dscl displays the settings for the group account, similar to the following output, where the group named parentgroup is shown as nested:

apple-generateduid:4B3A5678-E9C1-2EC3-4567-891D234E5678
apple-group-nestedgroup:1A2B3456-C7D8-9EF1-2345-678G912H3456
cn: parentgroup
gidNumber: 700
objectClass: posixGroup apple-group extensibleObject top
AppleMetaNodeLocation: /LDAPv3/ipaddress
GeneratedUID:4B3A5678-E9C1-2EC3-4567-891D234E5678
NestedGroups:1A2B3456-C7D8-9EF1-2345-678G912H3456
PasswordPlus:********
PrimaryGroupID: 700
RecordName: parentgroup
RecordType: dsRecTypeStandard:Groups

Once a nested group is established, it can be split apart, or unnested, by using the dseditgroup tool with the -d option, which deletes the nested group record from the parent group but leaves the group itself intact.

To unnest a group:

$ dseditgroup -o edit [-d childgroup] [-t group] [-u username] [-P password] [-n /LDAPv3/ipaddress] parentgroup

Parameter      Description
childgroup     The name of the child group you are adding to the parent group.
group          The type of account you are changing. In this case group.
username       The short name of a user with LDAP directory service access.
password       The user password.
ipaddress      The IP address of your directory server.
parentgroup    The name of the parent group that the child group is being added to.
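One way to confirm that an unnest took effect is to read the parent group record again and check its NestedGroups attribute. The following sh functions are an added example, not part of the Apple manual: nested_group_ids and group_still_nested are hypothetical names, the sample record is constructed from the listing above, and the handling of indented continuation lines assumes dscl's usual multi-value layout.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# nested_group_ids: read "dscl ... -read" style output on stdin and print one
# NestedGroups GUID per line. Accepts "NestedGroups:GUID", "NestedGroups: G1 G2"
# and values placed on indented continuation lines (assumed dscl layout).
nested_group_ids() {
    awk '
        function emit(line,   n, parts, i) {
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }
        /^NestedGroups:/ {
            in_attr = 1
            sub(/^NestedGroups:[ \t]*/, "")   # keep only the value part
            emit($0)
            next
        }
        in_attr && /^[ \t]/ { emit($0); next }  # continuation of the attribute
        { in_attr = 0 }                         # any other attribute ends it
    '
}

# group_still_nested CHILD_GUID: exit 0 if CHILD_GUID is still listed in the
# NestedGroups attribute of the record on stdin, 1 if it is gone.
group_still_nested() {
    nested_group_ids | grep -qixF -- "$1"
}

# Constructed sample, based on the listing above (not captured from a server).
SAMPLE_RECORD='cn: parentgroup
gidNumber: 700
GeneratedUID:4B3A5678-E9C1-2EC3-4567-891D234E5678
NestedGroups:1A2B3456-C7D8-9EF1-2345-678G912H3456
PrimaryGroupID: 700
RecordName: parentgroup'

# On a server the input would come from dscl instead of the sample, e.g.:
#   dscl /LDAPv3/ipaddress -read /Groups/parentgroup | nested_group_ids
printf '%s\n' "$SAMPLE_RECORD" | nested_group_ids
```

An empty result from nested_group_ids after running the unnest command means the parent group no longer grants membership through any nested group.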

Editing Group Records

You can use dseditgroup to add, remove, or edit group records in the local directory service.

To display the information about a particular group:

$ dseditgroup officegroup

To delete a group:

$ dseditgroup -o delete -n /LDAPv3/ipaddress -u diradmin groupname

Replace ipaddress with the IP address or the DNS name of the LDAPv3 server, diradmin with the name of the directory administrator, and groupname with the name of the group you want to delete.

Chapter 8 Working with Users and Groups
