Virtual static groups in OpenDJ

Dynamic LDAP groups can be very useful, especially if applications can use them just like static groups. More below.

LDAP groups are generally formed by creating a groupofnames or groupofuniquenames object and then adding the dn of each member as a separate value of the member attribute (for a groupofnames object) or the uniquemember attribute (for a groupofuniquenames object). Active Directory uses its own group object class but, like groupofnames, lists members in a multi-valued member attribute; directories descended from the original Netscape directory often use groupofuniquenames. For example:

dn: cn=Help Desk,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
cn: Help Desk
uniquemember: uid=richp,ou=people,dc=example,dc=com
uniquemember: uid=shrinid,ou=people,dc=example,dc=com
uniquemember: uid=tracyx,ou=people,dc=example,dc=com

Dynamic groups were invented to populate a group from an LDAP filter or query instead of adding each matching user dn by hand. The exact syntax differs between directory server products. OpenDJ, following the tradition of the Netscape/Sun directories, uses a groupofurls object whose memberurl attribute holds an LDAP URL (base DN, scope and filter):

dn: cn=Help Desk,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupofurls
cn: Help Desk
memberurl: ldap:///dc=example,dc=com??sub?(title=*Help Desk*)

In this case every entry under dc=example,dc=com that matches the search filter in memberurl (has “Help Desk” somewhere in its title) becomes a member of the group. The filter is evaluated by the server itself, so whoever can write the attributes it matches on controls the group's membership.

Note: In real life we’d strive to be a bit more precise than a substring search on title, for example by implementing a custom attribute like “companyrole” and populating it with a value like “helpdesk” (usually done by hand by your user administration crew, or, if you’re fortunate enough to have a Human Resources or other feed with official role information, through scripted updates), and by anchoring the memberurl at the people container with no wider a scope than needed. Whatever attribute you filter on becomes an authorization attribute: anyone who can write it to their own entry can join the group, so make sure self-write ACIs exclude it, and restrict who may modify memberurl itself.

The only problem with the above is that most LDAP applications don’t know how to handle dynamic groups. In order to make them useful for those applications we need to have an object that lists all the member (uniquemember) values as if it was an ordinary group.

In OpenDJ we would use a ds-virtual-static-group object for that purpose.

First you need to set up a dynamic group like the one above.

Then set up a ds-virtual-static-group object like this (an ordinary groupofuniquenames entry with the auxiliary ds-virtual-static-group object class added):

dn: cn=Help Desk VGroup,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ds-virtual-static-group
cn: Help Desk VGroup
ds-target-group-dn: cn=Help Desk,ou=groups,dc=example,dc=com

Notice that the ds-target-group-dn value is what ties this new virtual static group to the previously created dynamic group.
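To make the two halves of this concrete, here is an added example (mine, not code from the post or from OpenDJ) that resolves a memberurl the way a dynamic group does and then renders the virtual static group entry that a client would read back. It parses the LDAP URL syntax (RFC 4516) and a subset of RFC 4515 filters (equality, presence, substring, &, |, !) and evaluates them against a small constructed set of entries, so it runs offline. The entries, the LOOSE_URL and PRECISE_URL values and the companyrole attribute are assumptions for the demonstration; the loose substring filter from the post also picks up a manager and a printer entry, while the role-based filter scoped to ou=people returns only the three help desk staff.

```python
"""Resolve an OpenDJ-style memberurl and materialise the virtual static group.
Added example, not code from the post or from OpenDJ. DN escaping (e.g. "\\,")
and the >=, <=, ~= filter operators are deliberately not handled."""
import re
from urllib.parse import unquote

def _person(title, role):
    return {"objectclass": ["person"], "title": [title], "companyrole": [role]}

# Constructed sample directory: DN -> attributes (attribute names lower-case).
ENTRIES = {
    "uid=richp,ou=people,dc=example,dc=com": _person("Help Desk Analyst", "helpdesk"),
    "uid=shrinid,ou=people,dc=example,dc=com": _person("Help Desk Analyst", "helpdesk"),
    "uid=tracyx,ou=people,dc=example,dc=com": _person("Senior Help Desk Analyst", "helpdesk"),
    "uid=jdoe,ou=people,dc=example,dc=com": _person("Developer", "engineering"),
    # Two entries a loose substring filter on title picks up by mistake:
    "uid=maryk,ou=people,dc=example,dc=com": _person("Manager, Help Desk Operations", "manager"),
    "cn=Help Desk Printer,ou=devices,dc=example,dc=com": {"objectclass": ["device"], "title": ["Help Desk"]},
}
LOOSE_URL = "ldap:///dc=example,dc=com??sub?(title=*Help Desk*)"          # as in the post
PRECISE_URL = "ldap:///ou=people,dc=example,dc=com??one?(&(objectclass=person)(companyrole=helpdesk))"

def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_member_url(url):
    """Split 'ldap:///base?attrs?scope?filter' into (base, scope, filter)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("memberurl must start with ldap:///")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))                     # missing fields take defaults
    base, _attrs, scope, flt = parts[:4]
    return unquote(base), (scope or "base").lower(), unquote(flt) or "(objectclass=*)"

def in_scope(dn, base, scope):
    """LDAP search scope: base = the entry itself, one = its children, sub = whole subtree."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    rdns_below_base = dn[: -len(base) - 1]
    return scope == "sub" or (scope == "one" and "," not in rdns_below_base)

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [children]) or ('=', attr, value) tuples."""
    def node(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if text[i + 1] in "&|!":
            op, kids, i = text[i + 1], [], i + 2
            while text[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, kids), i + 1
        end = text.index(")", i)                         # ')' inside a value must be escaped as \29
        attr, sep, value = text[i + 1:end].partition("=")
        if not sep or attr[-1:] in "<>~":
            raise ValueError("only =, presence and substring filters are supported")
        return ("=", attr.lower(), value), end + 1
    tree, pos = node(0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(tree, attrs):
    """Evaluate a parsed filter; comparisons are case-insensitive, like caseIgnoreMatch."""
    if tree[0] in "&|":
        return (all if tree[0] == "&" else any)(matches(k, attrs) for k in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], attrs)
    values = attrs.get(tree[1], [])
    if tree[2] == "*":                                   # presence filter
        return bool(values)
    pattern = ".*".join(re.escape(p) for p in tree[2].split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def resolve_dynamic_group(member_urls, entries=ENTRIES):
    """Return the sorted DNs a groupofurls entry with these memberurl values would contain."""
    members = set()
    for url in member_urls:
        base, scope, flt = parse_member_url(url)
        tree = parse_filter(flt)
        members.update(dn for dn, attrs in entries.items()
                       if in_scope(dn, base, scope) and matches(tree, attrs))
    return sorted(members)

def virtual_static_group_ldif(vgroup_dn, target_dn, member_urls, entries=ENTRIES):
    """Render the ds-virtual-static-group entry as a client sees it once retrieval is enabled."""
    cn = vgroup_dn.split(",", 1)[0].split("=", 1)[1]
    lines = [f"dn: {vgroup_dn}", "objectclass: top", "objectclass: groupofuniquenames",
             "objectclass: ds-virtual-static-group", f"cn: {cn}", f"ds-target-group-dn: {target_dn}"]
    lines += [f"uniquemember: {dn}" for dn in resolve_dynamic_group(member_urls, entries)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for url in (LOOSE_URL, PRECISE_URL):
        print(url, resolve_dynamic_group([url]), sep="\n  ")
    print(virtual_static_group_ldif("cn=Help Desk VGroup,ou=groups,dc=example,dc=com",
                                    "cn=Help Desk,ou=groups,dc=example,dc=com", [PRECISE_URL]))
```

Running it shows why the note above matters: the substring filter with sub scope from the root returns five entries, two of which should never be able to reach help desk applications, whereas the role attribute with one-level scope under ou=people returns exactly richp, shrinid and tracyx.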

By default, OpenDJ doesn’t let clients retrieve the full membership list by reading the virtual group: the virtual uniquemember attribute can be used in search filters and compare requests (is uid=richp a member?), but a request for all of its values returns an empty set. Enabling retrieval requires a configuration change on the directory. There are separate virtual attribute configurations, “Virtual Static member” and “Virtual Static uniquemember”, depending on which attribute your groups use.

To use dsconfig to enable retrieval of virtual uniquemember values (the example talks to the administration connector on port 5444; -j reads the bind password from a file; -X trusts whatever server certificate is presented, which is acceptable against localhost but should be replaced by a trust store anywhere else):

dsconfig \
set-virtual-attribute-prop \
-p 5444 \
-j $HOME/etc/pwd.txt \
--name "Virtual Static uniquemember" \
--set allow-retrieving-membership:true \
-X \
-n

To do the same by modifying the configuration entry directly, apply the following LDIF with ldapmodify as an administrator (note that the RDN of the configuration entry is cn=Virtual Static uniquemember):

dn: cn=Virtual Static uniquemember,cn=Virtual Attributes,cn=config
changetype: modify
replace: ds-cfg-allow-retrieving-membership
ds-cfg-allow-retrieving-membership: true

A base-scope search of “Help Desk VGroup” that requests the uniquemember attribute will then return the dynamic group’s current members, resolved at search time (each such read re-runs the memberurl search, which is why retrieval is off by default):

dn: cn=Help Desk VGroup,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: ds-virtual-static-group
cn: Help Desk VGroup
ds-target-group-dn: cn=Help Desk,ou=groups,dc=example,dc=com
uniquemember: uid=richp,ou=people,dc=example,dc=com
uniquemember: uid=shrinid,ou=people,dc=example,dc=com
uniquemember: uid=tracyx,ou=people,dc=example,dc=com

In my Openfire environment the group search filter only reads in entries with “description=Openfire Group” (that is, my ldap.groupSearchFilter is “(&(objectclass=groupOfUniqueNames)(description=Openfire Group))”). To implement the use of virtual static groups there I simply add that attribute and value to each group I want the system to be aware of.

Further Reading:

Creating Virtual Static Groups in the latest OpenDJ Administration Guide.

This entry was posted in Identity Management, System Administration.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).