A static group is expressed as an entry that enumerates all the entries that belong to the group. Static group entries grow as their membership increases.
Static group entries can take the standard object class groupOfNames where each member attribute value is a distinguished name of an entry, or groupOfUniqueNames where each uniqueMember attribute value has Name and Optional UID syntax.[8] Like other LDAP attributes, member and uniqueMember attributes take sets of unique values.
Static group entries can also have the object class groupOfEntries, which is like groupOfNames except that it is designed to allow groups not to have members.
When creating a group entry, use groupOfNames or groupOfEntries where possible.
To create a static group, add a group entry such as the following to the directory.
    $ cat static.ldif
    dn: cn=My Static Group,ou=Groups,dc=example,dc=com
    cn: My Static Group
    objectClass: groupOfNames
    objectClass: top
    ou: Groups
    member: uid=ahunter,ou=People,dc=example,dc=com
    member: uid=bjensen,ou=People,dc=example,dc=com
    member: uid=tmorris,ou=People,dc=example,dc=com

    $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename static.ldif
    Processing ADD request for cn=My Static Group,ou=Groups,dc=example,dc=com
    ADD operation successful for DN cn=My Static Group,ou=Groups,dc=example,dc=com
To change group membership, modify the values of the membership attribute.
    $ cat add2grp.ldif
    dn: cn=My Static Group,ou=Groups,dc=example,dc=com
    changetype: modify
    add: member
    member: uid=scarter,ou=People,dc=example,dc=com

    $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename add2grp.ldif
    Processing MODIFY request for cn=My Static Group,ou=Groups,dc=example,dc=com
    MODIFY operation successful for DN cn=My Static Group,ou=Groups,dc=example,dc=com

    $ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"
    dn: cn=My Static Group,ou=Groups,dc=example,dc=com
    ou: Groups
    objectClass: groupOfNames
    objectClass: top
    member: uid=ahunter,ou=People,dc=example,dc=com
    member: uid=bjensen,ou=People,dc=example,dc=com
    member: uid=tmorris,ou=People,dc=example,dc=com
    member: uid=scarter,ou=People,dc=example,dc=com
    cn: My Static Group
RFC 4519 says a groupOfNames entry must have at least one member. Although OpenDJ allows you to create a groupOfNames without members, strictly speaking that behavior is not standard. Alternatively, you can use the groupOfEntries object class as shown in the following example.
    $ cat group-of-entries.ldif
    dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
    cn: Initially Empty Static Group
    objectClass: groupOfEntries
    objectClass: top
    ou: Groups

    $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename group-of-entries.ldif
    Processing ADD request for cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
    ADD operation successful for DN cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com

    $ cat add-members.ldif
    # Now add some members to the group.
    dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
    changetype: modify
    add: member
    member: uid=ahunter,ou=People,dc=example,dc=com
    member: uid=bjensen,ou=People,dc=example,dc=com
    member: uid=tmorris,ou=People,dc=example,dc=com
    member: uid=scarter,ou=People,dc=example,dc=com

    $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename add-members.ldif
    Processing MODIFY request for cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
    MODIFY operation successful for DN cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
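A pre-load check for static group LDIF, as an added example that is not part of the OpenDJ documentation: it flags a groupOfNames entry with no member and membership values that repeat once DNs are compared case-insensitively, treating the optional bit string of Name and Optional UID syntax as part of the value. The function names, the simplified DN comparison (no escaped commas or '#') and the LDIF handling (no folded or base64 lines) are assumptions of this sketch.

```python
import re

# Optional "#'0101'B" suffix of Name and Optional UID syntax.
UID_SUFFIX = re.compile(r"^(?P<dn>.*?)(?:#(?P<bits>'[01]*'B))?$")

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}; comments skipped."""
    entry = {}
    for line in ldif.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def norm_dn(dn):
    """Simplified DN comparison key (assumption: no escaped commas or '#')."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def check_static_group(entry):
    """Return a list of findings for one static group entry."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    attr = "uniquemember" if "groupofuniquenames" in classes else "member"
    values = entry.get(attr, [])
    if "groupofnames" in classes and not values:
        findings.append("groupOfNames without member: not standard per RFC 4519; use groupOfEntries")
    seen = set()
    for value in values:
        m = UID_SUFFIX.match(value)
        key = (norm_dn(m.group("dn")), m.group("bits"))  # bit string distinguishes same-DN entries
        if key in seen:
            findings.append(f"duplicate {attr} value: {value}")
        seen.add(key)
    return findings

SAMPLE = """\
# Constructed sample: the second member repeats the first in different case.
dn: cn=My Static Group,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: My Static Group
member: uid=bjensen,ou=People,dc=example,dc=com
member: UID=bjensen, ou=People,dc=example,dc=com
"""

if __name__ == "__main__":
    for finding in check_static_group(parse_entry(SAMPLE)):
        print(finding)
```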
[8] Name and Optional UID syntax values are a DN optionally followed by #BitString. The BitString, such as '0101111101'B, serves to distinguish the entry from another entry having the same DN, which can occur when the original entry was deleted and a new entry created with the same DN.

