1
.TH SLAPO-DYNLIST 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2
.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
3
.\" Copying restrictions apply. See the COPYRIGHT file.
4
.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-dynlist.5,v 1.7.2.4 2008/05/01 21:19:41 quanah Exp $
6
slapo-dynlist \- Dynamic List overlay to slapd
14
allows expansion of dynamic groups and more.
15
Any time an entry with a specific objectClass is being returned,
16
the LDAP URI-valued occurrences of a specific attribute are
17
expanded into the corresponding entries, and the values
18
of the attributes listed in the URI are added to the original
20
No recursion is allowed, to avoid potential infinite loops.
21
The resulting entry must comply with the LDAP data model, so constraints
23
For example, if a \fISINGLE-VALUE\fP attribute is listed,
24
only the first value results in the final entry.
25
The above described behavior is disabled when the \fImanageDSAit\fP
26
control (RFC 3296) is used.
27
In that case, the contents of the dynamic group entry is returned;
28
namely, the URLs are returned instead of being expanded.
31
The config directives that are specific to the
33
overlay must be prefixed by
35
to avoid potential conflicts with directives specific to the underlying
36
database or to other stacked overlays.
40
This directive adds the dynlist overlay to the current database,
41
or to the frontend, if used before any database instantiation; see
48
configuration option is defined for the dynlist overlay. It may have multiple
49
occurrences, and it must appear after the
53
.B dynlist-attrset <group-oc> <URL-ad> [[<mapped-ad>:]<member-ad> ...]
56
is the name of the objectClass that triggers the dynamic expansion of the
61
is the name of the attributeDescription that contains the URI that is
62
expanded by the overlay; if none is present, no expansion occurs.
63
If the intersection of the attributes requested by the search operation
64
(or the asserted attribute for compares) and the attributes listed
65
in the URI is empty, no expansion occurs for that specific URI.
66
It must be a subtype of \fIlabeledURI\fP.
70
is optional; if present, the overlay behaves as a dynamic group: this
71
attribute will list the DN of the entries resulting from the internal search.
72
In this case, the <attrs> portion of the URI must be absent, and the DNs
73
of all the entries resulting from the expansion of the URI are listed
74
as values of this attribute.
75
Compares that assert the value of the
77
attribute of entries with
79
objectClass apply as if the DN of the entries resulting from the expansion
80
of the URI were present in the
82
entry as values of the
87
.B <mapped-ad>:<member-ad>
88
can be used to remap attributes obtained through expansion.
90
attributes are not filled by expanded DN, but are remapped as
92
attributes. Multiple mapping statements can be used.
95
The dynlist overlay may be used with any backend, but it is mainly
96
intended for use with local storage backends.
97
In case the URI expansion is very resource-intensive and occurs frequently
98
with well-defined patterns, one should consider adding a proxycache
99
later on in the overlay stack.
102
By default the expansions are performed using the identity of the current
103
LDAP user. This identity may be overridden by setting the
105
attribute to the DN of another LDAP user. In that case the dgIdentity
106
will be used when expanding the URIs in the object. Setting the dgIdentity
107
to a zero-length string will cause the expansions to be performed
108
anonymously. Note that the dgIdentity attribute is defined in the
110
schema, and this schema must be loaded before the dgIdentity
111
authorization feature may be used.
114
This example collects all the email addresses of a database into a single
115
entry; first of all, make sure that slapd.conf contains the directives:
119
include /path/to/dyngroup.schema
126
dynlist-attrset groupOfURLs memberURL
129
and that slapd loads dynlist.la, if compiled as a run-time module;
130
then add to the database an entry like
133
dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
134
objectClass: groupOfURLs
136
memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
139
If no <attrs> are provided in the URI, all (non-operational) attributes are
142
This example implements the dynamic group feature on the
148
include /path/to/dyngroup.schema
155
dynlist-attrset groupOfURLs memberURL member
159
A dynamic group with dgIdentity authorization could be created with an
163
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
164
objectClass: groupOfURLs
165
objectClass: dgIdentityAux
167
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
168
dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
174
default slapd configuration file
179
.BR slapo-dynlist (5)
180
overlay supports dynamic configuration via
184
This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c.
186
Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.