Chapter 8. Organizing and Grouping Entries
8.1. Using Groups
nsRoleDN
attribute in the user object. If you use groups, then the DN of the users who are members of this group are stored in member
attributes in the group object. If you enabled the memberOf plug-in, then the groups the user is a member of, are additionally stored in memberOf
attribute in the user object. With this plug-in enabled, groups additionally have the benefit of roles, that you can list the group memberships of a user, similar as when using roles. Additionally, groups are faster than roles.
8.1.1. Creating Static Groups in the Console
Note
- In the Directory Server Console, select the Directory tab.
- In the left pane, right-click the entry under which to add a new group, and select New > Group.Alternatively, go to the Object menu, and select New > Group.
- Click General in the left pane. Type a name for the new group in the Group Name field (the name is required), and enter a description of the new group in the Description field.
- Click Members in the left pane. In the right pane, select the Static Group tab. Click to add new members to the group.
- In the Search drop-down list, select what sort of entries to search for (users, groups, or both) then click Search.
- Select the members from the returned entries, and click.
- Click Languages in the left pane to add language-specific information for the group.
- Clickto create the new group. It appears in the right pane.
Note
(objectclass=person)
and scope sub-tree
. See Section 13.4.2, “Creating Browsing Indexes from the Command Line”.
8.1.2. Creating Dynamic Groups in the Console
- In the Directory Server Console, select the Directory tab.
- In the left pane, right-click the entry under which to add a new group, and select New > Group.Alternatively, go to the Object menu, and select New > Group.
- Click General in the left pane. Type a name for the new group in the Group Name field (the name is required), and enter a description of the new group in the Description field.
- Click Members in the left pane. In the right pane, select the Dynamic Group tab. Click to create a LDAP URL for querying the database.
- Enter an LDAP URL in the text field or selectto be guided through the construction of an LDAP URL.The results show the current entries (group members) which correspond to the filter.
- Click Languages in the left pane to add language-specific information for the group.
- Click. The new group appears in the right pane.
Note
(objectclass=person)
and scope sub-tree
. See Section 13.4.2, “Creating Browsing Indexes from the Command Line”.
8.1.3. Creating Groups in the Command Line
groupOfNames
(recommended) is a simple group, that allows any entry to be added. The attribute used to determine members for this ismember
.groupOfUniqueNames
, likegroupOfNames
, simply lists user DNs as members, but the members must be unique. This prevents users being added more than once as a group member, which is one way of preventing self-referential group memberships. The attribute used to determine members for this isuniqueMember
.groupOfURLs
uses a list of LDAP URLs to filter and generate its membership list. This object class is required for any dynamic group and can be used in conjunction withgroupOfNames
andgroupOfUniqueNames
.groupOfCertificates
is similar togroupOfURLs
in that it uses an LDAP filter to search for and identify certificates (or, really, certificate names) to identify group members. This is useful for group-based access control, since the group can be given special access permissions. The attribute used to determine members for this ismemberCertificate
.
Table 8.1. Dynamic and Static Group Schema
Type of Group | Group Object Classes | Member Attributes |
---|---|---|
Static | groupOfUniqueNames | uniqueMember |
Dynamic |
groupOfUniqueNames
groupOfURLs
| memberURL |
ldapmodify
:
dn: cn=static group,ou=Groups,dc=example,dc=com changetype: add objectClass: top objectClass: groupOfUniqueNames cn: static group description: Example static group. uniqueMember: uid=mwhite,ou=People,dc=example,dc=com uniqueMember: uid=awhite,ou=People,dc=example,dc=com
groupOfUniqueNames
, can explicitly list some group members along with the dynamic LDAP URL. For example, using ldapmodify
:
dn: cn=dynamic group,ou=Groups,dc=example,dc=com changetype: add objectClass: top objectClass: groupOfUniqueNames objectClass: groupOfURLs cn: dynamic group description: Example dynamic group. memberURL: ldap:///dc=example,dc=com??sub?(&(objectclass=person)(cn=*sen*))
Note
memberURL
attribute instead of listing the group members in an attribute, the memberOf plug-in does not add the memberOf
attribute to the user objects that match the filter.
8.1.4. Listing Group Membership in User Entries
memberOf
attribute in the member's entry. (By default, this checks the member
attribute, but multiple attribute instances can be used to support multiple different group types.)
memberOf
attributes on the user entries. The MemberOf Plug-in provides a way to view the groups to which a user belongs simply by looking at the entry, including nested group membership. It can be very difficult to backtrack memberships through nested groups, but the MemberOf Plug-in shows memberships for all groups, direct and indirect.
8.1.4.1. Considerations When Using the memberOf
Plug-in
memberOf
plug-in.
- Using the
memberOf
Plug-in in a Replication Topology - There are two approaches to manage the
memberOf
attribute in a replication topology:- Enable the
memberOf
plug-in on all master and read-only replica servers in the topology. In this case, you must exclude thememberOf
attribute from replication in all replication agreements. For details about about excluding attributes, see Section 15.1.7, “Replicating a Subset of Attributes with Fractional Replication”. - Enable the
memberOf
plug-in only on all master servers in the topology. For this:- You must disable replication of the
memberOf
attribute to all write-enabled masters in the replication agreement. For details about about excluding attributes, see Section 15.1.7, “Replicating a Subset of Attributes with Fractional Replication”. - You must Enable replication of the
memberOf
attribute to all read-only replicas in their replication agreement. - You must not enable the
memberOf
plug-in on read-only replicas.
- Using the
memberOf
plug-in With Distributed Databases - As described in Section 2.2.1, “Creating Databases”, you can store sub-trees of your directory in individual databases. By default, the
memberOf
plug-in only updates user entries which are stored within the same database as the group. To enable the plug-in to also update users in different databases as the group, you must set thememberOfAllBackends
parameter toon
. See Section 8.1.4.4.1, “Editing the MemberOf Plug-in from the Console”.
8.1.4.2. Required Object Classes by the memberOf
Plug-In
memberOf
plug-in will add the nsMemberOf
object class to objects to provide the memberOf
attribute. This object class is safe to add to any object for this purpose, and no further action is required to enable this plug-in to operate correctly. Alternatively, you can create user objects that contain the inetUser
or inetAdmin,
object class. Both object classes support the memberOf
attribute as well.
extensibleObject
object class.
Note
LDAP: error code 65 - Object Class Violation
8.1.4.3. The MemberOf Plug-in Syntax
memberOfGroupAttr
) and the other for the attribute to create and manage in the member's user entry (memberOfAttr
).
memberOfGroupAttr
attribute is multi-valued. Because different types of groups use different member attributes, using multiple memberOfGroupAttr
attributes allows the plug-in to manage multiple types of groups.
Example 8.1. Default MemberOf Plug-in Entry
dn: cn=MemberOf Plugin,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObjectcn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperationnsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: databasememberOfGroupAttr: member
memberOfGroupAttr: uniqueMember
memberOfAttr: memberOf
memberOfAllBackends: on
nsslapd-pluginId: memberOf nsslapd-pluginVersion:X.Y.Z
nsslapd-pluginVendor: Red Hat, Inc. nsslapd-pluginDescription: memberOf plugin
Note
member
), it may be necessary to include the member
group attribute or whatever previous member attribute was used, in addition any new member attributes used in the plug-in configuration.
memberOfGroupAttr: member
memberOfGroupAttr: uniqueMember
8.1.4.4. Configuring an Instance of the MemberOf Plug-in
8.1.4.4.1. Editing the MemberOf Plug-in from the Console
- Select the Configuration tab, and expand to the Plugins folder.
- Scroll to the Memberof Plugin entry.
- Make sure that the plug-in is enabled. This is disabled by default.
- Click the Advanced Properties Editor.button to open the
- The
memberOfGroupAttr
attribute sets the attribute in the group entry which the server uses to identify member entries; this attribute can be used multiple times for different group/member types. ThememberOfAttr
attribute sets the attribute which the plug-in creates and manages on user entries. - Save the changes.
- If the Directory Server is not configured to enable dynamic plug-ins, restart the server to update the plug-in.
8.1.4.4.2. Editing the MemberOf Plug-in from the Command Line
- Enable the MemberOf Plug-in. Using
ldapmodify
:dn: cn=MemberOf Plugin,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on
- Set the attribute to use for the group member entry attribute. The default attribute is
member
, which can be changed using thereplace
command, or, since thememberOfGroupAttr
attribute is multi-valued, additional member types can be added to the definition. For example, usingldapmodify
:dn: cn=MemberOf Plugin,cn=plugins,cn=config changetype: modify add: memberOfGroupAttr memberOfGroupAttr: uniqueMember add: memberOfGroupAttr memberOfGroupAttr: customMember-
- Set the attribute to set on the user entries to show group membership. For example, using
ldapmodify
:dn: cn=MemberOf Plugin,cn=plugins,cn=config changetype: modify replace: memberOfAttr memberOfAttr: memberOf
- Optional. If the deployment uses distributed databases, then enable the
memberOfAllBackends
attribute to search through all databases, not just the local one, for user entries. Usingldapmodify
:dn: cn=MemberOf Plugin,cn=plugins,cn=config changetype: modify replace: memberOfAllBackends memberOfAllBackends: on
- If the Directory Server is not configured to enable dynamic plug-ins, restart the server to load the modified new plug-in instance.
8.1.4.6. Setting the Scope of the MemberOf Plug-in
memberOfEntryScope
and memberOfEntryScopeExcludeSubtree
parameters to set what suffixes the MemberOf
plug-in works on.
MemberOf
plug-in only adds the memberOf
attribute to the group if both the user and the group are in the plug-in's scope. For example, to configure the MemberOf
plug-in to work on all entries in dc=example,dc=com
, but to exclude entries in ou=private,dc=example,dc=com
, set:
memberOfEntryScope: dc=example,dc=com memberOfEntryScopeExcludeSubtree: ou=private,dc=example,dc=com
memberOfEntryScope
parameter:
- The membership attribute, such as
member
, is updated in the group entry to remove the user DN value. - The
memberOf
attribute is updated in the user entry to remove the group DN value.
Note
memberOfEntryScopeExcludeSubtree
parameter has a higher priority than values set in memberOfEntryScope
. If the scopes set in both parameters overlap, the MemberOf
plug-in only works on the non-overlapping directory entries.
8.1.4.7. Synchronizing memberOf Values
memberOf
attribute on group member entries, based on the configuration in the group entry itself. However, the memberOf
attribute can be edited on a user entry directly (which is improper) or new entries can be imported or replicated over to the server that have a memberOf
attribute already set. These situations create inconsistencies between the memberOf
configuration managed by the server plug-in and the actual memberships defined for an entry.
memberOf
repair task which manually runs the plug-in to make sure the appropriate memberOf
attributes are set on entries. There are three ways to trigger this task:
- In the Directory Server Console
- Using the
fixup-memberof.pl
script - Running a
cn=memberof task,cn=tasks,cn=config
tasks entry
Note
memberOf
attributes for the entries on other servers are not updated until the updated entry is replicated.
8.1.4.7.1. Initializing and Regenerating memberOf Attributes Using fixup-memberof.pl
fixup-memberof.pl
is a Perl script wrapper used to regenerate memberOf
attributes as described in Section 8.1.4.7.2, “Initializing and Regenerating memberOf Attributes Using ldapmodify”.
man fixup-memberof.pl
.
8.1.4.7.2. Initializing and Regenerating memberOf Attributes Using ldapmodify
memberOf
attributes is one of the tasks which can be managed through a special task configuration entry. Task entries occur under the cn=tasks
configuration entry in the dse.ldif
file, so it is also possible to initiate a task by adding the entry using ldapmodify
. As soon as the task is complete, the entry is removed from the directory.
fixup-memberof.pl
script creates a special task entry in a Directory Server instance which regenerates the memberOf
attributes.
cn=memberof task,
cn=tasks,cn=config
entry. The only required attribute is the cn
for the specific task. Using ldapmodify
:
dn: cn=example memberOf,cn=memberof task,cn=tasks,cn=config changetype: add cn:example memberOf
dse.ldif
configuration, so it is possible to reuse the same task entry continually.
cn=memberof task
configuration is described in more detail in the Configuration, Command, and File Reference.
8.1.5. Automatically Adding Entries to Specified Groups
Note
autoMemberProcessModifyOps
parameter in the cn=Auto Membership Plugin,cn=plugins,cn=config
entry is set to on
. With this setting, the Automembership plug-in also updates group memberships when an administrator moves a user to a different group by editing a user entry.
autoMemberProcessModifyOps
to off
, Directory Server invokes the plug-in only when you add a group entry to the user, and you must manually run a fix-up task to update the group membership.
Note
8.1.5.1. Looking at the Structure of an Automembership Rule
cn=plugins,cn=config
. Group assignments are defined through child entries.
8.1.5.1.1. The Automembership Configuration Entry
- An LDAP search to identify entries, including both a search scope and a search filter (
autoMemberScope
andautoMemberFilter
) - A default group to which to add the member entries (
autoMemberDefaultGroup
) - The member entry format, which is the attribute in the group entry, such as
member
, and the attribute value, such asdn
(autoMemberGroupingAttr
)
cn=windows-users
group:
dn: cn=Windows Users,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinition autoMemberScope: ou=People,dc=example,dc=com autoMemberFilter: objectclass=ntUser autoMemberDefaultGroup: cn=windows-group,cn=groups,dc=example,dc=com autoMemberGroupingAttr: member:dn
cn=Auto Membership Plugin,cn=plugins,cn=config
entry description in the Red Hat Directory Server Configuration, Command, and File Reference.
8.1.5.1.2. Additional Regular Expression Entries
Example 8.2. Automember Definition for a Host Group
dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinition cn: Hostgroups autoMemberScope: dc=example,dc=com autoMemberFilter: objectclass=ipHost autoMemberDefaultGroup: cn=systems,cn=hostgroups,dc=example,dc=com autoMemberGroupingAttr: member:dn
Example 8.3. Regular Expression Condition for a Web Server Group
dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberRegexRule description: Group for webservers cn: webservers autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com
^www\.web[0-9]+\.example\.com
, such as www.web1.example.com
, is added to the cn=webservers
group, defined for that exact regular expression. Any other machine entry, which matches the LDAP filter objectclass=ipHost
but with a different type of fully-qualified domain name, is added to the general host group, cn=systems
, defined in the main definition entry.

Figure 8.1. Regular Expression Conditions
Table 8.3. Regular Expression Condition Attributes
Attribute | Description |
---|---|
autoMemberRegexRule (required object class) | Identifies the entry as a regular expression rule. This entry must be a child of an automember definition (objectclass: autoMemberDefinition ). |
autoMemberInclusiveRegex | Sets a regular expression to use to identify entries to include. Only matching entries are added to the group. Multiple regular expressions could be used, and if an entry matches any one of those expressions, it is included in the group.
The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the
pcresyntax (3) man page.
This is a multi-valued attribute.
|
autoMemberExclusiveRegex | Sets a regular expression to use to identify entries to exclude. If an entry matches the exclusion condition, then it is not included in the group. Multiple regular expressions could be used, and if an entry matches any one of those expressions, it is excluded in the group.
The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the
pcresyntax (3) man page.
This is a multi-valued attribute.
Note
Exclude conditions are evaluated first and take precedence over include conditions.
|
autoMemberTargetGroup | Sets which group to add the entry to as a member, if it meets the regular expression conditions. |
8.1.5.2. Examples of Automembership Rules
- Different host groups based on IP address
- Windows user groups
- Different user groups based on employee ID
Example 8.4. Host Groups by IP Address

configuration entry dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinition cn: Hostgroups autoMemberScope: dc=example,dc=com autoMemberFilter: objectclass=bootableDevice autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com autoMemberGroupingAttr: member:dn regex entry #1 dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberRegexRule description: Group placement for webservers cn: webservers autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com autoMemberInclusiveRegex: fqdn=^www[0-9]+\.example\.com autoMemberInclusiveRegex: fqdn=^web[0-9]+\.example\.com autoMemberExclusiveRegex: fqdn=^www13\.example\.com autoMemberExclusiveRegex: fqdn=^web13\.example\.com regex entry #2 dn: cn=mailservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberRegexRule description: Group placement for mailservers cn: mailservers autoMemberTargetGroup: cn=mailservers,cn=hostgroups,dc=example,dc=com autoMemberInclusiveRegex: fqdn=^mail[0-9]+\.example\.com autoMemberInclusiveRegex: fqdn=^smtp[0-9]+\.example\.com autoMemberExclusiveRegex: fqdn=^mail13\.example\.com autoMemberExclusiveRegex: fqdn=^smtp13\.example\.com
Example 8.5. Windows User Group
posixAccount
attribute to identify all new users. All new users created within Directory Server are created with the posixAccount
attribute, so that is a safe catch-all for new Directory Server users. However, when user accounts are synchronized over from the Windows domain to the Directory Server, the Windows user accounts are created without the posixAccount
attribute.
ntUser
attribute. The basic, all-users group rule can be modified to target Windows users specifically, which can then be added to the default all-users group or to a Windows-specific group.
dn: cn=Windows Users,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinition autoMemberScope: dc=example,dc=com autoMemberFilter: objectclass=ntUser autoMemberDefaultGroup: cn=Windows Users,cn=groups,dc=example,dc=com autoMemberGroupingAttr: member:dn
Example 8.6. User Groups by Employee Type
employeeType
attribute.
configuration entry dn: cn=Employee groups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinition cn: Hostgroups autoMemberScope: ou=employees,ou=people,dc=example,dc=com autoMemberFilter: objectclass=inetorgperson autoMemberDefaultGroup: cn=general,cn=employee groups,ou=groups,dc=example,dc=com autoMemberGroupingAttr: member:dn regex entry #1 dn: cn=full time,cn=Employee groups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberRegexRule description: Group for full time employees cn: full time autoMemberTargetGroup: cn=full time,cn=employee groups,ou=groups,dc=example,dc=com autoMemberInclusiveRegex: employeeType=full regex entry #2 dn: cn=temporary,cn=Employee groups,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberRegexRule description: Group placement for interns, contractors, and seasonal employees cn: temporary autoMemberTargetGroup: cn=temporary,cn=employee groups,ou=groups,dc=example,dc=com autoMemberInclusiveRegex: employeeType=intern autoMemberInclusiveRegex: employeeType=contractor autoMemberInclusiveRegex: employeeType=seasonal
8.1.5.3. Creating Automembership Definitions
- If necessary, enable the Auto Membership Plug-in. Using
ldapmodify
:dn: cn=Auto Membership Plugin,cn=plugins,cn=config changetype: replace replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on
- Create the new plug-in instance below the
cn=Auto Membership Plugin,cn=plugins,cn=config
container entry. This entry must belong to theautoMemberDefinition
object class. Usingldapmodify
:dn: cn=Example Automember Definition,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberDefinition ...
The required attributes for the definition are listed in the Red Hat Directory Server Configuration, Command, and File Reference. - Set the scope and filter for the definition. This is used for the initial search for matching entries.For example, for new entries added to the
ou=People
subtree and containing thentUser
attribute:autoMemberScope: ou=People,dc=example,dc=com autoMemberFilter: objectclass=ntUser
- Set the group to which to add matching entries (as the default or fallback group) and the format of the member entries for that group type.
autoMemberDefaultGroup: cn=windows-group,cn=groups,dc=example,dc=com autoMemberGroupingAttr: member:dn
- Optional. Create inclusive or exclusive regular expression filters and set a group to use for entries matching those filters.The attributes for the regular expression condition are listed in Table 8.3, “Regular Expression Condition Attributes”.Regular expression conditions are added as children of the automember definition. These conditions must belong to the
autoMemberRegexRule
object class.Usingldapmodify
:dn: cn=Example Regex,cn=Example Automember Definition,cn=Auto Membership Plugin,cn=plugins,cn=config objectclass: autoMemberRegexRule ...
Then add the target group name and any inclusive or exclusive regular expressions. Both include and exclude conditions can be used, and multiple expressions of both types can be used.autoMemberTargetGroup: cn=windows-admin-group,cn=groups,dc=example,dc=com autoMemberInclusiveRegex: cn=\.* Administrator \*
If a new entry matches a regular expression condition, it is added to that group instead of the default group set in the automember definition. - If the Directory Server is not configured to enable dynamic plug-ins, restart the server to load the modified new plug-in instance.
8.1.5.4. Updating Existing Entries for Automembership Definitions
cn=automember rebuild membership
) requires three elements to run, based on LDAP search parameters to identify which existing entries to process:
- The search filter
- The search scope
- The base DN from which to begin the search
ldapmodify
; when the task completes, the entry is automatically removed. For example:
dn: cn=my rebuild task, cn=automember rebuild membership,cn=tasks,cn=config objectClass: top objectClass: extensibleObject cn: my rebuild task basedn: dc=example,dc=com filter: (uid=*) scope: sub
8.1.5.5. Testing Automembership Definitions
cn=automember export updates
runs against existing entries in the directory and exports the results of what users would have been added to what groups, based on the rules. This is useful for testing existing rules against existing users to see how your real deployment are performing.
cn=automember rebuild membership
task — the base DN to search, search filter, and search scope — and has an additional parameter to specify an export LDIF file to record the proposed entry updates.
ldapmodify
:
dn: cn=test export, cn=automember export updates,cn=tasks,cn=config objectClass: top objectClass: extensibleObject cn: test export basedn: dc=example,dc=com filter: (uid=*) scope: sub ldif: /tmp/automember-updates.ldif
cn=automember map updates
takes an import LDIF of new users and then runs the new users against the current automembership rules. This can be very useful for testing a new rule, before applying it to (real) new or existing user entries.
ldapmodify
:
dn: cn=test mapping, cn=automember map updates,cn=tasks,cn=config objectClass: top objectClass: extensibleObject cn: test mapping ldif_in: /tmp/entries.ldif ldif_out: /tmp/automember-updates.ldif