Page created: 6 Nov 2019 | Page updated: 25 Mar 2020
Dynamic groups contain a set of criteria used to identify members rather than maintaining an explicit list of group members. If a new user entry is created or if an existing entry is modified so that it matches the membership criteria, then the user will be considered a member of the dynamic group. Similarly, if a member’s entry is deleted or if it is modified so that it no longer matches the group criteria, then the user will no longer be considered a member of the dynamic group.
In the Directory Server, dynamic groups include the groupOfURLs structural object class and use the memberURL attribute to provide an LDAP URL that defines the membership criteria. The base, scope, and filter of the LDAP URL are used to determine membership, and any other elements present in the URL are ignored. For example, the following entry defines a dynamic group in which all users below dc=example,dc=com with an employeeType value of contractor will be considered members of the group:

    dn: cn=Sales Group,ou=groups,dc=example,dc=com
    objectClass: top
    objectClass: groupOfURLs
    cn: Sales Group
    memberURL: ldap:///dc=example,dc=com??sub?(employeeType=contractor)

Assuming that fewer than 80,000 entries have an employeeType of contractor, you need to create the following index definition to evaluate the dynamic group:

    $ bin/dsconfig create-local-db-index --backend-name userRoot \
      --index-name employeeType --set index-entry-limit:80000 \
      --set index-type:equality
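
The membership rule described above (only the base, scope, and filter of the memberURL count), shown as an added Python example that is not Directory Server code. The entries, the second URL, the simplified DN handling, and the case-insensitive value matching are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

def norm_dn(dn):
    # Simplified DN handling (assumption): no escaped commas or multi-valued RDNs.
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def parse_member_url(url):
    """Keep only base, scope and filter; host, attributes and extensions are dropped."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL")
    _host, _, rest = url[len("ldap://"):].partition("/")
    base, _attrs, scope, flt = (unquote(p) for p in (rest.split("?") + [""] * 4)[:4])
    scope = (scope or "base").lower()  # RFC 4516 default scope is "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unsupported scope: " + scope)
    return norm_dn(base), scope, flt or "(objectClass=*)"

def in_scope(entry_rdns, base, scope):
    depth = len(entry_rdns) - len(base)
    if depth < 0 or entry_rdns[depth:] != base:
        return False  # entry is not at or below the base DN
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def matches_filter(attrs, flt):
    # Handles only (attr=value) and (attr=*); case-insensitive match is an assumption.
    m = re.fullmatch(r"\(([\w;-]+)=(\*|[^()*]*)\)", flt)
    if not m:
        raise ValueError("only simple equality/presence filters are handled")
    name, want = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for k, vs in attrs.items() if k.lower() == name for v in vs]
    return bool(values) if want == "*" else want in values

def is_member(dn, attrs, member_url):
    base, scope, flt = parse_member_url(member_url)
    return in_scope(norm_dn(dn), base, scope) and matches_filter(attrs, flt)

GROUP_URL = "ldap:///dc=example,dc=com??sub?(employeeType=contractor)"
# Constructed variant: same criteria plus a host, attribute list and extension.
NOISY_URL = ("ldap://ds.example.com:389/dc=example,dc=com"
             "?cn,mail?sub?(employeeType=contractor)?x-demo=1")
ENTRIES = {  # constructed sample entries
    "uid=alice,ou=people,dc=example,dc=com": {"employeeType": ["contractor"]},
    "uid=bob,ou=people,dc=example,dc=com": {"employeeType": ["employee"]},
    "uid=carol,ou=people,dc=other,dc=com": {"employeeType": ["contractor"]},
}

def members(url, entries=ENTRIES):
    return sorted(dn for dn, attrs in entries.items() if is_member(dn, attrs, url))

if __name__ == "__main__":
    print(members(GROUP_URL), members(NOISY_URL) == members(GROUP_URL))
```

Because membership follows the entry's attributes, write access to employeeType in this example is effectively write access to the group, so attribute-level access control deserves the same review as the group entry itself.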