HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
The Console for managing dynamic groups may not display all possible selections during a search
operation if there is no VLV index for users' search. This problem can occur when the number of
users is 1000 or more and there is no VLV index for search. To work around the problem, create
a VLV index for the users suffix with the filter (objectclass=person) and scope sub-tree.
5.4.3 Creating and managing groups in the command line
Creating both static and dynamic groups from the command line is a similar process. A group
entry contains the group name, the type of group, and a members attribute.
There are several different options for the type of group; these are described in more detail in the
HP-UX Directory Server schema reference. The type of group in this case refers to the type of
defining member attribute it has:
• groupOfNames is a simple group that allows any entry to be added. The attribute used to
  determine members for this is member.
• groupOfUniqueNames, like groupOfNames, simply lists user DNs as members, but the
  members must be unique. This prevents users being added more than once as a group member,
  which is one way of preventing self-referential group memberships. The attribute used to
  determine members for this is uniqueMember.
• groupOfURLs uses a list of LDAP URLs to filter and generate its membership list. This object
  class is required for any dynamic group and can be used in conjunction with groupOfNames
  and groupOfUniqueNames.
• groupOfCertificates is similar to groupOfURLs in that it uses an LDAP filter to search
  for and identify certificates (or, really, certificate names) to identify group members. This is
  useful for group-based access control, because the group can be given special access
  permissions. The attribute used to determine members for this is memberCertificate.
Table 21 (page 224) lists the default attributes for groups as they are created from the command
line.
Table 21 Dynamic and static group schema
Type of group   Group object classes   Member attributes
Static          groupOfUniqueNames     uniqueMember
Dynamic         groupOfUniqueNames     memberURL
                groupOfURLs
A static group entry lists the specific members of the group. For example:
ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=static group,ou=Groups, dc=example, dc=com
objectClass: top
objectClass: groupofuniquenames
cn: static group
description: Example static group
uniqueMember: uid=mwhite, ou=People, dc=example,dc=com
uniqueMember: uid=awhite, ou=People, dc=example,dc=com
A dynamic group uses at least one LDAP URL to identify entries belonging to the group and can
specify multiple LDAP URLs or, if used with another group object class like groupOfUniqueNames,
can explicitly list some group members along with the dynamic LDAP URL.
ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=dynamic group,ou=Groups, dc=example, dc=com
objectClass: top
objectClass: groupofuniquenames
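How the LDAP URL of a dynamic group selects its members, as an added example that is not part of the HP guide: it parses a memberURL value in the RFC 4516 layout and evaluates base, scope and filter against a few entries, which is the check to make before granting permissions to such a group. The memberURL strings, the ENTRIES data and every function name are constructed for illustration, and only a small subset of filter syntax is handled.

```python
import re
from urllib.parse import unquote

# Constructed sample entries (DN -> lower-case attribute names); not taken from the guide.
ENTRIES = {
    "uid=mwhite,ou=People,dc=example,dc=com": {"objectclass": ["person"], "ou": ["Engineering"]},
    "uid=awhite,ou=People,dc=example,dc=com": {"objectclass": ["person"], "ou": ["Sales"]},
    "uid=svc,ou=Services,ou=People,dc=example,dc=com": {"objectclass": ["person"], "ou": ["Engineering"]},
    "cn=printer,ou=Devices,dc=example,dc=com": {"objectclass": ["device"], "ou": ["Engineering"]},
}

def norm(dn):
    """Lower-case a DN and drop spaces around commas (assumes no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_member_url(url):
    """Split ldap://host/base?attrs?scope?filter into (base, scope, filter)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: " + url)
    _host, _, rest = url[len("ldap://"):].partition("/")
    base, _attrs, scope, flt = ([unquote(f) for f in rest.split("?")] + [""] * 3)[:4]
    scope = (scope or "base").lower()  # RFC 4516 defaults: scope base, filter (objectClass=*)
    if not base or scope not in ("base", "one", "sub"):
        raise ValueError("empty base or unknown scope in " + url)
    return norm(base), scope, flt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """True if dn lies within the search scope rooted at base."""
    dn = norm(dn)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]

def matches(flt, attrs):
    """Evaluate (a=v), (a=*), or one level of (&...) / (|...); reject anything else."""
    tests = re.findall(r"\(([\w.;-]+)=([^()*]*|\*)\)", flt)
    if not tests or "!" in flt or flt.count("(") > len(tests) + 1:
        raise ValueError("filter outside this example's subset: " + flt)
    def test(attr, value):
        have = [v.lower() for v in attrs.get(attr.lower(), [])]
        return bool(have) if value == "*" else value.lower() in have
    return (any if flt.startswith("(|") else all)(test(a, v) for a, v in tests)

def resolve(member_url, entries=ENTRIES):
    """Return the DNs a dynamic group's memberURL selects from entries."""
    base, scope, flt = parse_member_url(member_url)
    return sorted(dn for dn, a in entries.items() if in_scope(dn, base, scope) and matches(flt, a))
```

With the sample data, changing only the scope from `one` to `sub` pulls the entry under ou=Services into the group, which is the kind of silent membership growth to look for when a dynamic group carries access permissions.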