SLAPO-DYNLIST(5)              File Formats Manual              SLAPO-DYNLIST(5)

NAME
       slapo-dynlist - Dynamic List overlay to slapd

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The dynlist overlay to slapd(8) allows expansion of dynamic lists and
       groups. Any time an entry with a specific objectClass (defined in the
       overlay configuration) is being returned, the LDAP URI-valued
       occurrences of a specific attribute (also defined in the overlay
       configuration) are expanded into the corresponding entries.

       For a dynamic list, the values of the attributes listed in the URI are
       added from the matching entries to the original entry. No recursion is
       allowed, to avoid potential infinite loops. The resulting entry must
       comply with the LDAP data model, so constraints are enforced. For
       example, if a SINGLE-VALUE attribute is listed, only the first value
       found during the list expansion appears in the final entry.

       For a dynamic group, the DNs of the matching entries are added to a
       member attribute in the original entry.

       All dynamic behavior is disabled when the manageDSAit control (RFC
       3296) is used. In that case, the contents of the original entry are
       returned; namely, the URLs are returned instead of being expanded.

CONFIGURATION
       The config directives that are specific to the dynlist overlay must be
       prefixed by dynlist-, to avoid potential conflicts with directives
       specific to the underlying database or to other stacked overlays.

       overlay dynlist
              This directive adds the dynlist overlay to the current database,
              or to the frontend, if used before any database instantiation;
              see slapd.conf(5) for details.

       This slapd.conf configuration option is defined for the dynlist
       overlay. It may have multiple occurrences, and it must appear after the
       overlay directive.

       dynlist-attrset <group-oc> [<URI>] <URL-ad> [options]
              The value group-oc is the name of the objectClass that triggers
              the dynamic expansion of the data.

              The optional URI restricts expansion only to entries matching
              the DN, the scope and the filter portions of the URI.

              The value URL-ad is the name of the attributeDescription that
              contains the URI that is expanded by the overlay; it must be a
              subtype of labeledURI. If no such attribute is present, no
              expansion occurs. If the intersection of the attributes
              requested by the search operation (or the asserted attribute
              for compares) and the attributes listed in the URI is empty, no
              expansion occurs for that specific URI.

              The remaining options depend on whether a dynamic list or a
              dynamic group is being configured.

              For a dynamic list, the allowed options have the form

                     [<mapped-ad>:<list-ad> ...]

              The mapped-ad can be used to remap attributes obtained through
              expansion. The list-ad must be one of the attributes returned
              in the expansion of the URIs in the URL-ad attribute of the
              dynamic entry. Multiple mapping statements can be used. Note
              that in order for dynamic lists to be usable in a search filter,
              the dynamic attributes to be filtered must be explicitly mapped.
              They can be mapped to themselves if no transformation is
              required.

              For a dynamic group, the allowed options are

                     <member-ad>[+<memberOf-ad>[@<static-oc>[*]]]

              The member-ad is required; this attribute will list the DNs of
              the entries resulting from the internal search. In this case,
              the attrs portion of the URIs in the URL-ad attribute must be
              absent, and the DNs of all the entries resulting from the
              expansion of the URIs are listed as values of this attribute.
              Compares that assert the value of the member-ad attribute of
              entries with group-oc objectClass apply as if the DNs of the
              entries resulting from the expansion of the URI were present in
              the group-oc entry as values of the member-ad attribute. If the
              optional memberOf-ad attribute is also specified, then it will
              be populated with the DNs of the dynamic groups that an entry is
              a member of. If the optional static-oc objectClass is also
              specified, then the memberOf attribute will also be populated
              with the DNs of the static groups that an entry is a member of.
              If the optional * character is also specified, then the member
              and memberOf values will be populated recursively, for nested
              groups. Note that currently nesting is only supported for Search
              operations, not Compares.

       The dynlist overlay may be used with any backend, but it is mainly
       intended for use with local storage backends. In case the URI expansion
       is very resource-intensive and occurs frequently with well-defined
       patterns, one should consider adding a proxycache later on in the
       overlay stack.

AUTHORIZATION
       By default the expansions are performed using the identity of the
       current LDAP user. This identity may be overridden by setting the
       dgIdentity attribute in the group's entry to the DN of another LDAP
       user. In that case the dgIdentity will be used when expanding the URIs
       in the object. Setting the dgIdentity to a zero-length string will
       cause the expansions to be performed anonymously. Note that the
       dgIdentity attribute is defined in the dyngroup schema, and this schema
       must be loaded before the dgIdentity authorization feature may be used.
       If the dgAuthz attribute is also present in the group's entry, its
       values are used to determine what identities are authorized to use the
       dgIdentity to expand the group. Values of the dgAuthz attribute must
       conform to the (experimental) OpenLDAP authz syntax. When using dynamic
       memberOf in search filters, search access to the entryDN
       pseudo-attribute is required.

EXAMPLE
       This example collects all the email addresses of a database into a
       single entry; first of all, make sure that slapd.conf contains the
       directives:

              include /path/to/dyngroup.schema
              # ...

              database <database>
              # ...

              overlay dynlist
              dynlist-attrset groupOfURLs memberURL

       and that slapd loads dynlist.la, if compiled as a run-time module; then
       add to the database an entry like

              dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
              objectClass: groupOfURLs
              cn: Dynamic List
              memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)

       If no <attrs> are provided in the URI, all (non-operational) attributes
       are collected.

       The values of the above list cannot be evaluated in a search filter.
       To enable filter evaluation on the dynamic list, the configuration must
       be changed to explicitly map the dynamic attributes to be filtered. In
       this case mail is just mapped to itself.

              include /path/to/dyngroup.schema
              # ...

              database <database>
              # ...

              overlay dynlist
              dynlist-attrset groupOfURLs memberURL mail:mail

       This example implements the dynamic group feature on the member
       attribute:

              include /path/to/dyngroup.schema
              # ...

              database <database>
              # ...

              overlay dynlist
              dynlist-attrset groupOfURLs memberURL member

       A dynamic group with dgIdentity authorization could be created with an
       entry like

              dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
              objectClass: groupOfURLs
              objectClass: dgIdentityAux
              cn: Dynamic Group
              memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
              dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com

       This example extends the dynamic group feature to add a dynamic
       dgMemberOf attribute to all the members of a dynamic group:

              include /path/to/dyngroup.schema
              # ...

              database <database>
              # ...

              overlay dynlist
              dynlist-attrset groupOfURLs memberURL member+dgMemberOf

       This example extends the dynamic memberOf feature to add the memberOf
       attribute to all the members of both static and dynamic groups:

              include /path/to/dyngroup.schema
              # ...

              database <database>
              # ...

              overlay dynlist
              dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames

       This dynamic memberOf feature can fully replace the functionality of
       the slapo-memberof(5) overlay.

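As an added illustration, not OpenLDAP code, the toy model below applies the expansion rules from the DESCRIPTION and CONFIGURATION sections to the sample "Dynamic List" entry above: it splits the RFC 4516 memberURL into dn/attrs/scope/filter, matches entries by scope and filter, skips a URI whose attrs were not requested, keeps only the first value of a SINGLE-VALUE attribute, applies mapped-ad remapping, collects DNs into member-ad for a dynamic group and rejects a group URI that carries an attrs portion. It assumes an in-memory directory with lower-cased DNs (constructed sample data) and supports only a single (attr=value) filter.

```python
from urllib.parse import unquote
def parse_ldap_uri(uri):
    """Split an RFC 4516 URI 'ldap:///dn?attrs?scope?filter' into its four parts."""
    if not uri.startswith("ldap:///"):
        raise ValueError("dynlist only expands local URIs: " + uri)
    dn, attrs, scope, flt = (uri[8:].split("?") + [""] * 4)[:4]
    return {"base": unquote(dn).lower(), "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": unquote(flt)}

def matches(dn, entry, uri):
    """Scope check on the DN plus a simplified single '(attr=value)' filter."""
    dn, base = dn.lower(), uri["base"]
    below = dn[: -len(base) - 1] if dn.endswith("," + base) else None
    in_scope = {"base": dn == base, "one": below is not None and "," not in below,
                "sub": dn == base or below is not None}[uri["scope"]]
    attr, _, value = uri["filter"].strip("()").partition("=")
    return in_scope and value.lower() in (v.lower() for v in entry.get(attr, []))

DIRECTORY = {  # constructed sample data; DNs lower-cased for the toy's comparisons
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"], "mail": ["alice@example.com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"], "mail": ["bob@example.com"]},
    "cn=dynamic list,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfURLs"],
        "memberURL": ["ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)"]},
}

def expand(dn, entry, directory, group_oc, url_ad, member_ad=None,
           mapping=None, requested=None, single_valued=()):
    """Copy of `entry` with dynamic values added; mapping is {<list-ad>: <mapped-ad>}."""
    out = {k: list(v) for k, v in entry.items()}
    if group_oc not in entry.get("objectClass", []):
        return out                  # not a dynamic entry: returned unchanged
    for raw in entry.get(url_ad, []):
        uri = parse_ldap_uri(raw)
        hits = [(d, e) for d, e in directory.items() if d != dn and matches(d, e, uri)]
        if member_ad:               # dynamic group: the attrs portion must be absent
            if uri["attrs"]:
                raise ValueError("attrs not allowed in a dynamic group URI: " + raw)
            out.setdefault(member_ad, []).extend(d for d, _ in hits if d not in out[member_ad])
            continue
        if uri["attrs"] and requested and not set(uri["attrs"]) & set(requested):
            continue                # dynamic list: none of the URI's attrs were requested
        for _, e in hits:           # no recursion: the hits' own URIs are never expanded
            for attr in uri["attrs"] or list(e):
                target = (mapping or {}).get(attr, attr)
                for v in e.get(attr, []):
                    if target in single_valued and out.get(target):
                        break       # SINGLE-VALUE: only the first value found is kept
                    if v not in out.setdefault(target, []):
                        out[target].append(v)
    return out
```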
FILES
       /etc/openldap/slapd.conf
              default slapd configuration file

NOTES
       The dynlist overlay has been reworked with the 2.5 release to use a
       consistent namespace as with other overlays. As a side-effect the
       following cn=config parameters are deprecated and will be removed in a
       future release: olcDlAttrSet is replaced with olcDynListAttrSet, and
       olcDynamicList is replaced with olcDynListConfig.

SEE ALSO
       slapd.conf(5), slapd-config(5), slapd(8). The slapo-dynlist(5) overlay
       supports dynamic configuration via back-config.

BUGS
       Filtering on dynamic groups may return incomplete results if the search
       operation uses the pagedResults control.

ACKNOWLEDGEMENTS
       This module was written in 2004 by Pierangelo Masarati for SysNet
       s.n.c.

       Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.

OpenLDAP 2.6.6                    2023/07/31                  SLAPO-DYNLIST(5)