Provided by: slapd_2.6.8+dfsg-1~exp4ubuntu3_amd64 
NAME
slapo-autogroup - automatic updates of group memberships which meet the requirements of
any filter contained in the group definition.
SYNOPSIS
In slapd.conf:
...
include ETCDIR/schema/dyngroup.schema
...
moduleload autogroup.so
...
database ...
...
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
DESCRIPTION
The autogroup overlay to slapd(8) allows automated updates of group memberships which meet
the requirements of any filter contained in the group definition. The filters are built
from LDAP URI-valued attributes. Any time an object is added/deleted/updated, it is tested
for compliance with the filters, and its membership is accordingly updated. For searches
and compares, it behaves like a static group. If the attribute part of the URI is filled,
the group entry is populated by the values of this attribute in the entries resulting from
the search.
Note that filters that use attributes that are themselves dynamically computed may not
work consistently, and should be avoided.
CONFIGURATION
Either slapd.conf(5) or the cn=config methodology of slapd-config(5) may be used for
configuring autogroup. Both syntaxes are provided here for convenience:
autogroup-attrset <group-oc> <URL-ad> <member-ad>
olcAutoGroupAttrSet: <group-oc> <URL-ad> <member-ad>
This defines the objectclass-attribute-URI mappings defining the automatically
managed groups, and may appear multiple times.
The value <group-oc> is the name of the objectClass that represents the group.
The value <URL-ad> is the name of the attributeDescription that contains the URI
that is converted to the filters. If no URI is present, there will be no members in
that group. It must be a subtype of labeledURI.
The value <member-ad> is the name of the attributeDescription that specifies the
member attribute. User modification of this attribute is disabled for consistency.
autogroup-memberof-ad <memberof-ad>
olcAutoGroupMemberOfAd <memberof-ad>
This defines the attribute that is used by the memberOf overlay to store the names
of groups that an entry is member of; it must be DN-valued. It should be set to the
same value as memberof-memberof-ad. It defaults to 'memberOf'.
EXAMPLES
As above in SYNOPSIS, or with memberof:
...
include ETCDIR/schema/dyngroup.schema
include ETCDIR/schema/memberof.schema
...
moduleload autogroup.so
moduleload memberof.so
...
database ...
...
overlay memberof
memberof-memberof-ad foo
...
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
autogroup-memberof-ad foo
CAVEATS
As with static groups, update operations on groups with a large number of members may be
slow. If the attribute part of the URI is specified, modify and delete operations are more
difficult to handle. In these cases the overlay will try to detect if groups have been
modified and then simply refresh them. This can cause performance hits if the search
specified by the URI deals with a significant number of entries.
BACKWARD COMPATIBILITY
The autogroup overlay has been reworked with the 2.5 release to use a consistent namespace
as with other overlays. As a side-effect the following cn=config parameters are deprecated
and will be removed in a future release:
• olcAGattrSet is replaced with olcAutoGroupAttrSet
• olcAGmemberOfAd is replaced with olcAutoGroupMemberOfAd
• olcAutomaticGroups is replaced with olcAutoGroupConfig
ACKNOWLEDGEMENTS
This module was originally written in 2007 by Michał Szulczyński. Further enhancements
were contributed by Howard Chu, Raphael Ouazana, Norbert Pueschel, and Christian Manal.
Manpage updates provided by Emily Backes.
SEE ALSO
slapd.conf(5), slapd(8).
Copyrights
Copyright 1998-2024 The OpenLDAP Foundation. Portions Copyright © 2007 Michał
Szulczyński. All rights reserved.