Chapter 6. Organizing and Grouping Entries
6.1. Using Groups
Note
The memberOf attribute identifies, in user entries, the groups to which a user belongs. The memberOf attribute is maintained by the Directory Server and updated automatically on entries as group membership changes. See Section 6.1.4, “Listing Group Membership in User Entries” for information on using the memberOf attribute.
6.1.1. Creating Static Groups in the Console
Note
- In the Directory Server Console, select the Directory tab.
- In the left pane, right-click the entry under which to add a new group, and select New > Group. Alternatively, go to the Object menu, and select New > Group.
- Click General in the left pane. Type a name for the new group in the Group Name field (the name is required), and enter a description of the new group in the Description field.
- Click Members in the left pane. In the right pane, select the Static Group tab. Click to add new members to the group.
- In the Search drop-down list, select what sort of entries to search for (users, groups, or both), then click Search.
- Select the members from the returned entries, and click to add them.
- Click Languages in the left pane to add language-specific information for the group.
- Click to create the new group. It appears in the right pane.
Note
By default, the member search uses the filter (objectclass=person) and scope sub-tree.
6.1.2. Creating Dynamic Groups in the Console
- In the Directory Server Console, select the Directory tab.
- In the left pane, right-click the entry under which to add a new group, and select New > Group. Alternatively, go to the Object menu, and select New > Group.
- Click General in the left pane. Type a name for the new group in the Group Name field (the name is required), and enter a description of the new group in the Description field.
- Click Members in the left pane. In the right pane, select the Dynamic Group tab. Click to create an LDAP URL for querying the database.
- Enter an LDAP URL in the text field, or select the option to be guided through the construction of an LDAP URL. The results show the current entries (group members) which correspond to the filter.
- Click Languages in the left pane to add language-specific information for the group.
- Click to create the group. The new group appears in the right pane.
Note
By default, the LDAP URL uses the filter (objectclass=person) and scope sub-tree.
6.1.3. Creating Groups in the Command Line
Group entries use one of the following object classes:
- groupOfNames is a simple group that allows any entry to be added. The attribute used to determine members for this is member.
- groupOfUniqueNames, like groupOfNames, simply lists user DNs as members, but the members must be unique. This prevents users being added more than once as a group member, which is one way of preventing self-referential group memberships. The attribute used to determine members for this is uniqueMember.
- groupOfURLs uses a list of LDAP URLs to filter and generate its membership list. This object class is required for any dynamic group and can be used in conjunction with groupOfNames and groupOfUniqueNames.
- groupOfCertificates is similar to groupOfURLs in that it uses an LDAP filter to search for and identify certificates (or, really, certificate names) to identify group members. This is useful for group-based access control, since the group can be given special access permissions. The attribute used to determine members for this is memberCertificate.
Table 6.1. Dynamic and Static Group Schema
Type of Group | Group Object Classes | Member Attributes |
---|---|---|
Static | groupOfUniqueNames | uniqueMember |
Dynamic | groupOfUniqueNames, groupOfURLs | memberURL |
For example, the following creates a static group:
ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=static group,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: static group
description: Example static group.
uniqueMember: uid=mwhite,ou=People,dc=example,dc=com
uniqueMember: uid=awhite,ou=People,dc=example,dc=com
A dynamic group, because it also uses groupOfUniqueNames, can explicitly list some group members along with the dynamic LDAP URL. For example:
ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=dynamic group,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
cn: dynamic group
description: Example dynamic group.
memberURL: ldap:///dc=example,dc=com??sub?(&(objectclass=person)(cn=*sen*))
Because a dynamic group's membership is whatever the memberURL currently matches, anyone who can create or modify entries that satisfy the filter effectively adds themselves to the group. When a dynamic group is used to grant access, keep the base DN and filter as narrow as possible and restrict who can write the attributes the filter tests.
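As an added example (not code from the Directory Server documentation or from the server itself), the following Python script models how a groupOfURLs memberURL selects members: it splits the LDAP URL into base DN, scope and filter, and evaluates the filter against constructed sample entries, so the reach of a memberURL can be reviewed before the group is created and used for access control. The sample entries, the caseIgnore matching applied to every attribute, and the limited filter grammar (presence, equality and substring assertions combined with &, | and !) are assumptions of the example, not server behaviour documented on this page.

```python
"""Resolve a dynamic group's memberURL against in-memory entries (added example)."""
import re
from urllib.parse import unquote


def norm_dn(dn):
    """Lower-cased RDN components of a DN (assumed comparison rule)."""
    return [c.strip().lower() for c in dn.split(",")] if dn else []


def in_scope(dn, base, scope):
    """Apply an LDAP search scope (base, one or sub) to a DN."""
    d, b = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return d[1:] == b
    return d[len(d) - len(b):] == b  # sub: the base itself or anything below it


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into base, scope and filter."""
    m = re.match(r"ldap://[^/]*/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// URL: " + url)
    parts = [unquote(p) for p in m.group(1).split("?")] + [""] * 4
    base, _attrs, scope, filt = parts[:4]
    # RFC 4516 defaults when a component is empty.
    return base, (scope.lower() or "base"), (filt or "(objectClass=*)")


def parse_filter(s):
    """Parse an RFC 4515 filter into ('&'|'|', [..]), ('!', node) or ('=', attr, pattern)."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if s[pos] in "&|":
            op, items = s[pos], []
            pos += 1
            while s[pos] == "(":
                items.append(node())
            pos += 1  # closing ')'
            return (op, items)
        if s[pos] == "!":
            pos += 1
            inner = node()
            pos += 1  # closing ')'
            return ("!", inner)
        end = s.index(")", pos)  # values containing ')' are not supported here
        attr, _, value = s[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(s):
        raise ValueError("trailing data in filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's {attr: [values]}."""
    op = tree[0]
    if op == "&":
        return all(matches(t, attrs) for t in tree[1])
    if op == "|":
        return any(matches(t, attrs) for t in tree[1])
    if op == "!":
        return not matches(tree[1], attrs)
    _, attr, pattern = tree
    values = attrs.get(attr, [])
    if pattern == "*":
        return bool(values)  # presence filter
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))  # substring filter
    return any(re.fullmatch(rx, v, re.IGNORECASE) for v in values)


def dynamic_members(member_url, entries):
    """Sorted DNs that a memberURL selects from entries ({dn: {attr: [values]}})."""
    base, scope, filt = parse_ldap_url(member_url)
    tree = parse_filter(filt)
    return sorted(dn for dn, attrs in entries.items()
                  if in_scope(dn, base, scope) and matches(tree, attrs))


def entry(**attrs):
    """Build an entry with lower-cased attribute names and list values."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in attrs.items()}


# Constructed sample entries, not real directory data.
ENTRIES = {
    "uid=jjensen,ou=People,dc=example,dc=com": entry(objectClass=["top", "person"], cn="John Jensen"),
    "uid=asen,ou=Contractors,dc=example,dc=com": entry(objectClass=["top", "person"], cn="Anna Sen"),
    "uid=awhite,ou=People,dc=example,dc=com": entry(objectClass=["top", "person"], cn="Alice White"),
    "cn=sensors,ou=Groups,dc=example,dc=com": entry(objectClass=["top", "groupOfNames"], cn="sensors"),
    "uid=bsen,ou=People,dc=other,dc=com": entry(objectClass=["top", "person"], cn="Bob Sen"),
}

# The memberURL from the dynamic group example above.
URL = "ldap:///dc=example,dc=com??sub?(&(objectclass=person)(cn=*sen*))"

if __name__ == "__main__":
    for dn in dynamic_members(URL, ENTRIES):
        print(dn)
```

With the sample data the page's memberURL selects the contractor Anna Sen as well as John Jensen (the substring matches inside "Jensen"), while the group entry and the entry outside dc=example,dc=com are not members; narrowing the base DN to ou=People and the scope to one would drop the contractor.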
6.1.4. Listing Group Membership in User Entries
Groups list their members in an attribute of the group entry, and the MemberOf Plug-in uses that attribute to set a corresponding memberOf attribute in the member's entry. (By default, this checks the member attribute, but multiple attribute instances can be used to support multiple different group types.)
The MemberOf Plug-in manages the memberOf attributes on the user entries. It provides a way to view the groups to which a user belongs simply by looking at the entry, including nested group membership. It can be very difficult to backtrack memberships through nested groups, but the MemberOf Plug-in shows memberships for all groups, direct and indirect.
6.1.4.1. Directory Topology Considerations with the MemberOf Plug-in
The memberOf attributes for user entries should not be replicated in multi-master environments. Make sure that the memberOf attribute is excluded from replication in the replication agreement. (Fractional replication is described in Section 11.1.7, “Replicating a Subset of Attributes with Fractional Replication”.) To make sure that the memberOf attributes for entries are the same across servers, simply configure the MemberOf Plug-in the same on all servers.
In a topology where only the supplier maintains the memberOf attributes, configure the MemberOf Plug-in for the supplier, then replicate the memberOf attributes to the consumers.
It is possible, as outlined in Section 2.2.1, “Creating Databases”, to distribute suffixes and directory data across different databases. When a group and its members are stored in different databases, the member entries do not get memberOf attributes because the plug-in cannot ascertain the relationship between them. To have the plug-in evaluate entries in all configured databases, set memberOfAllBackends in the plug-in configuration.
6.1.4.2. Required Object Classes by the memberOf Plug-In
For the memberOf plug-in to add the memberOf attribute, the user entry must contain the inetUser or inetAdmin object class to support this attribute. If you configure the memberOf plug-in to use a different attribute, make sure that the user entry contains an object class that supports this attribute.
Alternatively, an entry can use the extensibleObject object class, which allows any attribute. Note that this relaxes schema checking for the whole entry, so an object class that defines only the needed attribute is the safer choice.
Note
If an entry does not contain an object class that allows the configured attribute, the operation fails with an object class violation:
LDAP: error code 65 - Object Class Violation
6.1.4.3. The MemberOf Plug-in Syntax
The MemberOf Plug-in is configured with two attributes: one for the attribute to poll in the group entry (memberOfGroupAttr) and the other for the attribute to create and manage in the member's user entry (memberOfAttr).
The memberOfGroupAttr attribute is multi-valued. Because different types of groups use different member attributes, using multiple memberOfGroupAttr attributes allows the plug-in to manage multiple types of groups.
Example 6.1. Default MemberOf Plug-in Entry
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberOfGroupAttr: member
memberOfGroupAttr: uniqueMember
memberOfAttr: memberOf
memberOfAllBackends: on
nsslapd-pluginId: memberOf
nsslapd-pluginVersion: 9.0.4
nsslapd-pluginVendor: Red Hat, Inc.
nsslapd-pluginDescription: memberOf plugin
Table 6.2. MemberOf Syntax
Plug-in Attribute | Description |
---|---|
cn | Gives a unique name for the plug-in instance. |
memberOfGroupAttr | Gives the attribute in the group entry to poll to identify member DNs. By default, this is the member attribute, but it can be any attribute used to identify group members, such as uniqueMember . This is a multi-valued attribute, so if multiple types of groups will be used with the MemberOf Plug-in, multiple member type attributes can be set. |
memberOfAttr | Gives the attribute for the plug-in to create and manage on the user entry. By default, this is the memberOf attribute. |
memberOfAllBackends | Sets whether the plug-in should evaluate user entries only within the local suffix (off) or whether it should evaluate all configured databases (on). |
memberOfEntryScope | Sets the suffixes on which the plug-in works. If not set, the plug-in works on all suffixes. |
memberOfEntryScopeExcludeSubtree | Sets the suffixes that the plug-in excludes. |
nsslapd-pluginEnabled | Sets whether the plug-in instance is enabled (active) or disabled. The default MemberOf Plug-in instance is disabled by default. |
nsslapd-pluginPath | Gives the name of the specific plug-in to load. This must be libmemberof-plugin . |
nsslapd-pluginInitfunc | Gives the name of the function to call to initialize the plug-in. This must be memberof_postop_init . |
Note
If the memberOfGroupAttr value is changed from the default (member), it may be necessary to include the member group attribute, or whatever previous member attribute was used, in addition to any new member attributes used in the plug-in configuration. See Example 6.1, “Default MemberOf Plug-in Entry”.
memberOfGroupAttr: member
memberOfGroupAttr: uniqueMember
6.1.4.4. Configuring an Instance of the MemberOf Plug-in
6.1.4.4.1. Editing the MemberOf Plug-in from the Console
- Select the Configuration tab, and expand to the Plugins folder.
- Scroll to the Memberof Plugin entry.
- Make sure that the plug-in is enabled. This is disabled by default.
- Click the button that opens the Advanced Properties Editor.
- The memberOfGroupAttr attribute sets the attribute in the group entry which the server uses to identify member entries; this attribute can be used multiple times for different group/member types. The memberOfAttr attribute sets the attribute which the plug-in creates and manages on user entries.
- Save the changes.
- Restart the server to update the plug-in. For example, open the Tasks tab and click the Restart server task.
6.1.4.4.2. Editing the MemberOf Plug-in from the Command Line
- Enable the MemberOf Plug-in.
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
- Set the attribute to use for the group member entry attribute. The default attribute is member, which can be changed using the replace command, or, since the memberOfGroupAttr attribute is multi-valued, additional member types can be added to the definition. For example:
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
add: memberOfGroupAttr
memberOfGroupAttr: uniqueMember
-
add: memberOfGroupAttr
memberOfGroupAttr: customMember
-
- Set the attribute to set on the user entries to show group membership. For example:
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: memberOfAttr
memberOfAttr: memberOf
-
- Optional. If the deployment uses distributed databases, then enable the memberOfAllBackends attribute to search through all databases, not just the local one, for user entries.
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: memberOfAllBackends
memberOfAllBackends: on
-
- Restart the Directory Server to load the modified plug-in configuration.
service dirsrv restart instance_name
6.1.4.5. Setting the Scope of the MemberOf Plug-in
Use the memberOfEntryScope and memberOfEntryScopeExcludeSubtree parameters to set the suffixes on which the MemberOf plug-in works.
The MemberOf plug-in only adds the memberOf attribute to a user entry if both the user and the group are in the plug-in's scope. For example, to configure the MemberOf plug-in to work on all entries in dc=example,dc=com, but to exclude entries in ou=private,dc=example,dc=com, set:
memberOfEntryScope: dc=example,dc=com
memberOfEntryScopeExcludeSubtree: ou=private,dc=example,dc=com
If a user entry is moved out of the scope set in the memberOfEntryScope parameter:
- The membership attribute, such as member, is updated in the group entry to remove the user DN value.
- The memberOf attribute is updated in the user entry to remove the group DN value.
Note
Values set in the memberOfEntryScopeExcludeSubtree parameter have a higher priority than values set in memberOfEntryScope. If the scopes set in both parameters overlap, the MemberOf plug-in only works on the non-overlapping directory entries.
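The following Python model is an added example, not code from the Directory Server documentation or from the MemberOf Plug-in. It applies the rules described in this section and in Section 6.1.4.3 to constructed sample entries: memberOfGroupAttr names the group attributes to read, memberOf collects direct and nested membership, memberOfEntryScope must contain both the member and the group, and memberOfEntryScopeExcludeSubtree takes priority over memberOfEntryScope. Two details are assumptions of the example rather than documented behaviour: DNs are compared component-wise and case-insensitively, and every group in a nested chain must itself be in scope for the membership to propagate.

```python
"""Model how the MemberOf Plug-in derives memberOf values (added example)."""


def norm_dn(dn):
    """Case-insensitive, whitespace-tolerant DN form (assumed comparison rule)."""
    return ",".join(c.strip().lower() for c in dn.split(","))


def in_subtree(dn, base):
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def in_plugin_scope(dn, config):
    """memberOfEntryScopeExcludeSubtree wins over memberOfEntryScope."""
    exclude = config.get("memberOfEntryScopeExcludeSubtree")
    scope = config.get("memberOfEntryScope")
    if exclude and in_subtree(dn, exclude):
        return False
    return scope is None or in_subtree(dn, scope)


def compute_memberof(entries, config):
    """Return {entry DN: {memberOfAttr: sorted group DNs}} for every in-scope member.

    entries: {dn: {attribute: [values]}} (attribute names in any case).
    Both the member and every group on the chain must pass in_plugin_scope.
    """
    group_attrs = [a.lower() for a in config.get("memberOfGroupAttr", ["member"])]
    out_attr = config.get("memberOfAttr", "memberOf")

    # direct[member DN] = set of in-scope groups that list that DN directly
    direct = {}
    for gdn, attrs in entries.items():
        if not in_plugin_scope(gdn, config):
            continue
        attrs = {k.lower(): v for k, v in attrs.items()}
        for a in group_attrs:
            for mdn in attrs.get(a, []):
                direct.setdefault(norm_dn(mdn), set()).add(gdn)

    result = {}
    for dn in entries:
        if not in_plugin_scope(dn, config):
            continue
        # Walk up through nested groups; ``seen`` stops membership cycles.
        seen, stack = set(), list(direct.get(norm_dn(dn), ()))
        while stack:
            gdn = stack.pop()
            if gdn in seen:
                continue
            seen.add(gdn)
            stack.extend(direct.get(norm_dn(gdn), ()))
        if seen:
            result[dn] = {out_attr: sorted(seen)}
    return result


# Plug-in settings from the scope example above, with memberOfGroupAttr as in Example 6.1.
CONFIG = {
    "memberOfGroupAttr": ["member", "uniqueMember"],
    "memberOfAttr": "memberOf",
    "memberOfEntryScope": "dc=example,dc=com",
    "memberOfEntryScopeExcludeSubtree": "ou=private,dc=example,dc=com",
}

STAFF = "cn=staff,ou=Groups,dc=example,dc=com"
ADMINS = "cn=admins,ou=Groups,dc=example,dc=com"
LOOP = "cn=loop,ou=Groups,dc=example,dc=com"
SECRET = "cn=secret,ou=private,dc=example,dc=com"
AWHITE = "uid=awhite,ou=People,dc=example,dc=com"
BJONES = "uid=bjones,ou=private,dc=example,dc=com"
CDOE = "uid=cdoe,ou=People,dc=other,dc=com"

# Constructed sample entries, not real directory data.
ENTRIES = {
    AWHITE: {}, BJONES: {}, CDOE: {},
    STAFF: {"member": [AWHITE, BJONES, CDOE]},
    ADMINS: {"uniqueMember": [STAFF], "member": [LOOP]},  # staff is nested in admins
    LOOP: {"member": [ADMINS]},                           # admins <-> loop cycle
    SECRET: {"member": [AWHITE]},                         # group in the excluded subtree
}

if __name__ == "__main__":
    for dn, attrs in compute_memberof(ENTRIES, CONFIG).items():
        print(dn, attrs)
```

With this configuration uid=awhite is listed in cn=staff, and through nesting in cn=admins and cn=loop, but not in cn=secret, because that group sits in the excluded subtree; uid=bjones (excluded) and uid=cdoe (outside memberOfEntryScope) get no memberOf values at all. Dropping memberOfEntryScopeExcludeSubtree from the configuration makes both cn=secret and uid=bjones visible again, which is the overlap rule from the Note above in action. The admins/loop cycle is the self-referential case mentioned in Section 6.1.3; the walk terminates because each group is visited once.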
6.1.4.6. Synchronizing memberOf Values
The MemberOf Plug-in automatically manages the memberOf attribute on group member entries, based on the configuration in the group entry itself. However, the memberOf attribute can be edited on a user entry directly (which is improper) or new entries can be imported or replicated over to the server that have a memberOf attribute already set. These situations create inconsistencies between the memberOf configuration managed by the server plug-in and the actual memberships defined for an entry. Because applications often authorize on memberOf, make sure access control does not allow users to write the attribute on their own entries; a user who can set memberOf directly gains whatever those applications grant to that group until the next repair.
Directory Server provides a memberOf repair task which manually runs the plug-in to make sure the appropriate memberOf attributes are set on entries. There are three ways to trigger this task:
- In the Directory Server Console
- Using the fixup-memberof.pl script
- Running a cn=memberof task,cn=tasks,cn=config tasks entry
Note
The repair task runs only on the server where it is launched. The memberOf attributes for the entries on other servers are not updated until the updated entry is replicated.
6.1.4.6.1. Initializing and Regenerating memberOf Attributes Using fixup-memberof.pl
The fixup-memberof.pl script launches a special task to regenerate all of the memberOf attributes on user entries based on the defined member attributes in the group entries. This is a clean-up task which synchronizes the membership defined in group entries and the corresponding user entries and overwrites any accidental or improper edits on the user entries.
- Open the tool directory for the Directory Server instance, /usr/lib/dirsrv/slapd-instance_name/.
- Run the script, binding as the Directory Manager.
./fixup-memberof.pl -D "cn=Directory Manager" -w password
Passing the password with -w places it in the process list and the shell history; prefer a form that prompts for it or reads it from a protected file where the script supports one.
The fixup-memberof.pl command is described in more detail in the Configuration and Command-Line Tool Reference.
6.1.4.6.2. Initializing and Regenerating memberOf Attributes Using ldapmodify
Regenerating memberOf attributes is one of the tasks which can be managed through a special task configuration entry. Task entries occur under the cn=tasks configuration entry in the dse.ldif file, so it is also possible to initiate a task by adding the entry using ldapmodify. As soon as the task is complete, the entry is removed from the directory.
The fixup-memberof.pl script creates a special task entry in a Directory Server instance which regenerates the memberOf attributes.
To run the task directly, add a child entry under the cn=memberof task,cn=tasks,cn=config entry. The only required attribute is the cn for the specific task.
ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=example memberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
cn: example memberOf
The task entry is removed from the dse.ldif configuration when it finishes, so it is possible to reuse the same task entry continually.
The cn=memberof task configuration is described in more detail in the Configuration and Command-Line Tool Reference.
6.1.5. Automatically Adding Entries to Specified Groups
Note
6.1.5.1. Looking at the Structure of an Automembership Rule
The Auto Membership Plug-in itself is a container entry, cn=Auto Membership Plugin,cn=plugins,cn=config. Group assignments are defined through child entries.
6.1.5.1.1. The Automembership Configuration Entry
An automember definition has three elements:
- An LDAP search to identify entries, including both a search scope and a search filter (autoMemberScope and autoMemberFilter)
- A default group to which to add the member entries (autoMemberDefaultGroup)
- The member entry format, which is the attribute in the group entry, such as member, and the attribute value, such as dn (autoMemberGroupingAttr)
For example, the following definition adds Windows users to the cn=windows-group group:
dn: cn=Windows Users,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
autoMemberScope: ou=People,dc=example,dc=com
autoMemberFilter: objectclass=ntUser
autoMemberDefaultGroup: cn=windows-group,cn=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
Table 6.3. Automember Definition Attributes
Attribute | Description |
---|---|
autoMemberDefinition (required object class) | Identifies the entry as an automember definition. This entry must be a child of the Auto Membership Plug-in, cn=Auto Membership Plugin,cn=plugins,cn=config. |
autoMemberScope | Sets the subtree DN to search for entries. This is the search base. |
autoMemberFilter | Sets a standard LDAP search filter to use to search for matching entries. Examples of search filters are in Section 10.4, “LDAP Search Filters”. |
autoMemberDefaultGroup | Sets a default or fallback group to add the entry to as a member. If the definition does not use any regular expression conditions, then this is the primary group to which entries are added. If the automember definition does have defined regular expression conditions, then an entry is added to those specified groups first, and the autoMemberDefaultGroup group is used as a fallback for entries which match the autoMemberFilter but do not match a regular expression. |
autoMemberGroupingAttr | Sets the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value. This structures how the Auto Membership Plug-in adds a member to the group, depending on the group configuration. For example, for a groupOfUniqueNames user group, each member is added as a uniqueMember attribute. The value of uniqueMember is the DN of the user entry. In essence, each group member is identified by the attribute-value pair of uniqueMember: user_entry_DN. The member entry format, then, is uniqueMember:dn. |
6.1.5.1.2. Additional Regular Expression Entries
Regular expression conditions are child entries of the definition; each names a target group and the expressions an entry must match (or must not match) to be added to it.
Example 6.2. Automember Definition for a Host Group
dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Hostgroups
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ipHost
autoMemberDefaultGroup: cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
Example 6.3. Regular Expression Condition for a Web Server Group
dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group for webservers
cn: webservers
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com
Any host entry whose fully-qualified domain name matches the regular expression ^www\.web[0-9]+\.example\.com, such as www.web1.example.com, is added to the cn=webservers group, defined for that exact regular expression. Any other machine entry, which matches the LDAP filter objectclass=ipHost but with a different type of fully-qualified domain name, is added to the general host group, cn=systems, defined in the main definition entry.

Figure 6.1. Regular Expression Conditions
Table 6.4. Regular Expression Condition Attributes
Attribute | Description |
---|---|
autoMemberRegexRule (required object class) | Identifies the entry as a regular expression rule. This entry must be a child of an automember definition (objectclass: autoMemberDefinition). |
autoMemberInclusiveRegex | Sets a regular expression to use to identify entries to include. Only matching entries are added to the group. Multiple regular expressions can be used, and if an entry matches any one of those expressions, it is included in the group. The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page. This is a multi-valued attribute. |
autoMemberExclusiveRegex | Sets a regular expression to use to identify entries to exclude. If an entry matches the exclusion condition, then it is not included in the group. Multiple regular expressions can be used, and if an entry matches any one of those expressions, it is excluded from the group. The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page. This is a multi-valued attribute. Note: exclude conditions are evaluated first and take precedence over include conditions. |
autoMemberTargetGroup | Sets which group to add the entry to as a member, if it meets the regular expression conditions. |
6.1.5.2. Examples of Automembership Rules
- Different host groups based on IP address
- Windows user groups
- Different user groups based on employee ID
Example 6.4. Host Groups by IP Address

configuration entry
dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Hostgroups
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=bootableDevice
autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
regex entry #1
dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group placement for webservers
cn: webservers
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www[0-9]+\.example\.com
autoMemberInclusiveRegex: fqdn=^web[0-9]+\.example\.com
autoMemberExclusiveRegex: fqdn=^www13\.example\.com
autoMemberExclusiveRegex: fqdn=^web13\.example\.com
regex entry #2
dn: cn=mailservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group placement for mailservers
cn: mailservers
autoMemberTargetGroup: cn=mailservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^mail[0-9]+\.example\.com
autoMemberInclusiveRegex: fqdn=^smtp[0-9]+\.example\.com
autoMemberExclusiveRegex: fqdn=^mail13\.example\.com
autoMemberExclusiveRegex: fqdn=^smtp13\.example\.com
Example 6.5. Windows User Group
A basic, all-users automember rule uses the posixAccount object class to identify all new users. All new users created within Directory Server are created with the posixAccount object class, so that is a safe catch-all for new Directory Server users. However, when user accounts are synced over from the Windows domain to the Directory Server, the Windows user accounts are created without the posixAccount object class.
Windows user accounts are created with the ntUser object class instead. The basic, all-users group rule can be modified to target Windows users specifically, which can then be added to the default all-users group or to a Windows-specific group.
dn: cn=Windows Users,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ntUser
autoMemberDefaultGroup: cn=Windows Users,cn=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
Example 6.6. User Groups by Employee Type
Employees can be sorted into groups based on the value of the employeeType attribute.
configuration entry
dn: cn=Employee groups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Employee groups
autoMemberScope: ou=employees,ou=people,dc=example,dc=com
autoMemberFilter: objectclass=inetorgperson
autoMemberDefaultGroup: cn=general,cn=employee groups,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
regex entry #1
dn: cn=full time,cn=Employee groups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group for full time employees
cn: full time
autoMemberTargetGroup: cn=full time,cn=employee groups,ou=groups,dc=example,dc=com
autoMemberInclusiveRegex: employeeType=full
regex entry #2
dn: cn=temporary,cn=Employee groups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group placement for interns, contractors, and seasonal employees
cn: temporary
autoMemberTargetGroup: cn=temporary,cn=employee groups,ou=groups,dc=example,dc=com
autoMemberInclusiveRegex: employeeType=intern
autoMemberInclusiveRegex: employeeType=contractor
autoMemberInclusiveRegex: employeeType=seasonal
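The following Python script is an added example, not code from the Directory Server documentation or from the Auto Membership Plug-in. It applies the rule structure of Section 6.1.5.1 to the Hostgroups definition of Example 6.4 and to constructed sample host entries, and renders the resulting group modifications as LDIF, much as the cn=automember export updates task of Section 6.1.5.5 reports proposed updates without changing any group. Its simplifications are assumptions of the example: autoMemberFilter is a single attr=value assertion, DN comparison is component-wise and case-insensitive, regular expressions are matched with re.search rather than PCRE, and the grouping attribute format is attr:dn or attr:attribute.

```python
"""Dry-run automembership definitions against existing entries (added example)."""
import re


def in_subtree(dn, base):
    """Case-insensitive subtree test (assumed DN comparison rule)."""
    d = ",".join(c.strip().lower() for c in dn.split(","))
    b = ",".join(c.strip().lower() for c in base.split(","))
    return d == b or d.endswith("," + b)


def filter_matches(filt, attrs):
    """Single attr=value assertion, as used by the autoMemberFilter values on this page."""
    attr, _, value = filt.strip("()").partition("=")
    values = attrs.get(attr.lower(), [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def regex_matches(patterns, attrs):
    """patterns are 'attr=regex'; true if any value of attr matches (re.search)."""
    for pat in patterns:
        attr, _, rx = pat.partition("=")
        if any(re.search(rx, v) for v in attrs.get(attr.lower(), [])):
            return True
    return False


def target_groups(definition, attrs):
    """Groups for an entry that already passed scope and filter."""
    groups = []
    for rule in definition.get("rules", []):
        if regex_matches(rule.get("autoMemberExclusiveRegex", []), attrs):
            continue  # exclusive conditions are checked first and win
        if regex_matches(rule.get("autoMemberInclusiveRegex", []), attrs):
            groups.append(rule["autoMemberTargetGroup"])
    return groups or [definition["autoMemberDefaultGroup"]]


def evaluate(definition, entries):
    """Return {group DN: [(member attribute, value), ...]} the definition would add."""
    member_attr, _, source = definition["autoMemberGroupingAttr"].partition(":")
    updates = {}
    for dn, attrs in entries.items():
        attrs = {k.lower(): v for k, v in attrs.items()}
        if not in_subtree(dn, definition["autoMemberScope"]):
            continue
        if not filter_matches(definition["autoMemberFilter"], attrs):
            continue
        value = dn if source == "dn" else attrs.get(source.lower(), [None])[0]
        for gdn in target_groups(definition, attrs):
            updates.setdefault(gdn, []).append((member_attr, value))
    return updates


def to_ldif(updates):
    """Render the proposed modifications as LDIF, like an export-updates file."""
    out = []
    for gdn, adds in sorted(updates.items()):
        out.append("dn: " + gdn + "\nchangetype: modify")
        for attr, value in adds:
            out.append("add: %s\n%s: %s\n-" % (attr, attr, value))
        out.append("")
    return "\n".join(out)


# The Hostgroups definition and its two regex rules from Example 6.4.
HOSTGROUPS = {
    "autoMemberScope": "dc=example,dc=com",
    "autoMemberFilter": "objectclass=bootableDevice",
    "autoMemberDefaultGroup": "cn=orphans,cn=hostgroups,dc=example,dc=com",
    "autoMemberGroupingAttr": "member:dn",
    "rules": [
        {"autoMemberTargetGroup": "cn=webservers,cn=hostgroups,dc=example,dc=com",
         "autoMemberInclusiveRegex": [r"fqdn=^www[0-9]+\.example\.com", r"fqdn=^web[0-9]+\.example\.com"],
         "autoMemberExclusiveRegex": [r"fqdn=^www13\.example\.com", r"fqdn=^web13\.example\.com"]},
        {"autoMemberTargetGroup": "cn=mailservers,cn=hostgroups,dc=example,dc=com",
         "autoMemberInclusiveRegex": [r"fqdn=^mail[0-9]+\.example\.com", r"fqdn=^smtp[0-9]+\.example\.com"],
         "autoMemberExclusiveRegex": [r"fqdn=^mail13\.example\.com", r"fqdn=^smtp13\.example\.com"]},
    ],
}


def host(*fqdns, oc=("top", "device", "bootableDevice")):
    return {"objectClass": list(oc), "fqdn": list(fqdns)}


# Constructed sample host entries, not real directory data.
HOSTS = {
    "cn=www1,ou=hosts,dc=example,dc=com": host("www1.example.com"),
    "cn=web13,ou=hosts,dc=example,dc=com": host("web13.example.com"),
    "cn=mail2,ou=hosts,dc=example,dc=com": host("mail2.example.com"),
    "cn=ftp1,ou=hosts,dc=example,dc=com": host("ftp1.example.com"),
    "cn=dual,ou=hosts,dc=example,dc=com": host("www3.example.com", "smtp3.example.com"),
    "cn=rogue,ou=hosts,dc=example,dc=com": host("www9.example.com.attacker.net"),
    "cn=www2,ou=hosts,dc=other,dc=com": host("www2.example.com"),
    "cn=printer1,ou=hosts,dc=example,dc=com": host("printer1.example.com", oc=("top", "device")),
}

if __name__ == "__main__":
    print(to_ldif(evaluate(HOSTGROUPS, HOSTS)))
```

With the sample data cn=dual is added to both target groups, cn=web13 falls through to cn=orphans because its exclusive condition is checked first, cn=www2 is outside autoMemberScope and cn=printer1 fails autoMemberFilter, so neither is touched. The cn=rogue entry is the caveat to take away: the page's expressions anchor the start of the name but not the end, so under search-style matching a host registered as www9.example.com.attacker.net is placed in cn=webservers. If a target group grants access, terminate the pattern with $ or add an exclusive condition, and restrict who can write the attribute the regular expression tests.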
6.1.5.3. Creating Automembership Definitions
- If necessary, enable the Auto Membership Plug-in.
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=Auto Membership Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
- Create the new plug-in instance below the cn=Auto Membership Plugin,cn=plugins,cn=config container entry. This entry must belong to the autoMemberDefinition object class.
ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=Example Automember Definition,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
The required attributes for the definition are listed in Table 6.3, “Automember Definition Attributes”.
- Set the scope and filter for the definition. This is used for the initial search for matching entries. For example, for new entries added to the ou=People subtree and containing the ntUser object class:
autoMemberScope: ou=People,dc=example,dc=com
autoMemberFilter: objectclass=ntUser
- Set the group to which to add matching entries (as the default or fallback group) and the format of the member entries for that group type.
autoMemberDefaultGroup: cn=windows-group,cn=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
- Optional. Create inclusive or exclusive regular expression filters and set a group to use for entries matching those filters. The attributes for the regular expression condition are listed in Table 6.4, “Regular Expression Condition Attributes”. Regular expression conditions are added as children of the automember definition. These conditions must belong to the autoMemberRegexRule object class.
ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=Example Regex,cn=Example Automember Definition,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
Then add the target group name and any inclusive or exclusive regular expressions. Both include and exclude conditions can be used, and multiple expressions of both types can be used.
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com
If a new entry matches a regular expression condition, it is added to that group instead of the default group set in the automember definition.
- Restart the Directory Server to load the new plug-in configuration.
service dirsrv restart instance_name
6.1.5.4. Updating Existing Entries for Automembership Definitions
The rebuild membership task (cn=automember rebuild membership) applies the automembership definitions to entries that already exist. It requires three elements to run, based on LDAP search parameters to identify which existing entries to process:
- The search filter
- The search scope
- The base DN from which to begin the search
The task entry is added using ldapmodify; when the task completes, the entry is automatically removed. For example:
[root@server ~]# ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=my rebuild task, cn=automember rebuild membership,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: my rebuild task
basedn: dc=example,dc=com
filter: (uid=*)
scope: sub
6.1.5.5. Testing Automembership Definitions
The cn=automember export updates task runs against existing entries in the directory and exports the results of what users would have been added to what groups, based on the rules. This is useful for testing existing rules against existing users to see how the real deployment is performing, without modifying any group.
It takes the same parameters as the cn=automember rebuild membership task (the base DN to search, search filter, and search scope) and has an additional parameter to specify an export LDIF file to record the proposed entry updates.
[root@server ~]# ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=test export, cn=automember export updates,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: test export
basedn: dc=example,dc=com
filter: (uid=*)
scope: sub
ldif: /tmp/automember-updates.ldif
The cn=automember map updates task takes an import LDIF of new users and then runs the new users against the current automembership rules. This can be very useful for testing a new rule before applying it to (real) new or existing user entries.
[root@server ~]# ldapmodify -a -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=test mapping, cn=automember map updates,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
cn: test mapping
ldif_in: /tmp/entries.ldif
ldif_out: /tmp/automember-updates.ldif