mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
176 lines
5.2 KiB
Groff
176 lines
5.2 KiB
Groff
.TH SLAPO-DYNLIST 5 "RELEASEDATE" "OpenLDAP LDVERSION"
|
|
.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
|
|
.\" Copying restrictions apply. See the COPYRIGHT file.
|
|
.\" $OpenLDAP$
|
|
.SH NAME
|
|
slapo-dynlist \- Dynamic List overlay to slapd
|
|
.SH SYNOPSIS
|
|
ETCDIR/slapd.conf
|
|
.SH DESCRIPTION
|
|
The
|
|
.B dynlist
|
|
overlay to
|
|
.BR slapd (8)
|
|
allows expansion of dynamic groups and more.
|
|
Any time an entry with a specific objectClass is being returned,
|
|
the LDAP URI-valued occurrences of a specific attribute are
|
|
expanded into the corresponding entries, and the values
|
|
of the attributes listed in the URI are added to the original
|
|
entry.
|
|
No recursion is allowed, to avoid potential infinite loops.
|
|
The resulting entry must comply with the LDAP data model, so constraints
|
|
are enforced.
|
|
For example, if a \fISINGLE-VALUE\fP attribute is listed,
|
|
only the first value results in the final entry.
|
|
The above described behavior is disabled when the \fImanageDSAit\fP
|
|
control (RFC 3296) is used.
|
|
In that case, the contents of the dynamic group entry is returned;
|
|
namely, the URLs are returned instead of being expanded.
|
|
|
|
.SH CONFIGURATION
|
|
The config directives that are specific to the
|
|
.B dynlist
|
|
overlay must be prefixed by
|
|
.BR dynlist\- ,
|
|
to avoid potential conflicts with directives specific to the underlying
|
|
database or to other stacked overlays.
|
|
|
|
.TP
|
|
.B overlay dynlist
|
|
This directive adds the dynlist overlay to the current database,
|
|
or to the frontend, if used before any database instantiation; see
|
|
.BR slapd.conf (5)
|
|
for details.
|
|
|
|
.LP
|
|
This
|
|
.B slapd.conf
|
|
configuration option is defined for the dynlist overlay. It may have multiple
|
|
occurrences, and it must appear after the
|
|
.B overlay
|
|
directive.
|
|
.TP
|
|
.B dynlist-attrset <group-oc> <URL-ad> [<member-ad>]
|
|
The value
|
|
.B <group-oc>
|
|
is the name of the objectClass that triggers the dynamic expansion of the
|
|
data.
|
|
|
|
The value
|
|
.B <URL-ad>
|
|
is the name of the attributeDescription that contains the URI that is
|
|
expanded by the overlay; if none is present, no expansion occurs.
|
|
If the intersection of the attributes requested by the search operation
|
|
(or the asserted attribute for compares) and the attributes listed
|
|
in the URI is empty, no expansion occurs for that specific URI.
|
|
It must be a subtype of \fIlabeledURI\fP.
|
|
|
|
The value
|
|
.B <member-ad>
|
|
is optional; if present, the overlay behaves as a dynamic group: this
|
|
attribute will list the DN of the entries resulting from the internal search.
|
|
In this case, the <attrs> portion of the URI must be absent, and the DNs
|
|
of all the entries resulting from the expansion of the URI are listed
|
|
as values of this attribute.
|
|
Compares that assert the value of the
|
|
.B <member-ad>
|
|
attribute of entries with
|
|
.B <group-oc>
|
|
objectClass apply as if the DN of the entries resulting from the expansion
|
|
of the URI were present in the
|
|
.B <group-oc>
|
|
entry as values of the
|
|
.B <member-ad>
|
|
attribute.
|
|
.LP
|
|
The dynlist overlay may be used with any backend, but it is mainly
|
|
intended for use with local storage backends.
|
|
In case the URI expansion is very resource-intensive and occurs frequently
|
|
with well-defined patterns, one should consider adding a proxycache
|
|
later on in the overlay stack.
|
|
|
|
.SH AUTHORIZATION
|
|
By default the expansions are performed using the identity of the current
|
|
LDAP user. This identity may be overridden by setting the
|
|
.B dgIdentity
|
|
attribute to the DN of another LDAP user. In that case the dgIdentity
|
|
will be used when expanding the URIs in the object. Setting the dgIdentity
|
|
to a zero-length string will cause the expansions to be performed
|
|
anonymously. Note that the dgIdentity attribute is defined in the
|
|
.B dyngroup
|
|
schema, and this schema must be loaded before the dgIdentity
|
|
authorization feature may be used.
|
|
|
|
.SH EXAMPLE
|
|
This example collects all the email addresses of a database into a single
|
|
entry; first of all, make sure that slapd.conf contains the directives:
|
|
|
|
.LP
|
|
.nf
|
|
include /path/to/dyngroup.schema
|
|
# ...
|
|
|
|
database <database>
|
|
# ...
|
|
|
|
overlay dynlist
|
|
dynlist-attrset groupOfURLs memberURL
|
|
.fi
|
|
.LP
|
|
and that slapd loads dynlist.la, if compiled as a run-time module;
|
|
then add to the database an entry like
|
|
.LP
|
|
.nf
|
|
dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
|
|
objectClass: groupOfURLs
|
|
cn: Dynamic List
|
|
memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
|
|
.fi
|
|
|
|
If no <attrs> are provided in the URI, all (non-operational) attributes are
|
|
collected.
|
|
|
|
This example implements the dynamic group feature on the
|
|
.B member
|
|
attribute:
|
|
|
|
.LP
|
|
.nf
|
|
include /path/to/dyngroup.schema
|
|
# ...
|
|
|
|
database <database>
|
|
# ...
|
|
|
|
overlay dynlist
|
|
dynlist-attrset groupOfURLs memberURL member
|
|
.fi
|
|
.LP
|
|
|
|
A dynamic group with dgIdentity authorization could be created with an
|
|
entry like
|
|
.LP
|
|
.nf
|
|
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
|
|
objectClass: groupOfURLs
|
|
objectClass: dgIdentityAux
|
|
cn: Dynamic Group
|
|
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
|
|
dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
|
|
.fi
|
|
|
|
.SH FILES
|
|
.TP
|
|
ETCDIR/slapd.conf
|
|
default slapd configuration file
|
|
.SH SEE ALSO
|
|
.BR slapd.conf (5),
|
|
.BR slapd (8).
|
|
The
|
|
.BR slapo-dynlist (5)
|
|
overlay supports dynamic configuration via
|
|
.BR back-config .
|
|
.SH ACKNOWLEDGEMENTS
|
|
.P
|
|
This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c.
|