chap-groups.xml revision 08248b5c5b494aff8d1922e8e0b5777796d7450d
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! CCPL HEADER START
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! This work is licensed under the Creative Commons
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! To view a copy of this license, visit
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! http://creativecommons.org/licenses/by-nc-nd/3.0/
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! or send a letter to Creative Commons, 444 Castro Street,
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! Suite 900, Mountain View, California, 94041, USA.
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! You can also obtain a copy of the license at
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! See the License for the specific language governing permissions
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! and limitations under the License.
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! If applicable, add the following below this CCPL HEADER, with the fields
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! enclosed by brackets "[]" replaced with your own identifying information:
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! Portions Copyright [yyyy] [name of copyright owner]
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! CCPL HEADER END
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang ! Copyright 2011-2014 ForgeRock AS
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang xsi:schemaLocation='http://docbook.org/ns/docbook
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>OpenDJ supports several methods of grouping entries in the directory.
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang Static groups list their members, whereas dynamic groups look up their
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang membership based on an LDAP filter. OpenDJ also supports virtual static
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang groups, which uses a dynamic group style definition, but allows applications
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang to list group members as if the group were static.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>When listing entries in static groups, you must also have a mechanism
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang for removing entries from the list when they are deleted or modified in ways
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang that end their membership. OpenDJ makes that possible with
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <emphasis>referential integrity</emphasis> functionality.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>This chapter demonstrates how to work with groups.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>The examples in this chapter assume that an
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>ou=Groups,dc=example,dc=com</literal> entry already exists. If you
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang imported data from <link xlink:href="http://opendj.forgerock.org/Example.ldif"
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang xlink:show="new">Example.ldif</link>, then you already have the entry. If you
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang generated data during setup and did not create an organizational unit for
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang groups yet, create the entry before you try the examples.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapmodify \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --defaultAdd \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangdn: ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: organizationalunit
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>Processing ADD request for ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangADD operation successful for DN ou=Groups,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang </indexterm>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>A <firstterm>static group</firstterm> is expressed as an entry
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang that enumerates all the entries that belong to the group. Static group
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang entries grow as their membership increases.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>Static group entries can take the standard object class
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>groupOfNames</literal> where each <literal>member</literal>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang attribute value is a distinguished name of an entry, or
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>groupOfUniqueNames</literal> where each
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>uniqueMember</literal> attribute value has Name and Optional UID
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang syntax.<footnote><para>Name and Optional UID syntax values are a DN optionally
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang followed by <literal>#<replaceable>BitString</replaceable></literal>. The
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <replaceable>BitString</replaceable>, such as <literal>'0101111101'B</literal>,
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang serves to distinguish the entry from another entry having the same DN, which
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang can occur when the original entry was deleted and a new entry created with the
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang same DN.</para></footnote> Like other LDAP attributes,
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>member</literal> and <literal>uniqueMember</literal> attributes take
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang sets of unique values.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>Static group entries can also have the object class
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>groupOfEntries</literal>, which is like
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>groupOfNames</literal> except that it is designed to allow
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang groups not to have members.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>When creating a group entry, use <literal>groupOfNames</literal> or
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>groupOfEntries</literal> where possible.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>To create a static group, add a group entry such as the following
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang to the directory.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangcn: My Static Group
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: groupOfNames
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=ahunter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=tmorris,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapmodify \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --defaultAdd \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>Processing ADD request for cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangADD operation successful for DN cn=My Static Group,ou=Groups,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>To change group membership, modify the values of the membership
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang attribute.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangchangetype: modify
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=scarter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapmodify \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>Processing MODIFY request for cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangMODIFY operation successful for DN
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapsearch \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --baseDN dc=example,dc=com \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang "(cn=My Static Group)"</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: groupOfNames
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=ahunter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=tmorris,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=scarter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangcn: My Static Group</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>RFC 4519 says a <literal>groupOfNames</literal> entry must have
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang at least one member. Although OpenDJ allows you to create a
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>groupOfNames</literal> without members, strictly speaking that
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang behavior is not standard. Alternatively, you can use the
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>groupOfEntries</literal> object class as shown in the following
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang example.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>cat group-of-entries.ldif</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangcn: Initially Empty Static Group
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: groupOfEntries
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapmodify \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --defaultAdd \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>Processing ADD request for
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangADD operation successful for DN
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput># Now add some members to the group.
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangdn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangchangetype: modify
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=ahunter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=tmorris,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=scarter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapmodify \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>Processing MODIFY request for
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangMODIFY operation successful for DN
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang </indexterm>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>A <firstterm>dynamic group</firstterm> specifies members using
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang LDAP URLs. Dynamic groups entries can stay small even as their
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang membership increases.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>Dynamic group entries take the <literal>groupOfURLs</literal>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang object class, with one or more <literal>memberURL</literal> values
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang specifying LDAP URLs to identify group members.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>To create a dynamic group, add a group entry such as the following to
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang the directory.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>The following example builds a dynamic group of entries effectively
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang matching the filter <literal>"(l=Cupertino)"</literal> (users whose location
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang is Cupertino). Change the filter if your data is different, and so no
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang entries have <literal>l: Cupertino</literal>.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangcn: My Dynamic Group
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: groupOfURLs
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangmemberURL: ldap:///ou=People,dc=example,dc=com??sub?l=Cupertino
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapmodify \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --defaultAdd \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>Processing ADD request for cn=My Dynamic Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangADD operation successful for DN cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>Group membership changes dynamically as entries change to match the
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapsearch \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --baseDN dc=example,dc=com \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang "(&(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang mail</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmail: bjensen@example.com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangdn: uid=rjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmail: rjensen@example.com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapmodify \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangchangetype: modify
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangProcessing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangMODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapsearch \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --baseDN dc=example,dc=com \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang "(&(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang mail</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmail: ajensen@example.com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangdn: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmail: bjensen@example.com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangdn: uid=rjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmail: rjensen@example.com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang </indexterm>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>OpenDJ lets you create <firstterm>virtual static groups</firstterm>,
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang which let applications see dynamic groups as what appear to be static
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang groups.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>The virtual static group takes auxiliary object class
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>ds-virtual-static-group</literal>. Virtual static groups also take
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang either the object class <literal>groupOfNames</literal>, or
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>groupOfUniqueNames</literal>, but instead of having
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>member</literal> or <literal>uniqueMember</literal> attributes,
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang have <literal>ds-target-group-dn</literal> attributes pointing to other
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang groups.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>Generating the list of members can be resource intensive for large
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang groups, so by default you cannot retrieve the list of members. You can
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang change this with the <command>dsconfig</command> command by setting the
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>Virtual Static uniqueMember</literal> property.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>dsconfig \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang set-virtual-attribute-prop \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 4444 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --name "Virtual Static member" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --set allow-retrieving-membership:true \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --trustAll \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --no-prompt</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>The following example creates a virtual static group, and reads the
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang group entry with all members.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangcn: Virtual Static
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangobjectclass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangobjectclass: groupOfNames
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangobjectclass: ds-virtual-static-group
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapmodify \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer --bindPassword password \
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer --defaultAdd \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>Processing ADD request for cn=Virtual Static,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangADD operation successful for DN cn=Virtual Static,ou=Groups,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=Virtual Static)"</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: groupOfNames
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: ds-virtual-static-group
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=jwalker,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=jmuffly,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=tlabonte,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=dakers,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=jreuter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=rfisher,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=pshelton,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=rjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=jcampaig,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=mjablons,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=mlangdon,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=aknutson,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=bplante,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=awalker,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=smason,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=ewalker,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=dthorud,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=btalbot,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=tcruse,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=kcarter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=aworrell,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=ajensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=cwallace,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=mwhite,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=kschmith,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=mtalbot,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=tschmith,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=gfarmer,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=speterso,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=prose,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=jbourke,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=mtyler,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=abergin,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=mschneid,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangcn: Virtual Static
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang </indexterm>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>OpenDJ lets you look up which groups a user belongs to by using the
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapsearch \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --baseDN dc=example,dc=com \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang uid=bjensen \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang isMemberOf</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangisMemberOf: cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangisMemberOf: cn=Virtual Static,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangisMemberOf: cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>You must request <literal>isMemberOf</literal> explicitly.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <title>Configuring Referential Integrity</title>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang </indexterm>
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer <para>When you delete or rename an entry that belongs to static groups, that
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang entry's DN must be removed or changed in the list of each group to which it
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang belongs. You can configure OpenDJ to resolve membership on your behalf after
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang the change operation succeeds by enabling referential integrity.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>Referential integrity functionality is implemented as a plugin. The
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang referential integrity plugin is disabled by default. To enable the plugin,
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang use the <command>dsconfig</command> command.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>dsconfig \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang set-plugin-prop \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 4444 \
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer --bindDN "cn=Directory Manager" \
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer --bindPassword password \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --plugin-name "Referential Integrity" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --set enabled:true \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --trustAll \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --no-prompt</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>With the plugin enabled, you can see OpenDJ referential integrity
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang resolving group membership automatically.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: groupOfNames
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=ahunter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=tmorris,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=scarter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangcn: My Static Group
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapdelete \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --port 1389 \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindDN "cn=Directory Manager" \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang --bindPassword password \
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang uid=scarter,ou=People,dc=example,dc=com</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>Processing DELETE request for uid=scarter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangDELETE operation successful for DN uid=scarter,ou=People,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"</userinput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: groupOfNames
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker FangobjectClass: top
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangcn: My Static Group
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=ahunter,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=bjensen,ou=People,dc=example,dc=com
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fangmember: uid=tmorris,ou=People,dc=example,dc=com</computeroutput>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>By default the referential integrity plugin is configured to manage
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>member</literal> and <literal>uniqueMember</literal> attributes.
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang These attributes take values that are DNs, and are indexed for equality by
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang default. Before you add an additional attribute to manage, make sure that
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang it has DN syntax and that it is indexed for equality. OpenDJ requires that
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang the attribute be indexed because an unindexed search for integrity would
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang potentially consume too many of the server's resources. Attribute syntax is
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang explained in the chapter on <link xlink:href="admin-guide#chap-schema"
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"><citetitle
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang >Managing Schema</citetitle></link>. For instructions on indexing attributes,
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang see the section on <link xlink:href="admin-guide#configure-indexes"
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"><citetitle
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang >Configuring & Rebuilding Indexes</citetitle></link>.</para>
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <para>You can also configure the referential integrity plugin to check that
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang new entries added to groups actually exist in the directory by setting the
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>check-references</literal> property to <literal>true</literal>. You
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang can specify additional criteria once you have activated the check. To ensure
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang that entries added must match a filter, set the
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>check-references-filter-criteria</literal> to identify the attribute
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang and the filter. For example, you can specify that group members must be person
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang entries by setting <literal>check-references-filter-criteria</literal> to
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>member:(objectclass=person)</literal>. To ensure that entries must be
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang located in the same naming context, set
22a84b8d79248a611e4ba663a268d3c4bed054acQuaker Fang <literal>check-references-scope-criteria</literal> to