Enable memberOf in an Existing Environment

To enable the memberOf feature in an existing deployment, populate the memberOf data by dumping all the group entries and reloading them through the front end. Because of the load this generates, perform it during off-peak times, or when applications are not accessing Directory.

To enable memberOf in an existing environment

  1. Run the following command to check that no entries contain the memberOf attribute.
    dxsearch -h{host} -p{port} -b "ou=Users,o=CA,C=AU" "(memberOf=*)" memberOf
    

    Entries that contain the memberOf attribute are returned. Remove memberOf from any entries that are returned.

  2. Retrieve and store groups.
    dxsearch -h{host} -p{port} -b "ou=Groups,o=CA,C=AU" "(member=*)" member objectClass > groups.ldif
    dxsearch -h{host} -p{port} -b "ou=Groups,o=CA,C=AU" "(uniqueMember=*)" uniqueMember objectClass >> groups.ldif
    
  3. Update groups.ldif to remove the search summary.
  4. Remove the groups (verify that memberOf is not configured).
    grep "^dn: " groups.ldif | sed 's/^dn: //' | dxdelete -h{host} -p{port}
    
  5. Enable the memberOf functionality and re-initialize or restart the DSAs.
  6. Add the groups.
    cat groups.ldif | dxmodify -h{host} -p{port} -a
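
The two searches in step 2 append to the same file, so a group that holds both member and uniqueMember would appear twice, and step 3 is a hand edit. The following check of groups.ldif, run before step 4 deletes the live entries, is an added example and not part of the product documentation. It assumes the file is standard LDIF (RFC 2849); the names `parse`, `preflight` and `SAMPLE` and the sample data are constructed for illustration.

```python
import base64
import re
from collections import Counter

def parse(text):
    """Assumes RFC 2849 LDIF. Returns (entries, stray_lines); entries are (dn, attrs) pairs."""
    entries, stray, attrs = [], [], None
    for line in re.sub(r"\r?\n ", "", text).splitlines():   # unfold continuation lines
        if not line.strip():
            attrs = None                      # a blank line ends the current entry
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or (sep and attrs is None and name.lower() == "version"):
            continue                          # LDIF comment or version header
        if value.startswith(":"):             # "attr:: <base64>"; malformed base64 raises
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        name, value = name.lower(), value.strip()
        if sep and name == "dn":
            attrs = {}
            entries.append((value, attrs))
        elif sep and attrs is not None:
            attrs.setdefault(name, []).append(value)
        else:
            stray.append(line)                # e.g. leftover search summary text
    return entries, stray

def preflight(text):
    """Problems to fix in groups.ldif before step 4 deletes the live groups."""
    entries, stray = parse(text)
    seen = Counter(dn.lower() for dn, _ in entries)    # simple case-insensitive DN match
    return {
        "stray_lines": stray,
        "duplicate_dns": sorted(dn for dn, n in seen.items() if n > 1),
        "no_members": [dn for dn, a in entries
                       if not (a.get("member") or a.get("uniquemember"))],
    }

# Constructed sample: one group returned by both searches, plus leftover summary text.
SAMPLE = """dn: cn=Domain Admins,ou=Groups,o=CA,c=AU
member: cn=alice,ou=Users,o=CA,c=AU

dn: cn=Domain Admins,ou=Groups,o=CA,c=AU
uniqueMember: cn=bob,ou=Users,
 o=CA,c=AU

1 entries returned (constructed summary text)
"""

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

Any non-empty list in the result means groups.ldif would not restore the groups exactly as they were, so resolve it before running the delete.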
    

Example: Migration

This example migration shows how you can export group and user containers:

set memberof-group-containers = <c AU><o CA><ou Groups>;
set memberof-user-containers = <c AU><o CA><ou Users>;