Dynamic groups do not store a member list; their membership is determined by a search filter expressed as an LDAP URL. A dynamic group entry must use the groupOfURLs object class and carry the memberURL attribute that holds that URL.

  1. Use ldapsearch to verify that uid=user.15 is not part of any group.
    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" ou
    dn: uid=user.15,ou=People,dc=example,dc=com
    1. Assume that uid=user.15 is not part of any group.

      You add the user to the dynamic group in a later step.
    2. Assume for this example that uid=user.0 has an ou=Engineering attribute indicating that he or she is a member of the engineering department.
      $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.0)" ou isMemberOf
      dn: uid=user.0,ou=People,dc=example,dc=com
      ou: Engineering
  2. Open a text editor, and then create a dynamic group entry in LDIF. Save the file as add-dynamic-group.ldif.

    The LDIF defines the dynamic group to include all users who have the ou=Engineering attribute.

    dn: cn=eng-staff,ou=groups,dc=example,dc=com
    objectclass: top
    objectclass: groupOfURLs
    ou: groups
    cn: eng-staff
    memberURL: ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)
  3. Use ldapmodify to add the group entry to the server.
    $ bin/ldapmodify --defaultAdd --filename add-dynamic-group.ldif
  4. Use ldapsearch to specifically search the isMemberOf virtual attribute to determine if uid=user.0 is a member of the cn=Engineering group or any other group.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" isMemberOf
    dn: uid=user.0,ou=People,dc=example,dc=com
    isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
  5. Run the following command to return the DNs of entries that are part of the cn=eng-staff dynamic group and sort them in ascending order by the sn attribute.

    If your data is relatively small (under 1 million entries), you can search for all users in the group that meet the search criteria (ou=Engineering). For larger databases, it is not practical to run a database-wide search for all users as there can be a performance hit on the PingDirectory server.

    $ bin/ldapsearch --baseDN dc=example,dc=com --sortOrder sn \
      "(isMemberOf=cn=eng-staff,ou=groups,dc=example,dc=com)" dn
  6. Add uid=user.15 to the eng-staff group by adding an ou=Engineering attribute to the entry.

    This step highlights an advantage of dynamic groups: you can make a change in an entry without explicitly adding the DN to the group as you would with static groups. The entry is automatically added to the eng-staff dynamic group.

    $ bin/ldapmodify
    dn: uid=user.15,ou=People,dc=example,dc=com
    changetype: modify
    add: ou
    ou: Engineering
  7. Use ldapsearch to check if the user is part of the cn=eng-staff dynamic group.
    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope sub "(uid=user.15)" isMemberOf
    dn: uid=user.15,ou=People,dc=example,dc=com
    isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
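The following added example (example code, not part of PingDirectory or of this procedure) models what the server does in steps 4 through 7: it parses the memberURL as an RFC 4516 LDAP URL, applies its base DN, scope and filter to a constructed set of entries, and derives the virtual isMemberOf value, so that adding ou=Engineering to an entry makes it a member without touching the group. The filter evaluator, the scope check and the sample entries are assumptions; the evaluator handles only equality, presence and &, |, ! filters, and the scope check assumes no escaped commas in DNs.

```python
# Offline model of a groupOfURLs group: parse the memberURL, apply base/scope/filter.
from urllib.parse import unquote

def parse_member_url(url):
    # ldap:///<base>?<attrs>?<scope>?<filter>; an empty host means this server.
    assert url.startswith("ldap:///"), "memberURL must be an ldap:/// URL"
    parts = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    base, _attrs, scope, filt = (unquote(p) for p in parts)
    return base.lower(), (scope or "base").lower(), filt or "(objectClass=*)"

def dn_in_scope(dn, base, scope):
    # Depth below the base DN decides base/one/sub (assumes no escaped commas).
    dn, depth = dn.lower(), dn.count(",") - base.count(",")
    return ("," + dn).endswith("," + base) and \
        {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def split_subfilters(s):
    # "(a=1)(!(b=2))" -> ["(a=1)", "(!(b=2))"], respecting nesting.
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            out.append(s[start:i + 1]); start = i + 1
    return out

def match_filter(entry, filt):
    # Minimal evaluator: equality, presence (attr=*) and &, |, ! nesting.
    body = filt.strip()[1:-1]
    if body[0] in "&|!":
        subs = [match_filter(entry, f) for f in split_subfilters(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](subs)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def dynamic_members(entries, member_url):
    base, scope, filt = parse_member_url(member_url)
    return sorted(dn for dn, attrs in entries.items()
                  if dn_in_scope(dn, base, scope) and match_filter(attrs, filt))

def is_member_of(entries, groups, dn):
    # The virtual isMemberOf attribute: every group whose memberURL matches dn.
    return sorted(g for g, url in groups.items() if dn in dynamic_members(entries, url))

ENTRIES = {  # constructed sample entries; attribute names are lowercased keys
    "uid=user.0,ou=People,dc=example,dc=com": {"ou": ["Engineering"], "sn": ["Zed"]},
    "uid=user.15,ou=People,dc=example,dc=com": {"sn": ["Adams"]},
}
GROUPS = {"cn=eng-staff,ou=groups,dc=example,dc=com":
          "ldap:///ou=People,dc=example,dc=com??sub?(ou=Engineering)"}
```

Because membership follows attribute values, anyone permitted to write ou on an entry under the URL's base can place that entry in the group, so access control on that attribute is what actually bounds the group.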