Examples of adding, modifying, and deleting group entries

Adding group entries: This example creates static
group entries using the accessGroup, groupOfUniqueNames, and groupOfNames object
classes. Group search limits are also specified in the first group
to allow searches by group members to return up to 200,000 entries
and take unlimited time.

ldapadd -h 127.0.0.1 -D "cn=admin" -w xxxx -f staticGrps.ldif

Where staticGrps.ldif contains:

dn: cn=group1, o=Your Company
objectclass: accessGroup
objectclass: ibm-searchLimits
cn: group1
ibm-searchsizelimit: 200000
ibm-searchtimelimit: 0
member: cn=bob, o=Your Company
member: cn=lisa, o=Your Company
member: cn=chris, cn=bob, o=Your Company
member: cn=john, cn=bob, o=Your Company

dn: cn=group2, o=Your Company
objectclass: groupOfUniqueNames
cn: group2
uniquemember: cn=tom, o=Your Company
uniquemember: cn=dan, o=Your Company
uniquemember: cn=sam, o=Your Company
uniquemember: cn=kevin, o=Your Company

dn: cn=group3, o=Your Company
objectclass: groupOfNames
cn: group3
member: cn=david, o=Your Company
member: cn=jake, o=Your Company
member: cn=scott, o=Your Company
member: cn=eric, o=Your Company

This example creates a dynamic group entry that has an object class
of groupOfURLs:

ldapadd -h 127.0.0.1 -D "cn=admin" -w xxxx -f dynamicGrp.ldif

Where dynamicGrp.ldif contains:

dn: cn=dynamic_team,o=Your Company
objectclass: groupOfUrls
cn: dynamic_team
memberurl: ldap:///o=Your Company??sub?(employeeType=ldapTeam)

This example creates a nested group entry with an object class
of ibm-nestedGroup that references cn=dynamic_team,o=Your
Company and cn=group1,o=Your Company.

ldapadd -h 127.0.0.1 -D "cn=admin" -w xxxx -f nestedGrp.ldif

Where nestedGrp.ldif contains:

dn: cn=nested_grp,o=Your Company
objectclass: ibm-nestedGroup
objectclass: container
cn: nested_grp
ibm-memberGroup: cn=dynamic_team,o=Your Company
ibm-memberGroup: cn=group1,o=Your Company

Modifying group entries: To add a member to a static
group, add the user's distinguished name as an additional value for
the member or uniqueMember attribute. Following is
an example:

ldapmodify -h 127.0.0.1 -D "cn=admin" -w xxxx -f modStaticGrp.ldif

Where modStaticGrp.ldif contains:

dn: cn=group1, o=Your Company
changetype: modify
add: member
member: cn=jeff, cn=tim, o=Your Company

dn: cn=group2, o=Your Company
changetype: modify
add: uniqueMember
uniqueMember: cn=joe,o=Your Company

To remove a member from a static group, remove the user's distinguished
name from the set of member or uniqueMember attribute
values in the static group entry. Following is an example:

ldapmodify -h 127.0.0.1 -D "cn=admin" -w xxxx -f modStaticGrp.ldif

Where modStaticGrp.ldif contains:

dn: cn=group1, o=Your Company
changetype: modify
delete: member
member: cn=jeff, cn=tim, o=Your Company

dn: cn=group2, o=Your Company
changetype: modify
delete: uniqueMember
uniqueMember: cn=joe,o=Your Company

To add a new search expression to a dynamic group, add the LDAP
URL search expression as a value of the memberURL attribute.
Following is an example:

ldapmodify -h 127.0.0.1 -D "cn=admin" -w xxxx -f modDynamicGrp.ldif

Where modDynamicGrp.ldif contains:

dn: cn=dynamic_team, o=Your Company
changetype: modify
add: memberURL
memberURL: ldap:///o=Your Company??sub?(employeeType=javaTeam)

To remove a search expression from a dynamic group entry, the memberURL attribute
value containing the search expression must be removed from the group
entry. Following is an example:

ldapmodify -h 127.0.0.1 -D "cn=admin" -w xxxx -f modDynamicGrp.ldif

Where modDynamicGrp.ldif contains:

dn: cn=dynamic_team, o=Your Company
changetype: modify
delete: memberURL
memberURL: ldap:///o=Your Company??sub?(employeeType=javaTeam)

To add a new group reference to an existing nested group entry,
add the new group's DN as a value of the ibm-memberGroup attribute.
Following is an example:

ldapmodify -h 127.0.0.1 -D "cn=admin" -w xxxx -f modNestedGrp.ldif

Where modNestedGrp.ldif contains:

dn: cn=nested_grp, o=Your Company
changetype: modify
add: ibm-memberGroup
ibm-memberGroup: cn=group2,o=Your Company

To remove a group reference entry from an existing nested group
entry, the ibm-memberGroup attribute value containing the
group reference DN must be deleted. Following is an example:

ldapmodify -h 127.0.0.1 -D "cn=admin" -w xxxx -f modNestedGrp.ldif

Where modNestedGrp.ldif contains:

dn: cn=nested_grp, o=Your Company
changetype: modify
delete: ibm-memberGroup
ibm-memberGroup: cn=group2,o=Your Company

Deleting group entries: To delete a static, dynamic, or nested group entry,
delete the directory entry that represents the group. The ldapdelete command
can be used to perform this delete operation.
This example deletes the static, dynamic, and nested group entries
that were created in the above examples:

ldapdelete -h 127.0.0.1 -D "cn=admin" -w xxx -f deleteGrp.list

Where deleteGrp.list contains:

cn=nested_grp,o=Your Company
cn=group1,o=Your Company
cn=group2,o=Your Company
cn=group3,o=Your Company
cn=dynamic_team,o=Your Company
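
Added example, not part of the original documentation: a simplified Python model of how nested_grp resolves to users through its static (group1) and dynamic (dynamic_team) child groups, for reviewing who a group change actually grants membership to. The user entries cn=amy and cn=raj, the function names, and the restriction to a single equality filter are assumptions of this example; the directory server's own evaluation may differ.

```python
import re
from urllib.parse import unquote

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_member_url(url):
    """Parse ldap:///base?attrs?scope?(attr=value); only one equality filter is handled."""
    m = re.fullmatch(r"ldap:///([^?]*)\?[^?]*\?(\w*)\?\(([\w-]+)=([^()*]+)\)", unquote(url), re.I)
    if not m:
        raise ValueError("unsupported memberURL: " + url)
    base, scope, attr, val = m.groups()
    return norm_dn(base), scope.lower() or "base", attr.lower(), val.lower()

def in_scope(dn, base, scope):
    """True when the normalized dn falls under base for scope base, one or sub."""
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or dn[: -len(base) - 1].count(",") == 0

def effective_members(group_dn, entries, seen=None):
    """Union of static, dynamic and nested members; 'seen' stops reference loops."""
    seen = set() if seen is None else seen
    key = norm_dn(group_dn)
    if key in seen or key not in entries:
        return set()
    seen.add(key)
    group = entries[key]
    found = {norm_dn(m) for a in ("member", "uniquemember") for m in group.get(a, [])}
    for url in group.get("memberurl", []):
        base, scope, attr, val = parse_member_url(url)
        found |= {dn for dn, e in entries.items() if in_scope(dn, base, scope)
                  and val in [v.lower() for v in e.get(attr, [])]}
    for child in group.get("ibm-membergroup", []):
        found |= effective_members(child, entries, seen)
    return found

# Constructed sample: the page's groups (group1 trimmed) plus two invented user entries.
RAW = {
    "cn=group1, o=Your Company": {"member": ["cn=bob, o=Your Company", "cn=lisa, o=Your Company"]},
    "cn=dynamic_team,o=Your Company": {"memberurl": ["ldap:///o=Your Company??sub?(employeeType=ldapTeam)"]},
    "cn=nested_grp,o=Your Company": {"ibm-membergroup": ["cn=dynamic_team,o=Your Company", "cn=group1,o=Your Company"]},
    "cn=amy,o=Your Company": {"employeetype": ["ldapTeam"]},
    "cn=raj,ou=dev,o=Your Company": {"employeetype": ["javaTeam"]},
}
ENTRIES = {norm_dn(dn): attrs for dn, attrs in RAW.items()}
```

Calling effective_members("cn=nested_grp, o=Your Company", ENTRIES) returns bob, lisa and amy. The DN normalization matters because the page writes the same entry both as "cn=group1, o=Your Company" and "cn=group1,o=Your Company".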