4.8.1.1.4. Group Management in 389-DS

4.8.1.1.4.1. List 389-DS Groups

You can list all groups in the default SIMP 389-DS instance by running:

dsidm accounts -b "<base DN>" group list

If running a SIMP-generated default instance, you should see the usual users and administrators groups.

4.8.1.1.4.2. Add a Group to 389-DS

To add a group to 389-DS, either run dsidm posixgroup create, which prompts you for input, or provide most parameters on the command line as follows:

dsidm accounts -b "<base DN>" posixgroup create --cn alice --gidNumber 1000

Note

Note the use of posixgroup instead of group when adding groups.

  • posixgroup => POSIX-style groups generally used for system accounts.

  • group => Regular LDAP groups which may be useful for external services.

4.8.1.1.4.3. Remove a Group from 389-DS

To remove our alice group, run the following command:

dsidm accounts -b "<base DN>" group delete "<DN>"

It will prompt you to type Yes I am sure to confirm deletion.

To get the DN for the group run:

dsidm accounts -b "<base DN>" group get alice | head -1 | cut -f2- -d' '

4.8.1.1.4.4. Get Information about a 389-DS Group

Use the following command to get information about a specific group:

dsidm accounts -b "<base DN>" group get alice

4.8.1.1.4.5. Add a User to a 389-DS Group

Use the following command to add a user to a group, giving the group name followed by the DN of the user:

dsidm accounts -b "<base DN>" group add_member <group name> "<DN>"

You can get the DN of a user by running:

dsidm accounts -b "<base DN>" user get <username> | head -1 | cut -f2- -d' '

It is important to note that, by default, referential integrity is not preserved between users and groups. This means that you will need to manually remove users from groups if you decide to delete a user.

If you want to change this behavior, you can enable the Referential Integrity Postoperation plug-in manually. However, this has ramifications in clustered environments, so please read the related documentation before proceeding.
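With referential integrity off, a deleted user's DN stays in every group that listed it, and a later account created with the same DN picks up those memberships. The following script is an added example, not part of SIMP or 389-DS: it reads an LDIF export on stdin and reports group members whose entries no longer exist. It assumes unwrapped, non-base64 LDIF with members stored in the member attribute; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SIMP code. Finds group "member" values that point at
# entries missing from the same LDIF export.
# Assumptions: unwrapped LDIF (for example from ldapsearch -o ldif-wrap=no),
# no base64-encoded values, and the export covers both users and groups.

# find_dangling_members: LDIF on stdin, prints "<group DN><TAB><missing member DN>"
find_dangling_members() {
    awk '
        # Normalise a DN for comparison: lower-case, drop spaces after commas.
        function norm(dn) { dn = tolower(dn); gsub(/, +/, ",", dn); return dn }
        /^dn: /     { cur = substr($0, 5); exists[norm(cur)] = 1; next }
        /^member: / { n++; grp[n] = cur; mem[n] = substr($0, 9); next }
        END {
            for (i = 1; i <= n; i++)
                if (!(norm(mem[i]) in exists))
                    printf "%s\t%s\n", grp[i], mem[i]
        }
    '
}

# Constructed sample export: bob was deleted but is still listed in
# the administrators group.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: cn=administrators,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: administrators
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com

dn: cn=users,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: users
member: UID=Alice, ou=People,dc=example,dc=com
EOF
}

sample_ldif | find_dangling_members
```

Each line printed is a membership to clear with dsidm's group remove_member subcommand, which takes the group name and the member DN.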