SLAPO-DYNLIST(5)              File Formats Manual             SLAPO-DYNLIST(5)

NAME

       slapo-dynlist - Dynamic List overlay to slapd

SYNOPSIS

       /etc/openldap/slapd.conf

DESCRIPTION

       The dynlist overlay to slapd(8) allows expansion of dynamic groups and
       more.  Any time an entry with a specific objectClass (defined in the
       overlay configuration) is being returned, the LDAP URI-valued
       occurrences of a specific attribute (also defined in the overlay
       configuration) are expanded into the corresponding entries, and the
       values of the attributes listed in the URI are added to the original
       entry.  No recursion is allowed, to avoid potential infinite loops.

       The resulting entry must comply with the LDAP data model, so
       constraints are enforced.  For example, if a SINGLE-VALUE attribute is
       listed, only the first value found during the list expansion appears
       in the final entry.  All dynamic behavior is disabled when the
       manageDSAit control (RFC 3296) is used.  In that case, the contents of
       the dynamic group entry are returned as stored; namely, the URLs are
       returned instead of being expanded.


CONFIGURATION

       The config directives that are specific to the dynlist overlay must be
       prefixed by dynlist-, to avoid potential conflicts with directives
       specific to the underlying database or to other stacked overlays.

       overlay dynlist
              This directive adds the dynlist overlay to the current database,
              or to the frontend, if used before any database instantiation;
              see slapd.conf(5) for details.

       The following slapd.conf configuration option is defined for the
       dynlist overlay.  It may have multiple occurrences, and it must appear
       after the overlay directive.

       dynlist-attrset <group-oc> [<URI>] <URL-ad>
              [[<mapped-ad>:]<member-ad>[+<memberOf-ad>[@<static-oc>[*]]] ...]
              The value group-oc is the name of the objectClass that triggers
              the dynamic expansion of the data.

              The optional URI restricts expansion only to entries matching
              the DN, the scope and the filter portions of the URI.

              The value URL-ad is the name of the attributeDescription that
              contains the URI that is expanded by the overlay; if none is
              present, no expansion occurs.  If the intersection of the
              attributes requested by the search operation (or the asserted
              attribute for compares) and the attributes listed in the URI is
              empty, no expansion occurs for that specific URI.  It must be a
              subtype of labeledURI.

              The value member-ad is optional; if present, the overlay behaves
              as a dynamic group: this attribute will list the DN of the
              entries resulting from the internal search.  In this case, the
              attrs portion of the URIs in the URL-ad attribute must be
              absent, and the DNs of all the entries resulting from the
              expansion of the URIs are listed as values of this attribute.
              Compares that assert the value of the member-ad attribute of
              entries with group-oc objectClass apply as if the DN of the
              entries resulting from the expansion of the URI were present in
              the group-oc entry as values of the member-ad attribute.  If
              the optional memberOf-ad attribute is also specified, then it
              will be populated with the DNs of the dynamic groups that an
              entry is a member of.  If the optional static-oc objectClass is
              also specified, then the memberOf attribute will also be
              populated with the DNs of the static groups that an entry is a
              member of.  If the optional * character is also specified, then
              the member and memberOf values will be populated recursively,
              for nested groups.  Note that currently nesting is only
              supported for Search operations, not Compares.

              Alternatively, mapped-ad can be used to remap attributes
              obtained through expansion.  member-ad attributes are not
              filled by expanded DN, but are remapped as mapped-ad
              attributes.  Multiple mapping statements can be used.  The
              memberOf-ad option is not used in this case.

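       The expansion rules above, worked through in Python as an added
       example.  This is not OpenLDAP code and not how slapd implements the
       overlay; it only models the documented behaviour: RFC 4516 URL parsing
       with the default scope and filter, the requested-attributes
       intersection test, collection of all non-operational attributes when
       the URI has no attrs part, the SINGLE-VALUE rule, the manageDSAit
       short-circuit, the dynamic-group (member-ad) mode and a memberOf
       computation over dynamic and static groups.  The directory entries,
       group entries and schema flags (uid as SINGLE-VALUE, entryCSN as
       operational) are constructed for the example; only the scopes
       base/one/sub and a single equality filter are evaluated.

```python
# Emulation of the slapo-dynlist expansion rules (added example, not OpenLDAP code).  The
# directory, groups and schema flags are constructed; only scopes base/one/sub and one equality filter.
import re
from urllib.parse import unquote

SINGLE_VALUE = {"uid"}                  # constructed schema: SINGLE-VALUE attribute types
OPERATIONAL = {"entrycsn", "entrydn"}   # constructed: operational attributes, never collected

DIRECTORY = {  # constructed directory: dn -> {attributeType: [values]}
    "ou=People,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["People"]},
    "uid=alice,ou=People,dc=example,dc=com": {"objectClass": ["person"], "uid": ["alice"], "cn": ["Alice"],
        "mail": ["alice@example.com"], "entryCSN": ["20220504000000.000000Z#000000#000#000000"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectClass": ["person"], "uid": ["bob"], "cn": ["Bob"],
        "mail": ["bob@example.com", "robert@example.com"]},
    "uid=svc,ou=Services,dc=example,dc=com": {"objectClass": ["applicationProcess"], "uid": ["svc"]},
}
GROUPS = {  # constructed group entries: one dynamic (groupOfURLs), one static (groupOfNames)
    "cn=Dynamic Group,ou=Groups,dc=example,dc=com": {"objectClass": ["groupOfURLs"], "cn": ["Dynamic Group"],
        "memberURL": ["ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)"]},
    "cn=Static Group,ou=Groups,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": ["Static Group"],
        "member": ["uid=bob,ou=People,dc=example,dc=com"]},
}
MAIL_LIST = {"objectClass": ["groupOfURLs"], "cn": ["Dynamic List"],  # as in the EXAMPLE section
             "memberURL": ["ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)"]}

def _get(entry, attr):
    """Values of attr in entry, matching the attribute type case-insensitively."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def parse_ldap_url(url):
    """Split an RFC 4516 URL into (base, attrs, scope, filter), applying the RFC defaults."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    _host, _, rest = url[len("ldap://"):].partition("/")        # host part ignored (ldap:///)
    base, attrs, scope, flt = [unquote(p) for p in (rest.split("?", 3) + [""] * 3)[:4]]
    return base, [a for a in attrs.split(",") if a], scope or "base", flt or "(objectClass=*)"

def _in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    below = dn.endswith("," + base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return below and "," not in dn[:-len(base) - 1]   # one RDN below base (escaped commas not handled)
    if scope == "sub":
        return dn == base or below
    raise ValueError("unsupported scope: %r" % scope)

def search(base, scope, flt):
    """DNs of directory entries within scope of base that match one equality filter."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("only a single equality filter is supported: %r" % flt)
    attr, want = m.groups()
    def hit(e):
        vals = _get(e, attr)
        return bool(vals) if want == "*" else any(v.lower() == want.lower() for v in vals)
    return [dn for dn, e in DIRECTORY.items() if _in_scope(dn, base, scope) and hit(e)]

def expand(group, url_ad="memberURL", requested=None, member_ad=None, manage_dsa_it=False):
    """Present group as the overlay would; requested=None means all user attributes, member_ad = dynamic-group mode."""
    result = {k: list(v) for k, v in group.items()}
    if manage_dsa_it:                   # manageDSAit control: the URLs are returned unexpanded
        return result
    for url in _get(group, url_ad):
        base, attrs, scope, flt = parse_ldap_url(url)
        hits = search(base, scope, flt)
        if member_ad is not None:       # dynamic group: member-ad lists the DNs found
            if attrs:
                raise ValueError("the attrs part of the URI must be absent in dynamic-group mode")
            members = result.setdefault(member_ad, [])
            members.extend(dn for dn in hits if dn not in members)
            continue
        if not attrs:                   # no <attrs> in the URI: all non-operational attributes
            attrs = sorted({a for dn in hits for a in DIRECTORY[dn] if a.lower() not in OPERATIONAL})
        if requested is not None:       # empty intersection with the requested attrs: no expansion
            attrs = [a for a in attrs if a.lower() in {r.lower() for r in requested}]
        for dn in hits:
            for attr in attrs:
                key = next((k for k in result if k.lower() == attr.lower()), attr)
                current = result.setdefault(key, [])
                for value in _get(DIRECTORY[dn], attr):
                    if attr.lower() in SINGLE_VALUE and current:
                        break           # SINGLE-VALUE: only the first value found survives
                    if value not in current:
                        current.append(value)
    return result

def member_of(entry_dn, static_oc=None, group_oc="groupOfURLs", url_ad="memberURL", member_ad="member"):
    """DNs of the dynamic groups (plus static groups of class static_oc) that contain entry_dn."""
    out = []
    for gdn, g in GROUPS.items():
        classes = {c.lower() for c in _get(g, "objectClass")}
        if group_oc.lower() in classes:
            members = expand(g, url_ad, member_ad=member_ad).get(member_ad, [])
        else:
            members = _get(g, member_ad) if static_oc and static_oc.lower() in classes else []
        if entry_dn.lower() in {m.lower() for m in members}:
            out.append(gdn)
    return out
```

       expand(MAIL_LIST) yields the three mail values of alice and bob on the
       list entry, expand(MAIL_LIST, requested=["cn"]) leaves it untouched
       because cn is not in the URI's attrs, and the group with no attrs part
       collects objectClass, cn, mail and uid but keeps only alice's uid.
       member_of(dn, static_oc="groupOfNames") mirrors the
       member+memberOf@groupOfNames configuration from the EXAMPLE section.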
87
       The dynlist overlay may be used with any backend, but it is mainly
       intended for use with local storage backends.  In case the URI
       expansion is very resource-intensive and occurs frequently with
       well-defined patterns, one should consider adding a proxycache later
       on in the overlay stack.


AUTHORIZATION

       By default the expansions are performed using the identity of the
       current LDAP user.  This identity may be overridden by setting the
       dgIdentity attribute in the group's entry to the DN of another LDAP
       user.  In that case the dgIdentity will be used when expanding the
       URIs in the object.  Setting the dgIdentity to a zero-length string
       will cause the expansions to be performed anonymously.  Note that the
       dgIdentity attribute is defined in the dyngroup schema, and this
       schema must be loaded before the dgIdentity authorization feature may
       be used.  If the dgAuthz attribute is also present in the group's
       entry, its values are used to determine what identities are
       authorized to use the dgIdentity to expand the group.  Values of the
       dgAuthz attribute must conform to the (experimental) OpenLDAP authz
       syntax.  When using dynamic memberOf in search filters, search access
       to the entryDN pseudo-attribute is required.

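       As an added example (not from the OpenLDAP manual or sources), the
       dynamic group from the EXAMPLE section below, extended with dgAuthz
       values that restrict which identities may expand it as the dgIdentity.
       The values use the dn.exact and dn.subtree forms of the authz syntax
       documented in slapd.conf(5); the user and subtree DNs are constructed
       for the example:

```ldif
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
objectClass: dgIdentityAux
cn: Dynamic Group
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
# memberURL is expanded as this identity instead of the requesting user
dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
# only these requesters are authorized to use the dgIdentity (constructed DNs;
# authz syntax forms as in slapd.conf(5))
dgAuthz: dn.exact:uid=alice,ou=People,dc=example,dc=com
dgAuthz: dn.subtree:ou=Services,dc=example,dc=com
```

       dgIdentityAux, dgIdentity and dgAuthz come from dyngroup.schema, so it
       has to be loaded before this entry can be added.  Without the dgAuthz
       values every requester's expansion runs as cn=Group Proxy, which means
       the proxy identity's read access to ou=People decides what any user
       can learn through the group; dgAuthz keeps that privilege to the
       listed identities.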

EXAMPLE

       This example collects all the email addresses of a database into a
       single entry; first of all, make sure that slapd.conf contains the
       directives:

           include /path/to/dyngroup.schema
           # ...

           database <database>
           # ...

           overlay dynlist
           dynlist-attrset groupOfURLs memberURL

       and that slapd loads dynlist.la, if compiled as a run-time module; then
       add to the database an entry like

           dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
           objectClass: groupOfURLs
           cn: Dynamic List
           memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)

       If no <attrs> are provided in the URI, all (non-operational) attributes
       are collected.

       This example implements the dynamic group feature on the member
       attribute:

           include /path/to/dyngroup.schema
           # ...

           database <database>
           # ...

           overlay dynlist
           dynlist-attrset groupOfURLs memberURL member

       A dynamic group with dgIdentity authorization could be created with an
       entry like

           dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
           objectClass: groupOfURLs
           objectClass: dgIdentityAux
           cn: Dynamic Group
           memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
           dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com

       This example extends the dynamic group feature to add a dynamic
       dgMemberOf attribute to all the members of a dynamic group:

           include /path/to/dyngroup.schema
           # ...

           database <database>
           # ...

           overlay dynlist
           dynlist-attrset groupOfURLs memberURL member+dgMemberOf

       This example extends the dynamic memberOf feature to add the memberOf
       attribute to all the members of both static and dynamic groups:

           include /path/to/dyngroup.schema
           # ...

           database <database>
           # ...

           overlay dynlist
           dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames

       This dynamic memberOf feature can fully replace the functionality of
       the slapo-memberof(5) overlay.


FILES

       /etc/openldap/slapd.conf
              default slapd configuration file


BACKWARD COMPATIBILITY

       The dynlist overlay has been reworked with the 2.5 release to use a
       consistent namespace as with other overlays.  As a side-effect the
       following cn=config parameters are deprecated and will be removed in a
       future release:

              olcDlAttrSet is replaced with olcDynListAttrSet

              olcDynamicList is replaced with olcDynListConfig

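       The last configuration from the EXAMPLE section expressed through
       back-config, as an added example (not from the manual), using the
       current olcDynListAttrSet attribute and olcDynListConfig objectClass
       rather than the deprecated olcDlAttrSet and olcDynamicList.  The
       database RDN olcDatabase={1}mdb, the module entry cn=module{0},cn=config
       and the schema file path are assumptions for the example; the
       olcModuleLoad change is only needed when dynlist is built as a
       run-time module:

```ldif
# Load the dyngroup schema first (dyngroup.ldif is the LDIF form of dyngroup.schema), e.g.
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/dyngroup.ldif
# then apply this file with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f dynlist.ldif

# assumed module entry; skip when the overlay is compiled into slapd
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist.la

# assumed database RDN {1}mdb
dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames
```

       The olcDynListAttrSet value has the same syntax as the dynlist-attrset
       directive in slapd.conf.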

SEE ALSO

       slapd.conf(5), slapd-config(5), slapd(8).  The slapo-dynlist(5) overlay
       supports dynamic configuration via back-config.


BUGS

       Filtering on dynamic groups may return incomplete results if the search
       operation uses the pagedResults control.


ACKNOWLEDGEMENTS

       This module was written in 2004 by Pierangelo Masarati for SysNet
       s.n.c.

       Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.

OpenLDAP 2.6.2                    2022/05/04                  SLAPO-DYNLIST(5)