three different structural object classes, not counting the auxiliary class for virtual static groups, which can further complicate things. PingDirectory Server's virtual attributes simplify the group-related determination process for consistency across all types of groups.

The value of the isMemberOf virtual attribute is a list of distinguished names (DNs) of all groups, including static, nested, dynamic, and virtual static groups, in which the associated user is a member. The value of the isDirectMemberOf virtual attribute is a subset of the values of isMemberOf, which represents the groups for which the entry is an explicit or direct member. Both are enabled by default.

Because isMemberOf and isDirectMemberOf are operational attributes, only users who have been granted the privilege can see them. The default set of access control rules do not allow any level of access to user data. The only access that is granted is what is included in user-defined access control rules, which is generally given to a uid=admin administrator account. You should restrict access to operational and non-operational attributes to the minimal set of users that need to see them. The root bind DN, cn=Directory Manager, has the privilege to view operational attributes by default.

Determine if a user is a member of a specified group

To determine if a user is a member of a specified group using the isMemberOf virtual attribute, perform a base-level search against the user's entry with an equality filter targeting the isMemberOf attribute with a value that is the DN of the target group. The following table illustrates this base-level search.

Base DN

uid=john.doe,ou=People,dc=example,dc=com

Scope

base

Filter

(isMemberOf=cn=Test Group,ou=Groups,dc=example,dc=com)

Requested Attributes

1.1

If this search returns an entry, then the user is a member of the specified group. If no entry is returned, then the user is not a member of the given group.

Determine the set of all groups in which a user is a member

To determine the set of all groups in which a user is a member, retrieve the user's entry with a base-level search and include the isMemberOf attribute.

Base DN

uid=john.doe,ou=People,dc=example,dc=com

Scope

base

Filter

(objectclass=*)

Requested attributes

isMemberOf

Determine the set of all members for a specified group

To determine the set of all members for a specified group, issue a subtree search with an equality filter targeting the isMemberOf attribute with a value that is the DN of the target group and requesting the attributes you wish to have for member entries.

Base DN

ou=People,dc=example,dc=com

Scope

sub

Filter

(isMemberOf=cn=Test Group,ou=Groups,dc=example,dc=com)

Requested Attributes

cn, mail

The isDirectMemberOf virtual attribute can be used in the previous examples in place of isMemberOf if you only need to find groups that users are an actual member of. You must use isMemberOf for nested group membership.

Note:

If this filter targets a dynamic group using an unindexed search, then this might be an expensive operation. However, it is not more expensive than retrieving the target group and then issuing a search based on information contained in the member URL.

For static groups, this approach has the added benefit of using a single search to retrieve information from all user entries. Otherwise, it would be required to retrieve the static group and then perform a separate search for each member's entry.