SLAPO-DYNLIST(5)              File Formats Manual             SLAPO-DYNLIST(5)


NAME

       slapo-dynlist - Dynamic List overlay to slapd


SYNOPSIS

       /etc/openldap/slapd.conf


DESCRIPTION

       The dynlist overlay to slapd(8) allows expansion of dynamic groups and
       more.  Any time an entry with a specific objectClass is being returned,
       the LDAP URI-valued occurrences of a specific attribute are expanded
       into the corresponding entries, and the values of the attributes listed
       in the URI are added to the original entry.  No recursion is allowed,
       to avoid potential infinite loops: entries found by an expansion are
       not themselves expanded.  The resulting entry must comply with the LDAP
       data model, so constraints are enforced.  For example, if a
       SINGLE-VALUE attribute is listed, only the first value results in the
       final entry.  The above described behavior is disabled when the
       manageDSAit control (RFC 3296) is used.  In that case, the contents of
       the dynamic group entry are returned as stored; namely, the URLs are
       returned instead of being expanded.



CONFIGURATION

       The config directives that are specific to the dynlist overlay must be
       prefixed by dynlist-, to avoid potential conflicts with directives
       specific to the underlying database or to other stacked overlays.


       overlay dynlist
              This directive adds the dynlist overlay to the current database,
              or to the frontend, if used before any database instantiation;
              see slapd.conf(5) for details.


       This slapd.conf configuration option is defined for the dynlist
       overlay.  It may have multiple occurrences, and it must appear after
       the overlay directive.

       dynlist-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad>
       ...]
              The value group-oc is the name of the objectClass that triggers
              the dynamic expansion of the data.

              The optional URI restricts expansion only to entries matching
              the DN, the scope and the filter portions of the URI; its attrs
              portion is not used for this purpose.

              The value URL-ad is the name of the attributeDescription that
              contains the URI that is expanded by the overlay; it must be a
              subtype of labeledURI.  If none is present in the entry, no
              expansion occurs.  If the intersection of the attributes
              requested by the search operation (or the asserted attribute
              for compares) and the attributes listed in the URI is empty, no
              expansion occurs for that specific URI.

              The value member-ad is optional; if present, the overlay behaves
              as a dynamic group: this attribute will list the DN of the
              entries resulting from the internal search.  In this case, the
              attrs portion of the URIs in the URL-ad attribute must be
              absent, and the DNs of all the entries resulting from the
              expansion of the URIs are listed as values of this attribute.
              Compares that assert the value of the member-ad attribute of
              entries with group-oc objectClass apply as if the DN of the
              entries resulting from the expansion of the URI were present in
              the group-oc entry as values of the member-ad attribute.

              Alternatively, mapped-ad can be used to remap attributes
              obtained through expansion: the values of the member-ad
              attribute found in the expanded entries are added to the
              group-oc entry under the name mapped-ad, instead of the DNs of
              those entries being listed in member-ad.  Multiple mapping
              statements can be used.


       The dynlist overlay may be used with any backend, but it is mainly
       intended for use with local storage backends.  In case the URI
       expansion is very resource-intensive and occurs frequently with
       well-defined patterns, one should consider adding a proxycache later
       on in the overlay stack.

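       The same overlay configured through back-config rather than slapd.conf,
       with the optional URI argument in use.  This is an added example, not
       part of this manual page or of the OpenLDAP distribution; the database
       entry olcDatabase={1}hdb,cn=config, the suffix dc=example,dc=com and
       the olc* names are assumptions (olcDynamicList and olcDLattrSet are the
       names the 2.4 dynlist overlay registers with back-config; confirm them
       against cn=schema,cn=config on your server before use).

```ldif
# Added example, not from slapo-dynlist(5).  Assumed: the dyngroup schema
# is already loaded, the data database is olcDatabase={1}hdb,cn=config and
# its suffix is dc=example,dc=com.  Apply with ldapmodify (e.g. -Y EXTERNAL
# over ldapi:/// on a default install).
dn: olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist
# Equivalent of the slapd.conf line
#     dynlist-attrset groupOfURLs <URI> memberURL member
# The <URI> (attrs part left empty) limits the expansion to groupOfURLs
# entries that are direct children of ou=Groups.  A groupOfURLs entry that
# a user creates elsewhere in the tree is returned as stored, memberURL
# and all, and never behaves as a group.  The value is split over LDIF
# continuation lines; each continuation starts with two spaces so that one
# space survives the join.
olcDLattrSet: {0}groupOfURLs
  ldap:///ou=Groups,dc=example,dc=com??one?(objectClass=groupOfURLs)
  memberURL member
```

       Once this is loaded, a search against a group below ou=Groups that
       requests member (or all user attributes) gets the expanded DNs; a
       search that requests only cn is returned without any expansion, per
       the intersection rule above, and a search carrying the manageDSAit
       control gets the memberURL values back unexpanded.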

AUTHORIZATION

       By default the expansions are performed using the identity of the
       current LDAP user.  This identity may be overridden by setting the
       dgIdentity attribute in the group's entry to the DN of another LDAP
       user.  In that case the dgIdentity will be used when expanding the URIs
       in the object.  Setting the dgIdentity to a zero-length string will
       cause the expansions to be performed anonymously.  Note that the
       dgIdentity attribute is defined in the dyngroup schema, and this schema
       must be loaded before the dgIdentity authorization feature may be used.
       If the dgAuthz attribute is also present in the group's entry, its
       values are used to determine what identities are authorized to use the
       dgIdentity to expand the group.  Values of the dgAuthz attribute must
       conform to the (experimental) OpenLDAP authz syntax.  Because the
       expansion runs with the privileges of the dgIdentity and its results
       are returned to the requester, write access to dgIdentity and to the
       URL attribute of group entries should be restricted by ACL to trusted
       administrators.


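       A dynamic group that uses both dgIdentity and dgAuthz, together with an
       ACL restricting who may change them.  This is an added example, not
       part of this manual page or of OpenLDAP; the service DNs (cn=Group
       Proxy, cn=HR App, cn=LDAP Admin), the departmentNumber filter and the
       database entry olcDatabase={1}hdb,cn=config are assumptions, and
       dn.exact: is used as the authz form that names a single DN.

```ldif
# Added example, not from slapo-dynlist(5).  Assumed: dyngroup.schema and
# the dynlist overlay (attrset "groupOfURLs memberURL member") are loaded,
# cn=Group Proxy is a service account allowed to read ou=People, cn=HR App
# is the only client that should obtain the expanded membership, and the
# data database is olcDatabase={1}hdb,cn=config.

# 1. The group.  memberURL is expanded as cn=Group Proxy, but only for a
#    requester matching dgAuthz (dn.exact: names a single DN in the authz
#    syntax); other requesters do not get the dgIdentity-based expansion.
dn: cn=HR Staff,ou=Groups,dc=example,dc=com
changetype: add
objectClass: groupOfURLs
objectClass: dgIdentityAux
cn: HR Staff
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(departmentNumber=HR)
dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
dgAuthz: dn.exact:cn=HR App,ou=Services,dc=example,dc=com

# 2. The guard.  Anyone who can write dgIdentity or memberURL on a group
#    can make slapd search as cn=Group Proxy and hand them the result, so
#    only a trusted administrator may modify these attributes.  The {0}
#    index places the rule ahead of any broader "to *" rule already
#    present in olcAccess; continuation lines start with two spaces.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=dgIdentity,dgAuthz,memberURL
  by dn.exact="cn=LDAP Admin,ou=Services,dc=example,dc=com" write
  by users read
  by * none
```

       Leaving dgAuthz off the entry would let any authenticated requester
       obtain the membership as seen by cn=Group Proxy, which is the reason
       the two attributes are normally set together.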

EXAMPLE

       This example collects all the email addresses of a database into a
       single entry; first of all, make sure that slapd.conf contains the
       directives:


           include /path/to/dyngroup.schema
           # ...

           database <database>
           # ...

           overlay dynlist
           dynlist-attrset groupOfURLs memberURL

       and that slapd loads dynlist.la, if compiled as a run-time module; then
       add to the database an entry like

           dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
           objectClass: groupOfURLs
           cn: Dynamic List
           memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)

       If no <attrs> are provided in the URI, all (non-operational) attributes
       are collected.

       This example implements the dynamic group feature on the member
       attribute:


           include /path/to/dyngroup.schema
           # ...

           database <database>
           # ...

           overlay dynlist
           dynlist-attrset groupOfURLs memberURL member

       A dynamic group with dgIdentity authorization could be created with an
       entry like

           dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
           objectClass: groupOfURLs
           objectClass: dgIdentityAux
           cn: Dynamic Group
           memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
           dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com


146

FILES

       /etc/openldap/slapd.conf
              default slapd configuration file


SEE ALSO

       slapd.conf(5), slapd-config(5), slapd(8).  The slapo-dynlist(5) overlay
       supports dynamic configuration via back-config.


ACKNOWLEDGEMENTS

       This module was written in 2004 by Pierangelo Masarati for SysNet
       s.n.c.

       Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.



OpenLDAP 2.4.23                   2010/06/30                  SLAPO-DYNLIST(5)