Group Management in 389-DS
List 389-DS Groups
You can list all groups in the default SIMP 389-DS instance by running:
dsidm accounts -b "<base DN>" group list
If running a SIMP-generated default instance, you should see the usual
Add a Group to 389-DS
To add a group to 389-DS, you can either run dsidm posixgroup create, which will prompt you for input, or provide most parameters at the command line:
dsidm accounts -b "<base DN>" posixgroup create --cn alice --gidNumber 1000
Note the use of posixgroup instead of group when adding groups.
posixgroup => POSIX-style groups generally used for system accounts.
group => Regular LDAP groups which may be useful for external services.
Remove a Group from 389-DS
To remove our alice group, run the following command:
dsidm accounts -b "<base DN>" group delete "<DN>"
It will prompt you to type "Yes I am sure" to confirm deletion.
To get the DN for the group run:
dsidm accounts -b "<base DN>" group get alice | head -1 | cut -f2- -d' '
Get Information about a 389-DS Group
Use the following command to get information about a specific group:
dsidm accounts -b "<base DN>" group get alice
Add a User to a 389-DS Group
Use the following command to add a user to a group, giving the group name followed by the DN of the user:
dsidm accounts -b "<base DN>" group add_member <groupname> "<DN>"
You can get the DN of a user by running:
dsidm accounts -b "<base DN>" user get <username> | head -1 | cut -f2- -d' '
It is important to note that, by default, referential integrity is not preserved between users and groups. This means that you will need to manually remove users from groups if you decide to delete a user.
If you want to change this behavior, you can enable the Referential Integrity Postoperation plug-in manually. However, this has ramifications in clustered environments so please read the related documentation before proceeding.
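Because deleted users are not removed from groups automatically, it helps to audit for leftover memberships. The script below is an added example, not part of the SIMP documentation or tooling: it reports group members whose DN matches no current user. It assumes the groups are available as LDIF with member: values and the current user DNs are in a second file, one per line; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list group members whose DN matches no existing user.
# Assumptions: groups are available as LDIF with "member:" values, and the
# current user DNs are in a second file, one per line. All sample data below
# is constructed.

# Lowercase and strip spaces around "," and "=" so equivalent DNs compare equal.
norm_dn() { tr '[:upper:]' '[:lower:]' | sed -e 's/ *, */,/g' -e 's/ *= */=/g'; }

# Join LDIF continuation lines (a line starting with one space continues the previous).
unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }'
}

# find_stale_members GROUPS_LDIF USER_DNS
# Prints "<group dn><TAB><member dn>" for every member with no matching user.
# Base64-encoded values ("member:: ...") are not decoded and are skipped.
find_stale_members() {
    {
        norm_dn < "$2" | sed 's/^/user: /'
        unfold < "$1" | norm_dn
    } | awk '
        /^user: /   { known[substr($0, 7)] = 1; next }
        /^dn: /     { group = substr($0, 5); next }
        /^member: / { m = substr($0, 9)
                      if (!(m in known)) printf "%s\t%s\n", group, m }'
}

# Constructed sample: bob was deleted as a user but is still a group member.
demo_stale_members() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/groups.ldif" <<'EOF'
dn: cn=admins,ou=Group,dc=example,dc=com
cn: admins
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,
 dc=example,dc=com
EOF
    printf '%s\n' 'uid=alice, ou=People, dc=example, dc=com' > "$tmp/users.txt"
    find_stale_members "$tmp/groups.ldif" "$tmp/users.txt"
    rm -rf "$tmp"
}

demo_stale_members
```

Each line of output is a group DN and a stale member DN separated by a tab; those are the memberships to remove by hand.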