Using dynamic groups
Dynamic groups contain a set of criteria to identify members rather than maintaining an explicit list of group members.
If a new user entry is created, or if an existing entry is modified so that it matches the membership criteria, then the user is considered a member of the dynamic group. Similarly, if a member’s entry is deleted, or if it is modified so that it no longer matches the group criteria, then the user is no longer considered a member of the dynamic group.
You should limit the number of dynamic groups you create, because they slow down group-related search performance. For the Directory REST API, this performance impact applies to all operations, not just searches. The slowdown occurs because the server has to evaluate the membership of each dynamic group against the values of the
In the PingDirectory server, dynamic groups use the groupOfURLs structural object class and the memberURL attribute, which holds an LDAP URL that defines the membership criteria. Only the base DN, scope, and filter components of the LDAP URL are used when determining membership; any other elements present in the URL (host, port, attribute list, extensions) are ignored.
Example
For example, the following entry defines a dynamic group in which all users below dc=example,dc=com with an employeeType value of contractor are considered members of the group.
dn: cn=Sales Group,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: Sales Group
memberURL: ldap:///dc=example,dc=com??sub?(employeeType=contractor)
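The following Python example, added here and not part of PingDirectory or this page, models how a memberURL is evaluated: it parses the base DN, scope, and filter out of the LDAP URL, ignores every other URL component, and checks candidate entries against them. The entries are constructed sample data, DN handling is naive (no escaped commas), and the filter evaluator only supports the equality, presence, AND, OR, and NOT forms needed to illustrate the point; all of these are simplifications rather than the server's real behaviour.

```python
"""Evaluate groupOfURLs dynamic-group membership from a memberURL value.

Illustrative code, not PingDirectory's implementation. Entries are dicts with
a "dn" key and lowercased attribute names mapping to lists of string values.
"""
from urllib.parse import unquote


def parse_member_url(url):
    """Return (base_dn, scope, filter) from an LDAP URL of the RFC 4516 shape.

    The host/port, attribute list and extensions are parsed past and dropped,
    matching the documented rule that only base, scope and filter matter.
    """
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, _, path = url[len("ldap://"):].partition("/")   # host[:port] ignored
    parts = path.split("?")            # dn ? attrs ? scope ? filter ? extensions
    parts += [""] * (5 - len(parts))
    base_dn = unquote(parts[0]).strip()
    scope = (parts[2] or "base").lower()                    # RFC 4516 default
    filt = unquote(parts[3]) or "(objectClass=*)"           # RFC 4516 default
    if scope not in ("base", "one", "sub"):
        raise ValueError("unsupported scope %r" % scope)
    return base_dn, scope, filt


def dn_rdns(dn):
    """Split a DN into normalized RDNs (naive: assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies within base_dn under the given search scope."""
    e, b = dn_rdns(entry_dn), dn_rdns(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                                # not at or below the base
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def parse_filter(s, i=0):
    """Parse one parenthesized filter at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    op = s[i]
    if op in "&|":
        children, i = [], i + 1
        while s[i] != ")":
            child, i = parse_filter(s, i)
            children.append(child)
        return (op, children), i + 1
    if op == "!":
        child, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("unbalanced NOT filter in %r" % s)
        return ("!", [child]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", (attr.strip().lower(), value)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (case-insensitive equality)."""
    op, arg = node
    if op == "&":
        return all(matches(c, entry) for c in arg)
    if op == "|":
        return any(matches(c, entry) for c in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, value = arg
    values = entry.get(attr, [])
    if value == "*":                                # presence filter
        return bool(values)
    return value.lower() in (v.lower() for v in values)


def is_member(member_url, entry):
    """Membership = entry within base/scope AND entry matches the filter."""
    base_dn, scope, filt = parse_member_url(member_url)
    return in_scope(entry["dn"], base_dn, scope) and matches(parse_filter(filt)[0], entry)


def dynamic_members(member_url, entries):
    """Sorted DNs of all entries the dynamic group currently considers members."""
    return sorted(e["dn"] for e in entries if is_member(member_url, e))


def entry(dn, **attrs):
    """Build a constructed sample entry; attribute names lowercased, values as lists."""
    e = {"dn": dn}
    for k, v in attrs.items():
        e[k.lower()] = list(v) if isinstance(v, (list, tuple)) else [v]
    return e


# Constructed sample entries (hypothetical, not from the page).
SAMPLE_ENTRIES = [
    entry("uid=alice,ou=people,dc=example,dc=com", objectClass="person", employeeType="contractor"),
    entry("uid=bob,ou=people,dc=example,dc=com", objectClass="person", employeeType="employee"),
    entry("uid=carol,ou=people,dc=other,dc=com", objectClass="person", employeeType="contractor"),
]
MEMBER_URL = "ldap:///dc=example,dc=com??sub?(employeeType=contractor)"


def membership_over_time(member_url, entries):
    """Snapshots showing membership tracking a modify and a delete, without
    any explicit member list being maintained."""
    snapshots = {"initial": dynamic_members(member_url, entries)}
    modified = [dict(e) for e in entries]
    modified[1]["employeetype"] = ["contractor"]    # bob becomes a contractor
    snapshots["after_modify"] = dynamic_members(member_url, modified)
    deleted = [e for e in modified if not e["dn"].startswith("uid=alice,")]
    snapshots["after_delete"] = dynamic_members(member_url, deleted)
    return snapshots


if __name__ == "__main__":
    for stage, members in membership_over_time(MEMBER_URL, SAMPLE_ENTRIES).items():
        print(stage, members)
```

Note that carol is never a member even though she is a contractor, because her entry is outside the base DN; the filter alone is not the criterion. A URL carrying a host, an attribute list and an extension yields the same result as the bare one, which is the "other elements are ignored" rule in action.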
To let the server evaluate the group's filter efficiently, create an equality index on employeeType. The index-entry-limit must be larger than the number of entries that share a single value; assuming that fewer than 80,000 entries have an employeeType of contractor, the following definition is sufficient. If more entries match a value than the limit allows, the server stops maintaining that index key and filters on that value become unindexed.
$ bin/dsconfig create-local-db-index --backend-name userRoot \
--index-name employeeType --set index-entry-limit:80000 \
--set index-type:equality