Inverted Static Group Implementation

Note: this component has a complexity level of "expert", which means that objects of this type are not expected to be created or altered. Please contact support for assistance if you believe that you have a need to create or modify this type of object.

The Inverted Static Group Implementation provides a group implementation that operates like a static group in that membership is explicitly specified rather than dynamically determined, but rather than storing the membership as a list of DNs in the group entry, membership is stored in user entries by including the DN of the group in the ds-member-of-inverted-static-group-dn operational attribute in the entries for the members of that group.

To create an inverted static group, first create an entry with an object class of "ds-inverted-static-group" and a name specified in the "cn" attribute. If the inverted static group will have any nested groups (that is, groups whose members will also be considered members of the inverted static group), include the DNs of those groups in the "ds-nested-group-dn" attribute. Then, you may add members to the group by adding a "ds-member-of-inverted-static-group-dn" value with the DN of the inverted static group to the entry for each member. To remove a user from an inverted static group, simply remove the ds-member-of-inverted-static-group-dn value with the DN of that group from the user's entry.

For groups with a large number of members, inverted static groups may exhibit substantially better performance than a traditional static group when adding and removing members because the membership change requires updating a user entry, which is typically a lot smaller than the group entry would be if it included all of the membership information.

In addition, traditional static groups do not provide a way to distinguish members that represent regular users from members that represent nested groups. Handling this requires the server to maintain an internal cache, and to perform some relatively expensive processing to update the cache whenever a change is made to a static group. Because inverted static groups store information about nested groups in a separate attribute, the processing required to handle those nested groups is much more efficient.

Just as with other types of groups, the best way to determine whether a user is a member of an inverted static group is to use the isMemberOf virtual attribute in the user's entry. If the attribute has a value that matches the DN of the inverted static group, then the user is considered a member of that group, either directly or indirectly by virtue of being a member of one of its nested groups (the isDirectMemberOf virtual attribute may be used to determine whether the user is a member of an inverted static group without considering nested groups). To retrieve the entries for all members of a virtual static group, perform a subtree search with a filter of "(isMemberOf={groupDN})", and you may combine that filter with other filter components in an AND if you wish to further restrict the members to those also matching additional criteria.
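The create, add-member, remove-member and member-search steps described above, as an added Python example (not part of the product documentation or the server's tooling). It emits LDIF change records and builds the isMemberOf filter with RFC 4515 escaping so that characters in a group DN cannot alter the filter; the function names and sample DNs are hypothetical, and listing objectClass "top" explicitly is an assumption.

```python
import base64

GROUP_OC = "ds-inverted-static-group"
NESTED_ATTR = "ds-nested-group-dn"
MEMBER_ATTR = "ds-member-of-inverted-static-group-dn"

def ldif_line(attr, value):
    """One LDIF line; values that are not LDIF-safe (RFC 2849) are base64-encoded."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def create_group(group_dn, cn, nested_group_dns=()):
    """Add record for the group entry; nested groups go in ds-nested-group-dn."""
    lines = [ldif_line("dn", group_dn), "changetype: add",
             "objectClass: top",  # assumption: 'top' listed explicitly
             f"objectClass: {GROUP_OC}", ldif_line("cn", cn)]
    lines += [ldif_line(NESTED_ATTR, dn) for dn in nested_group_dns]
    return "\n".join(lines) + "\n"

def change_membership(user_dn, group_dn, add=True):
    """Modify record on the USER entry: membership lives there, not in the group."""
    op = "add" if add else "delete"
    return "\n".join([ldif_line("dn", user_dn), "changetype: modify",
                      f"{op}: {MEMBER_ATTR}",
                      ldif_line(MEMBER_ATTR, group_dn), "-"]) + "\n"

def escape_filter_value(value):
    """RFC 4515 escaping so characters in a DN cannot change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def members_filter(group_dn, extra_filter=None):
    """(isMemberOf={groupDN}), optionally ANDed with another complete filter."""
    base = f"(isMemberOf={escape_filter_value(group_dn)})"
    return f"(&{base}{extra_filter})" if extra_filter else base

if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real directory.
    group = "cn=Ops (EU),ou=Groups,dc=example,dc=com"
    user = "uid=jdoe,ou=People,dc=example,dc=com"
    print(create_group(group, "Ops (EU)", ["cn=Helpdesk,ou=Groups,dc=example,dc=com"]))
    print(change_membership(user, group, add=True))
    print(change_membership(user, group, add=False))
    print(members_filter(group, "(objectClass=person)"))
```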

Parent Component

The Inverted Static Group Implementation component inherits from the Group Implementation.

Properties

The properties supported by this managed object are as follows:

Basic Properties: description, enabled
Advanced Properties: None

Basic Properties

description

Description: A description for this Group Implementation
Default Value: None
Allowed Values: A string
Multi-Valued: No
Required: No
Admin Action Required: None. Modification requires no further action

enabled

Description: Indicates whether the Group Implementation is enabled.
Default Value: None
Allowed Values: true, false
Multi-Valued: No
Required: Yes
Admin Action Required: None. Modification requires no further action


dsconfig Usage

To list the configured Group Implementations:

dsconfig list-group-implementations
     [--property {propertyName}] ...

To view the configuration for an existing Group Implementation:

dsconfig get-group-implementation-prop
     --implementation-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Group Implementation:

dsconfig set-group-implementation-prop
     --implementation-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...