When you delete or rename an entry that belongs to static groups, that entry's DN must be removed or changed in the list of each group to which it belongs. You can configure OpenDJ to resolve membership on your behalf after the change operation succeeds by enabling referential integrity.
Referential integrity functionality is implemented as a plugin. The referential integrity plugin is disabled by default. To enable the plugin, use the dsconfig command.
$ dsconfig set-plugin-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Referential Integrity" \
 --set enabled:true \
 --trustAll \
 --no-prompt
With the plugin enabled, you can see OpenDJ referential integrity resolving group membership automatically.
$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"
dn: cn=My Static Group,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: groupOfNames
objectClass: top
member: uid=ahunter,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com
member: uid=scarter,ou=People,dc=example,dc=com
cn: My Static Group

$ ldapdelete --port 1389 --bindDN "cn=Directory Manager" --bindPassword password uid=scarter,ou=People,dc=example,dc=com
Processing DELETE request for uid=scarter,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=scarter,ou=People,dc=example,dc=com

$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"
dn: cn=My Static Group,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: groupOfNames
objectClass: top
cn: My Static Group
member: uid=ahunter,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com
By default the referential integrity plugin is configured to manage the member and uniqueMember attributes. These attributes take values that are DNs, and are indexed for equality by default. Before you add an additional attribute to manage, make sure that it has DN syntax and that it is indexed for equality. OpenDJ requires that the attribute be indexed because an unindexed search for integrity would potentially consume too many of the server's resources. Attribute syntax is explained in the chapter on Managing Schema. For instructions on indexing attributes, see the section on Configuring & Rebuilding Indexes.
You can also configure the referential integrity plugin to check that new entries added to groups actually exist in the directory by setting the check-references property to true. You can specify additional criteria once you have activated the check. To ensure that added entries must match a filter, set check-references-filter-criteria to identify the attribute and the filter. For example, you can specify that group members must be person entries by setting check-references-filter-criteria to member:(objectclass=person). To ensure that entries must be located in the same naming context, set check-references-scope-criteria to naming-context.
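As an added example that is not OpenDJ code, the following script audits an LDIF export (for instance, ldapsearch output) for the two conditions this section describes: member or uniqueMember values that no longer resolve to an entry, and members that would not satisfy a check-references filter such as member:(objectclass=person). The LDIF is constructed, and the parser assumes plain attr: value lines with no base64 values or folded lines.

```python
"""Audit an LDIF export of static groups for member DNs that no longer
resolve (what referential integrity cleans up) and for members that would
fail a check like member:(objectclass=person). Constructed example, not
OpenDJ code; assumes attr: value LDIF with no base64 or folded lines."""

def normalize_dn(dn):
    """Case-fold and strip spaces around RDNs so variant spellings match."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Return {normalized DN: {lowercase attr: [values]}} for each entry."""
    entries, attrs = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in attrs:
                entries[normalize_dn(attrs["dn"][0])] = attrs
            attrs = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attrs.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_groups(text, required_objectclass=None,
                 managed=("member", "uniquemember")):  # plugin defaults
    """Map each group DN to its missing and filter-violating member DNs."""
    entries, report = parse_ldif(text), {}
    for dn, attrs in entries.items():
        missing, filtered = [], []
        for ref in (v for a in managed for v in attrs.get(a, [])):
            target = entries.get(normalize_dn(ref))
            if target is None:                       # dangling reference
                missing.append(ref)
            elif required_objectclass and required_objectclass.lower() not in (
                    oc.lower() for oc in target.get("objectclass", [])):
                filtered.append(ref)                 # exists but wrong kind
        if missing or filtered:
            report[dn] = {"missing": missing, "filtered": filtered}
    return report

SAMPLE_LDIF = """dn: uid=ahunter,ou=People,dc=example,dc=com
objectClass: person

dn: cn=Printer1,ou=Devices,dc=example,dc=com
objectClass: device

dn: cn=My Static Group,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: UID=ahunter, ou=People,dc=example,dc=com
member: cn=Printer1,ou=Devices,dc=example,dc=com
member: uid=scarter,ou=People,dc=example,dc=com"""
```

Run it before enabling the plugin on an existing directory to see which references it would remove, and with the objectclass argument to preview what check-references-filter-criteria would reject.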

