PingDirectory Server can generate either isMemberOf or isDirectMemberOf virtual attributes in user entries.
The existence of static, nested, dynamic, and virtual static groups can make it complex to work with groups in the server because the ways you interact with them are so different. Static groups can use three different structural object classes, not counting the auxiliary class for virtual static groups, which can further complicate things. PingDirectory Server's virtual attributes simplify the group-related determination process for consistency across all types of groups.
The value of the isMemberOf virtual attribute is a list of distinguished names (DNs) of all groups, including static, nested, dynamic, and virtual static groups, in which the associated user is a member. The value of the isDirectMemberOf virtual attribute is a subset of the values of isMemberOf, which represents the groups for which the entry is an explicit or direct member. Both are enabled by default.
Because isMemberOf and isDirectMemberOf are operational attributes, only users who have been granted the privilege can see them. The default set of access control rules does not allow any level of access to user data. The only access that is granted is what is included in user-defined access control rules, which is generally given to a uid=admin administrator account. You should restrict access to operational and non-operational attributes to the minimal set of users that need to see them. The root bind DN, cn=Directory Manager, has the privilege to view operational attributes by default.
Determine if a user is a member of a specified group
To determine if a user is a member of a specified group using the isMemberOf virtual attribute, perform a base-level search against the user's entry with an equality filter targeting the isMemberOf attribute with a value that is the DN of the target group. The following table illustrates this base-level search.
Base DN |
Scope |
Filter |
Requested Attributes |
If this search returns an entry, then the user is a member of the specified group. If no entry is returned, then the user is not a member of the given group.
Determine the set of all groups in which a user is a member
To determine the set of all groups in which a user is a member, retrieve the user's entry with a base-level search and include the isMemberOf attribute.
Base DN |
Scope |
Filter |
Requested Attributes |
Determine the set of all members for a specified group
To determine the set of all members for a specified group, issue a subtree search with an equality filter targeting the isMemberOf attribute with a value that is the DN of the target group, requesting the attributes you wish to have for member entries.
Base DN |
Scope |
Filter |
Requested Attributes |
The isDirectMemberOf virtual attribute can be used in the previous examples in place of isMemberOf if you only need the groups of which users are direct members. You must use isMemberOf for nested group membership.
If this filter targets a dynamic group using an unindexed search, then this might be an expensive operation. However, it is not more expensive than retrieving the target group and then issuing a search based on information contained in the member URL.
For static groups, this approach has the added benefit of using a single search to retrieve information from all user entries. Otherwise, it would be required to retrieve the static group and then perform a separate search for each member's entry.
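As an added example (not PingDirectory's own code or API), the three searches above expressed in standard-library Python: each builder returns the base DN, scope, filter and requested attributes; the group DN is escaped per RFC 4515 so that filter metacharacters in a DN cannot change the filter's meaning; and a small evaluator over constructed sample entries (hypothetical DNs) shows how isMemberOf and isDirectMemberOf differ for a nested membership.

```python
import re
# RFC 4515 escaping for filter assertion values: a group DN containing
# '*', '(', ')' or '\' must not be able to change the filter's structure.
FILTER_SPECIALS = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}

def escape_filter_value(value):
    return "".join(FILTER_SPECIALS.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def membership_check(user_dn, group_dn, attr="isMemberOf"):
    """Search 1: base-level search on the user's entry; an entry is returned only
    if the user is in the group. '1.1' (RFC 4511) asks for no attributes."""
    return {"base": user_dn, "scope": "base",
            "filter": f"({attr}={escape_filter_value(group_dn)})", "attrs": ["1.1"]}

def all_groups(user_dn, attr="isMemberOf"):
    """Search 2: read the user's entry and request the virtual attribute."""
    return {"base": user_dn, "scope": "base", "filter": "(objectClass=*)", "attrs": [attr]}

def group_members(search_base, group_dn, attrs=("uid",), attr="isMemberOf"):
    """Search 3: subtree search for every entry whose attr names the group."""
    return {"base": search_base, "scope": "sub",
            "filter": f"({attr}={escape_filter_value(group_dn)})", "attrs": list(attrs)}

# Constructed sample entries (hypothetical DNs) standing in for server responses;
# jdoe is in "All Staff" only through nesting, so isDirectMemberOf omits it.
ADMINS = "cn=Admins,ou=Groups,dc=example,dc=com"
STAFF = "cn=All Staff,ou=Groups,dc=example,dc=com"
JDOE = "uid=jdoe,ou=People,dc=example,dc=com"
ASMITH = "uid=asmith,ou=People,dc=example,dc=com"
DIRECTORY = {
    JDOE: {"uid": ["jdoe"], "isMemberOf": [ADMINS, STAFF], "isDirectMemberOf": [ADMINS]},
    ASMITH: {"uid": ["asmith"], "isMemberOf": [STAFF], "isDirectMemberOf": [STAFF]},
}

def run_search(req, directory=DIRECTORY):
    """Tiny stand-in for the server: base/sub scope plus one presence or equality
    filter. Compares DNs as exact strings; a real server uses distinguishedNameMatch."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", req["filter"]).groups()
    value = unescape_filter_value(value)
    results = {}
    for dn, entry in directory.items():
        in_scope = dn == req["base"] or (req["scope"] == "sub" and dn.endswith("," + req["base"]))
        is_presence = attr == "objectClass" and value == "*"
        if in_scope and (is_presence or value in entry.get(attr, [])):
            results[dn] = {a: entry[a] for a in req["attrs"] if a in entry}
    return results
```

The evaluator only models the search semantics the page describes; against a real server the same four request parameters would be passed to an LDAP client and the returned entries inspected the same way.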