<?xml version="1.0" encoding="UTF-8"?>
<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2014 ForgeRock AS
 !
-->
<chapter xml:id='chap-groups'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook
 http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Working With Groups of Entries</title>

 <para>OpenDJ supports several methods of grouping entries in the directory.
 Static groups list their members, whereas dynamic groups look up their
 membership based on an LDAP filter. OpenDJ also supports virtual static
 groups, which use a dynamic group style definition but allow applications
 to list group members as if the group were static.</para>

 <para>When listing entries in static groups, you must also have a mechanism
 for removing entries from the list when they are deleted or modified in ways
 that end their membership. OpenDJ makes that possible with its
 <emphasis>referential integrity</emphasis> functionality.</para>

 <para>This chapter demonstrates how to work with groups.</para>

 <tip>
 <para>The examples in this chapter assume that an
 <literal>ou=Groups,dc=example,dc=com</literal> entry already exists. If you
 imported data from <link xlink:href="http://opendj.forgerock.org/Example.ldif"
 xlink:show="new">Example.ldif</link>, then you already have the entry. If you
 generated data during setup and did not create an organizational unit for
 groups yet, create the entry before you try the examples.</para>

 <screen>
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Groups
</userinput>
<computeroutput>Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com</computeroutput>
 </screen>
 </tip>

 <section xml:id="static-groups">
 <title>Creating Static Groups</title>
 <indexterm>
 <primary>Groups</primary>
 <secondary>Static</secondary>
 </indexterm>

 <para>A <firstterm>static group</firstterm> is expressed as an entry
 that enumerates all the entries that belong to the group. Static group
 entries grow as their membership increases.</para>

 <para>Static group entries can take the standard object class
 <literal>groupOfNames</literal>, where each <literal>member</literal>
 attribute value is the distinguished name of an entry, or
 <literal>groupOfUniqueNames</literal>, where each
 <literal>uniqueMember</literal> attribute value has Name and Optional UID
 syntax.<footnote><para>Name and Optional UID syntax values are a DN optionally
 followed by <literal>#<replaceable>BitString</replaceable></literal>. The
 <replaceable>BitString</replaceable>, such as <literal>'0101111101'B</literal>,
 serves to distinguish the entry from another entry having the same DN, which
 can occur when the original entry was deleted and a new entry created with the
 same DN.</para></footnote> Like other LDAP attributes,
 <literal>member</literal> and <literal>uniqueMember</literal> attributes take
 sets of unique values.</para>

 <para>Static group entries can also have the object class
 <literal>groupOfEntries</literal>, which is like
 <literal>groupOfNames</literal> except that it is designed to allow
 groups to have no members.</para>

 <para>When creating a group entry, use <literal>groupOfNames</literal> or
 <literal>groupOfEntries</literal> where possible.</para>

 <para>To create a static group, add a group entry such as the following
 to the directory.</para>

 <screen>
$ <userinput>cat static.ldif</userinput>
<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
cn: My Static Group
objectClass: groupOfNames
objectClass: top
ou: Groups
member: uid=ahunter,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com
</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename static.ldif</userinput>
<computeroutput>Processing ADD request for cn=My Static Group,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=My Static Group,ou=Groups,dc=example,dc=com</computeroutput>
 </screen>

 <para>To change group membership, modify the values of the membership
 attribute.</para>

 <screen>
$ <userinput>cat add2grp.ldif</userinput>
<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=scarter,ou=People,dc=example,dc=com
</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename add2grp.ldif</userinput>
<computeroutput>Processing MODIFY request for cn=My Static Group,ou=Groups,dc=example,dc=com
MODIFY operation successful for DN
 cn=My Static Group,ou=Groups,dc=example,dc=com
</computeroutput>

$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(cn=My Static Group)"</userinput>
<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: groupOfNames
objectClass: top
member: uid=ahunter,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com
member: uid=scarter,ou=People,dc=example,dc=com
cn: My Static Group</computeroutput>
 </screen>

 <para>RFC 4519 says a <literal>groupOfNames</literal> entry must have
 at least one member. Although OpenDJ allows you to create a
 <literal>groupOfNames</literal> without members, strictly speaking that
 behavior is not standard. Alternatively, you can use the
 <literal>groupOfEntries</literal> object class as shown in the following
 example.</para>

 <screen>
$ <userinput>cat group-of-entries.ldif</userinput>
<computeroutput>dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
cn: Initially Empty Static Group
objectClass: groupOfEntries
objectClass: top
ou: Groups
</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename group-of-entries.ldif</userinput>
<computeroutput>Processing ADD request for
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
ADD operation successful for DN
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
</computeroutput>

$ <userinput>cat add-members.ldif</userinput>
<computeroutput># Now add some members to the group.
dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=ahunter,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com
member: uid=scarter,ou=People,dc=example,dc=com
</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename add-members.ldif</userinput>
<computeroutput>Processing MODIFY request for
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
MODIFY operation successful for DN
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com</computeroutput>
 </screen>
 </section>

 <section xml:id="dynamic-groups">
 <title>Creating Dynamic Groups</title>
 <indexterm>
 <primary>Groups</primary>
 <secondary>Dynamic</secondary>
 </indexterm>

 <para>A <firstterm>dynamic group</firstterm> specifies members using
 LDAP URLs. Dynamic group entries can stay small even as their
 membership increases.</para>

 <para>Dynamic group entries take the <literal>groupOfURLs</literal>
 object class, with one or more <literal>memberURL</literal> values
 specifying LDAP URLs to identify group members.</para>

 <para>To create a dynamic group, add a group entry such as the following to
 the directory.</para>

 <para>The following example builds a dynamic group of the entries that
 effectively match the filter <literal>"(l=Cupertino)"</literal> (users whose
 location is Cupertino). If your data is different and no entries have
 <literal>l: Cupertino</literal>, change the filter accordingly.</para>

 <screen>
$ <userinput>cat dynamic.ldif</userinput>
<computeroutput>dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
cn: My Dynamic Group
objectClass: top
objectClass: groupOfURLs
ou: Groups
memberURL: ldap:///ou=People,dc=example,dc=com??sub?l=Cupertino
</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename dynamic.ldif</userinput>
<computeroutput>Processing ADD request for cn=My Dynamic Group,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
 </screen>

 <para>Group membership changes dynamically as entries change to match the
 <literal>memberURL</literal> values.</para>

 <screen width="81">
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(&amp;(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \
 mail</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com

dn: uid=rjensen,ou=People,dc=example,dc=com
mail: rjensen@example.com
</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
replace: l
l: Cupertino
</userinput>
<computeroutput>Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com</computeroutput>
<userinput>^D</userinput>

$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(&amp;(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \
 mail</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
mail: ajensen@example.com

dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com

dn: uid=rjensen,ou=People,dc=example,dc=com
mail: rjensen@example.com</computeroutput>
 </screen>
 </section>

 <section xml:id="virtual-static-groups">
 <title>Creating Virtual Static Groups</title>
 <indexterm>
 <primary>Groups</primary>
 <secondary>Virtual static</secondary>
 </indexterm>

 <para>OpenDJ lets you create <firstterm>virtual static groups</firstterm>,
 which let applications read dynamic groups as if they were static
 groups.</para>

 <para>A virtual static group entry takes the auxiliary object class
 <literal>ds-virtual-static-group</literal> together with either
 <literal>groupOfNames</literal> or <literal>groupOfUniqueNames</literal>.
 Instead of <literal>member</literal> or <literal>uniqueMember</literal>
 attributes, however, the entry has <literal>ds-target-group-dn</literal>
 attributes pointing to other groups.</para>

 <para>Generating the list of members can be resource intensive for large
 groups, so by default you cannot retrieve the list of members. You can
 change this with the <command>dsconfig</command> command by setting the
 <literal>allow-retrieving-membership</literal> property of the
 <literal>Virtual Static member</literal> or
 <literal>Virtual Static uniqueMember</literal> virtual attribute.</para>

 <screen>
$ <userinput>dsconfig \
 set-virtual-attribute-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --name "Virtual Static member" \
 --set allow-retrieving-membership:true \
 --trustAll \
 --no-prompt</userinput>
 </screen>

 <para>The following example creates a virtual static group, and reads the
 group entry with all members.</para>

 <screen>
$ <userinput>cat virtual.ldif</userinput>
<computeroutput>dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
cn: Virtual Static
objectclass: top
objectclass: groupOfNames
objectclass: ds-virtual-static-group
ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename virtual.ldif</userinput>
<computeroutput>Processing ADD request for cn=Virtual Static,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=Virtual Static,ou=Groups,dc=example,dc=com</computeroutput>

$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=Virtual Static)"</userinput>
<computeroutput>dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: ds-virtual-static-group
objectClass: top
member: uid=jwalker,ou=People,dc=example,dc=com
member: uid=jmuffly,ou=People,dc=example,dc=com
member: uid=tlabonte,ou=People,dc=example,dc=com
member: uid=dakers,ou=People,dc=example,dc=com
member: uid=jreuter,ou=People,dc=example,dc=com
member: uid=rfisher,ou=People,dc=example,dc=com
member: uid=pshelton,ou=People,dc=example,dc=com
member: uid=rjensen,ou=People,dc=example,dc=com
member: uid=jcampaig,ou=People,dc=example,dc=com
member: uid=mjablons,ou=People,dc=example,dc=com
member: uid=mlangdon,ou=People,dc=example,dc=com
member: uid=aknutson,ou=People,dc=example,dc=com
member: uid=bplante,ou=People,dc=example,dc=com
member: uid=awalker,ou=People,dc=example,dc=com
member: uid=smason,ou=People,dc=example,dc=com
member: uid=ewalker,ou=People,dc=example,dc=com
member: uid=dthorud,ou=People,dc=example,dc=com
member: uid=btalbot,ou=People,dc=example,dc=com
member: uid=tcruse,ou=People,dc=example,dc=com
member: uid=kcarter,ou=People,dc=example,dc=com
member: uid=aworrell,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=ajensen,ou=People,dc=example,dc=com
member: uid=cwallace,ou=People,dc=example,dc=com
member: uid=mwhite,ou=People,dc=example,dc=com
member: uid=kschmith,ou=People,dc=example,dc=com
member: uid=mtalbot,ou=People,dc=example,dc=com
member: uid=tschmith,ou=People,dc=example,dc=com
member: uid=gfarmer,ou=People,dc=example,dc=com
member: uid=speterso,ou=People,dc=example,dc=com
member: uid=prose,ou=People,dc=example,dc=com
member: uid=jbourke,ou=People,dc=example,dc=com
member: uid=mtyler,ou=People,dc=example,dc=com
member: uid=abergin,ou=People,dc=example,dc=com
member: uid=mschneid,ou=People,dc=example,dc=com
cn: Virtual Static
ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
 </screen>
 </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="group-membership">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Looking Up Group Membership</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>Groups</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Membership</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ lets you look up which groups a user belongs to by using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>isMemberOf</literal> attribute.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=bjensen \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark isMemberOf</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkisMemberOf: cn=My Static Group,ou=Groups,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkisMemberOf: cn=Virtual Static,ou=Groups,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkisMemberOf: cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para><literal>isMemberOf</literal> is not returned by default, so you must
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark request it explicitly, as in the search above.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="referential-integrity">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Configuring Referential Integrity</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <primary>Groups</primary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Referential integrity</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When you delete or rename an entry that belongs to static groups, that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entry's DN must be removed or changed in the list of each group to which it
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark belongs. You can configure OpenDJ to resolve membership on your behalf after
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the change operation succeeds by enabling referential integrity.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Referential integrity functionality is implemented as a plugin. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark referential integrity plugin is disabled by default. To enable the plugin,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark use the <command>dsconfig</command> command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-plugin-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --plugin-name "Referential Integrity" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>With the plugin enabled, you can see OpenDJ referential integrity
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark resolving group membership automatically.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkou: Groups
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: groupOfNames
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmember: uid=ahunter,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmember: uid=bjensen,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmember: uid=tmorris,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmember: uid=scarter,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: My Static Group
08248b5c5b494aff8d1922e8e0b5777796d7450dmark</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapdelete \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=scarter,ou=People,dc=example,dc=com</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing DELETE request for uid=scarter,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkDELETE operation successful for DN uid=scarter,ou=People,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkou: Groups
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: groupOfNames
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: My Static Group
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmember: uid=ahunter,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmember: uid=bjensen,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkmember: uid=tmorris,ou=People,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default the referential integrity plugin is configured to manage
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>member</literal> and <literal>uniqueMember</literal> attributes.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark These attributes take values that are DNs, and are indexed for equality by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark default. Before you add an additional attribute to manage, make sure that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark it has DN syntax and that it is indexed for equality. OpenDJ requires that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the attribute be indexed because an unindexed search for integrity would
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark potentially consume too many of the server's resources. Attribute syntax is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark explained in the chapter on <link xlink:href="admin-guide#chap-schema"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"><citetitle
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >Managing Schema</citetitle></link>. For instructions on indexing attributes,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark see the section on <link xlink:href="admin-guide#configure-indexes"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"><citetitle
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >Configuring &amp; Rebuilding Indexes</citetitle></link>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can also configure the referential integrity plugin to check that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark DNs added as group members refer to entries that actually exist in the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark directory by setting the <literal>check-references</literal> property to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>true</literal>. Once the check is active, you can specify additional
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark criteria. To require that member entries match a filter, set
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>check-references-filter-criteria</literal> to identify the attribute
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and the filter. For example, you can require that group members be person
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entries by setting <literal>check-references-filter-criteria</literal> to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>member:(objectclass=person)</literal>. To require that member
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entries be located in the same naming context, set
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>check-references-scope-criteria</literal> to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>naming-context</literal>.</para>
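The following added example models, in plain Python with no LDAP server, the three behaviours this chapter describes: the reverse lookup behind isMemberOf (section "Looking Up Group Membership"), the member and uniqueMember cleanup that the referential integrity plugin performs after a delete or rename, and the check-references validation with filter and naming-context criteria (this section). It is illustrative code written for this page, not OpenDJ's own implementation: the in-memory directory, the extra "Admins" group, the simplified DN normalization, and the function names are all constructed assumptions, and the check logic is a reading of the documented properties rather than the plugin's actual code.

```python
"""Toy model of OpenDJ static-group bookkeeping (added example, not OpenDJ code)."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Attributes the referential integrity plugin manages by default (from the chapter).
MANAGED_ATTRS = ("member", "uniqueMember")
# Assumed naming context for the scope check.
NAMING_CONTEXT = "dc=example,dc=com"


def norm(dn: str) -> str:
    """Simplified DN normalization: trim spaces around RDN separators, lowercase.
    Real servers follow RFC 4514 matching rules; this is enough for the toy model."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def build_directory() -> Directory:
    """Constructed sample data modelled on the chapter's example.com entries."""
    people = ("ahunter", "bjensen", "tmorris", "scarter")
    d: Directory = {}
    for uid in people:
        d[norm(f"uid={uid},ou=People,{NAMING_CONTEXT}")] = {
            "objectClass": ["top", "person", "inetOrgPerson"], "uid": [uid]}
    d[norm(f"cn=My Static Group,ou=Groups,{NAMING_CONTEXT}")] = {
        "objectClass": ["top", "groupOfNames"], "cn": ["My Static Group"],
        "member": [norm(f"uid={u},ou=People,{NAMING_CONTEXT}") for u in people]}
    # Hypothetical second group using uniqueMember, to show both managed attributes.
    d[norm(f"cn=Admins,ou=Groups,{NAMING_CONTEXT}")] = {
        "objectClass": ["top", "groupOfUniqueNames"], "cn": ["Admins"],
        "uniqueMember": [norm(f"uid=scarter,ou=People,{NAMING_CONTEXT}")]}
    return d


def is_member_of(d: Directory, user_dn: str) -> List[str]:
    """Reverse lookup, as isMemberOf reports for static groups:
    every entry whose managed attribute lists user_dn."""
    u = norm(user_dn)
    return sorted(dn for dn, e in d.items()
                  if any(u in e.get(a, []) for a in MANAGED_ATTRS))


def _rewrite_references(d: Directory, old: str, new: Optional[str]) -> int:
    """Replace (or drop, when new is None) every managed reference to old.
    Returns the number of entries that were updated."""
    touched = 0
    for e in d.values():
        for a in MANAGED_ATTRS:
            if a in e and old in e[a]:
                e[a] = [v for v in e[a] if v != old] if new is None else \
                       [new if v == old else v for v in e[a]]
                touched += 1
    return touched


def delete_entry(d: Directory, dn: str) -> int:
    """Delete dn, then clean up dangling group references as the plugin would
    after the DELETE succeeds. Returns the number of groups updated."""
    target = norm(dn)
    del d[target]
    return _rewrite_references(d, target, None)


def rename_entry(d: Directory, old_dn: str, new_dn: str) -> int:
    """Rename old_dn to new_dn and rewrite group references to the new DN."""
    old, new = norm(old_dn), norm(new_dn)
    d[new] = d.pop(old)
    return _rewrite_references(d, old, new)


def check_reference(d: Directory, member_dn: str,
                    filter_attr: str = "objectClass", filter_value: str = "person",
                    scope_naming_context: bool = True) -> Optional[str]:
    """Model of check-references with filter criteria
    (default: member:(objectclass=person)) and scope criteria naming-context.
    Returns None when the value is acceptable, otherwise the rejection reason."""
    m, nc = norm(member_dn), norm(NAMING_CONTEXT)
    if scope_naming_context and not (m == nc or m.endswith("," + nc)):
        return "outside naming context"
    e = d.get(m)
    if e is None:
        return "no such entry"
    if filter_value.lower() not in (v.lower() for v in e.get(filter_attr, [])):
        return "does not match filter criteria"
    return None


if __name__ == "__main__":
    directory = build_directory()
    print(is_member_of(directory, "uid=scarter,ou=People,dc=example,dc=com"))
    delete_entry(directory, "uid=scarter,ou=People,dc=example,dc=com")
    print(directory[norm("cn=My Static Group,ou=Groups,dc=example,dc=com")]["member"])
    print(check_reference(directory, "uid=nobody,ou=People,dc=example,dc=com"))
```

The scope check compares normalized DN suffixes rather than using a plain substring test, so a member under dc=notexample,dc=com is not mistaken for one under dc=example,dc=com; the filter check is the reason to keep the managed attribute indexed for equality in a real server, since each validation is effectively a lookup by DN.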
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark</chapter>