To create a static group:

  1. Open a text editor and create a group entry in LDIF.
    1. Include the groupOfUniquenames object class and uniquemember attributes.
    2. Optional: If you did not have ou=groups set up in your server, add it in the same file.
    3. Save the file.

    In the following example, the file is named static-group.ldif.

    This example LDIF file creates two groups: cn=Development and cn=QA.

    dn: ou=groups,dc=example,dc=com 
    objectclass: top 
    objectclass: organizationalunit 
    ou: groups
    
    dn: cn=Development,ou=groups,dc=example,dc=com
    objectclass: top 
    objectclass: groupOfUniqueNames 
    cn: Development
    ou: groups 
    uniquemember: uid=user.14,ou=People,dc=example,dc=com 
    uniquemember: uid=user.91,ou=People,dc=example,dc=com 
    uniquemember: uid=user.180,ou=People,dc=example,dc=com
    
    dn: cn=QA,ou=groups,dc=example,dc=com
    objectclass: top 
    objectclass: groupOfUniqueNames 
    cn: QA
    ou: groups 
    uniquemember: uid=user.0,ou=People,dc=example,dc=com 
    uniquemember: uid=user.1,ou=People,dc=example,dc=com 
    uniquemember: uid=user.2,ou=People,dc=example,dc=com
  2. To add the group entries to the server, use the ldapmodify tool.
    $ bin/ldapmodify --defaultAdd --filename static-group.ldif
  3. To verify the configuration, use the virtual attribute isDirectMemberOf that checks membership for a non-nested group.

    The virtual attribute is disabled by default, but you can enable it using dsconfig.

    $ bin/dsconfig set-virtual-attribute-prop --name isDirectMemberOf --set enabled:true
  4. To determine if a user is a member of a certain group, use ldapsearch to search the isDirectMemberOf virtual attribute.

    This example inquires if uid=user.14 is a member of the cn=Development group.

    This example assumes that the administrator has the privilege to view operational attributes.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isDirectMemberOf
    dn: uid=user.14,ou=People,dc=example,dc=com 
    isDirectMemberOf: cn=Development,ou=groups,dc=example,dc=com
  5. Use the group as a target in access control instructions (ACI).
    1. Open a text editor and create an aci attribute in an LDIF file.
    2. Save the file.
    3. To add the file, use the ldapmodify tool.

    In this example, the file is named dev-group-aci.ldif.

    dn: ou=People,dc=example,dc=com 
    changetype: modify 
    add: aci 
    aci: (target ="ldap:///ou=People,dc=example,dc=com")
      (targetattr != "cn || sn || uid")
      (targetfilter ="(ou=Development)")
      (version 3.0; acl "Dev Group Permissions";
        allow (write) (groupdn = "ldap:///cn=Development,ou=groups,dc=example,dc=com");)
    Note:

    You can create a similar ACI for the QA group, which is not shown in the previous example, but is shown in the example for step 1.

  6. To add the file, use the ldapmodify tool.
    $ bin/ldapmodify --filename dev-group-aci.ldif