Dynamic LDAP groups can be very useful, especially if applications can use them just like static groups. More below.
LDAP groups are generally formed by creating a groupofnames or groupofuniquenames object and adding each member's DN as a value of the multi-valued member attribute (for a groupofnames object) or uniquemember attribute (for a groupofuniquenames object). Active Directory generally implements groups as groupofnames objects, while directories descended from the original Netscape directory often use groupofuniquenames. For example:
dn: cn=Help Desk,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
cn: Help Desk
uniquemember: uid=richp,ou=people,dc=example,dc=com
uniquemember: uid=shrinid,ou=people,dc=example,dc=com
uniquemember: uid=tracyx,ou=people,dc=example,dc=com
Dynamic groups were invented to populate groups from an LDAP filter or query without having to manually add each matching user DN to the group. The exact syntax differs between directory server products. OpenDJ, following the tradition of the Netscape/Sun directories, uses a groupofurls object with a memberurl attribute:
dn: cn=Help Desk,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupofurls
cn: Help Desk
memberurl: ldap:///dc=example,dc=com??sub?(title=*Help Desk*)
In this case every entry in the directory that matches the search filter contained in memberurl (that is, every entry with “Help Desk” somewhere in its title) becomes a member of the group.
Note: In real life we’d strive to be a bit more precise than a substring search on title, for example by implementing a custom attribute such as “companyrole” and populating it with a value like “helpdesk”. That is usually done manually by your user administration crew, or, if you’re fortunate enough to have a Human Resources or other feed with official role information, through scripted updates.
The only problem with the above is that most LDAP applications don’t know how to handle dynamic groups. In order to make them useful for those applications we need an object that lists all the member (uniquemember) values as if it were an ordinary group.
In OpenDJ we would use a ds-virtual-static-group object for that purpose.
First you need to set up a dynamic group like the one above.
Then set up a ds-virtual-static-group object like this:
dn: cn=Help Desk VGroup,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ds-virtual-static-group
cn: Help Desk VGroup
ds-target-group-dn: cn=Help Desk,ou=groups,dc=example,dc=com
Notice that the ds-target-group-dn value is what ties this new virtual static group to the previously created dynamic group.
By default, OpenDJ doesn’t allow clients to retrieve group membership by querying the virtual group. Enabling it requires a configuration change on the directory. There are separate configurations for member and uniquemember virtual group attributes.
To use dsconfig to enable retrieval of virtual uniquemember values:
dsconfig \
  set-virtual-attribute-prop \
  -p 5444 \
  -j $HOME/etc/pwd.txt \
  --name "Virtual Static uniquemember" \
  --set allow-retrieving-membership:true \
  -X \
  -n
To do the same by editing the directory configuration, apply the following LDIF (the configuration entry's RDN is cn=Virtual Static uniquemember):
dn: cn=Virtual Static uniquemember,cn=Virtual Attributes,cn=config
changetype: modify
replace: ds-cfg-allow-retrieving-membership
ds-cfg-allow-retrieving-membership: true
When you then search for the “Help Desk VGroup” entry, it looks like this:
dn: cn=Help Desk VGroup,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ds-virtual-static-group
cn: Help Desk VGroup
ds-target-group-dn: cn=Help Desk,ou=groups,dc=example,dc=com
uniquemember: uid=richp,ou=people,dc=example,dc=com
uniquemember: uid=shrinid,ou=people,dc=example,dc=com
uniquemember: uid=tracyx,ou=people,dc=example,dc=com
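As an added illustration (not code from this post or from OpenDJ), the following Python resolves a memberurl against a small constructed set of entries and renders what the virtual static group would expose as uniquemember values. It also makes the precision note above concrete: the loose (title=*Help Desk*) substring filter pulls in a finance liaison whose title merely mentions the help desk, while a filter on the hypothetical companyrole attribute does not. ENTRIES, LOOSE_URL, PRECISE_URL and the uid=kimw entry are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample entries (not from the post); companyrole is the hypothetical
# custom attribute the post suggests instead of a substring search on title.
ENTRIES = {
    "uid=richp,ou=people,dc=example,dc=com": {"title": ["Help Desk Analyst"], "companyrole": ["helpdesk"]},
    "uid=shrinid,ou=people,dc=example,dc=com": {"title": ["Senior Help Desk Tech"], "companyrole": ["helpdesk"]},
    "uid=tracyx,ou=people,dc=example,dc=com": {"title": ["Help Desk Manager"], "companyrole": ["helpdesk"]},
    "uid=kimw,ou=people,dc=example,dc=com": {"title": ["Help Desk Liaison, Finance"], "companyrole": ["finance"]},
}
LOOSE_URL = "ldap:///dc=example,dc=com??sub?(title=*Help Desk*)"               # the post's memberurl
PRECISE_URL = "ldap:///ou=people,dc=example,dc=com??sub?(companyrole=helpdesk)"  # hypothetical tighter filter

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected a local ldap:/// URL")
    parts = [unquote(p) for p in url[len("ldap:///"):].split("?")]
    parts += [""] * (4 - len(parts))            # base?attrs?scope?filter, all optional
    base, _attrs, scope, flt = parts[:4]
    return base, (scope or "base"), (flt or "(objectClass=*)")

def in_scope(dn, base, scope):
    """True if dn lies within base for search scope base/one/sub."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    rdns_below = dn[: -len(base) - 1].count(",") + 1
    return scope == "sub" or (scope == "one" and rdns_below == 1)

def matches(entry, flt):
    """Evaluate one equality/substring assertion such as (title=*Help Desk*);
    '*' matches any run of characters and comparison is case-insensitive."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("only single-assertion filters are supported: " + flt)
    attr, pattern = m.group(1).lower(), m.group(2)
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))

def resolve_members(member_url, entries=ENTRIES):
    """The DNs a dynamic group's memberurl selects, i.e. the uniquemember values a client sees."""
    base, scope, flt = parse_member_url(member_url)
    return sorted(dn for dn, e in entries.items() if in_scope(dn, base, scope) and matches(e, flt))

def virtual_group_ldif(group_dn, member_url, entries=ENTRIES):
    members = resolve_members(member_url, entries)
    return "\n".join(["dn: " + group_dn, "objectclass: groupofuniquenames"] + ["uniquemember: " + d for d in members])
```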
In my Openfire environment the group search filter only reads in entries with “description=Openfire Group” (that is, my ldap.groupSearchFilter is “(&(objectclass=groupOfUniqueNames)(description=Openfire Group))”). To implement the use of virtual static groups there I simply add that attribute and value to each group I want to make the system aware of.