Provided by: slapd_2.4.11-0ubuntu6_i386
slapo-dynlist - Dynamic List overlay to slapd
The dynlist overlay to slapd(8) allows expansion of dynamic groups and
more. Any time an entry with a specific objectClass is being returned,
the LDAP URI-valued occurrences of a specific attribute are expanded
into the corresponding entries, and the values of the attributes listed
in the URI are added to the original entry. No recursion is allowed,
to avoid potential infinite loops. The resulting entry must comply
with the LDAP data model, so constraints are enforced. For example, if
a SINGLE-VALUE attribute is listed, only the first value results in the
final entry. The above described behavior is disabled when the
manageDSAit control (RFC 3296) is used. In that case, the contents of
the dynamic group entry is returned; namely, the URLs are returned
instead of being expanded.
The config directives that are specific to the dynlist overlay must be
prefixed by dynlist-, to avoid potential conflicts with directives
specific to the underlying database or to other stacked overlays.
This directive adds the dynlist overlay to the current database,
or to the frontend, if used before any database instantiation;
see slapd.conf(5) for details.
This slapd.conf configuration option is defined for the dynlist
overlay. It may have multiple occurrences, and it must appear after the
dynlist-attrset <group-oc> <URL-ad> [[<mapped-ad>:]<member-ad> ...]
The value <group-oc> is the name of the objectClass that
triggers the dynamic expansion of the data.
The value <URL-ad> is the name of the attributeDescription that
contains the URI that is expanded by the overlay; if none is
present, no expansion occurs. If the intersection of the
attributes requested by the search operation (or the asserted
attribute for compares) and the attributes listed in the URI is
empty, no expansion occurs for that specific URI. It must be a
subtype of labeledURI.
The value <member-ad> is optional; if present, the overlay
behaves as a dynamic group: this attribute will list the DN of
the entries resulting from the internal search. In this case,
the <attrs> portion of the URI must be absent, and the DNs of
all the entries resulting from the expansion of the URI are
listed as values of this attribute. Compares that assert the
value of the <member-ad> attribute of entries with <group-oc>
objectClass apply as if the DN of the entries resulting from the
expansion of the URI were present in the <group-oc> entry as
values of the <member-ad> attribute.
Alternatively, <mapped-ad>:<member-ad> can be used to remap
attributes obtained through expansion. <member-ad> attributes
are not filled by expanded DN, but are remapped as <mapped-ad>
attributes. Multiple mapping statements can be used.
The dynlist overlay may be used with any backend, but it is mainly
intended for use with local storage backends. In case the URI
expansion is very resource-intensive and occurs frequently with well-
defined patterns, one should consider adding a proxycache later on in
the overlay stack.
By default the expansions are performed using the identity of the
current LDAP user. This identity may be overridden by setting the
dgIdentity attribute to the DN of another LDAP user. In that case the
dgIdentity will be used when expanding the URIs in the object. Setting
the dgIdentity to a zero-length string will cause the expansions to be
performed anonymously. Note that the dgIdentity attribute is defined in
the dyngroup schema, and this schema must be loaded before the
dgIdentity authorization feature may be used.
This example collects all the email addresses of a database into a
single entry; first of all, make sure that slapd.conf contains the
dynlist-attrset groupOfURLs memberURL
and that slapd loads dynlist.la, if compiled as a run-time module; then
add to the database an entry like
dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
cn: Dynamic List
If no <attrs> are provided in the URI, all (non-operational) attributes
This example implements the dynamic group feature on the member
dynlist-attrset groupOfURLs memberURL member
A dynamic group with dgIdentity authorization could be created with an
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
cn: Dynamic Group
dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
default slapd configuration file
slapd.conf(5), slapd(8). The slapo-dynlist(5) overlay supports dynamic
configuration via back-config.
This module was written in 2004 by Pierangelo Masarati for SysNet
Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.