openldap/doc/man/man5/slapo-dynlist.5
Quanah Gibson-Mount efaf9a4a17 Happy New Year!
2021-01-11 19:25:53 +00:00

276 lines
8.0 KiB
Groff

.TH SLAPO-DYNLIST 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2021 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
slapo\-dynlist \- Dynamic List overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The
.B dynlist
overlay to
.BR slapd (8)
allows expansion of dynamic groups and more.
Any time an entry with a specific objectClass (defined in the overlay configuration) is being returned,
the LDAP URI-valued occurrences of a specific attribute (also defined in the overlay configuration) are
expanded into the corresponding entries, and the values
of the attributes listed in the URI are added to the original
entry.
No recursion is allowed, to avoid potential infinite loops.
The resulting entry must comply with the LDAP data model, so constraints
are enforced.
For example, if a \fISINGLE\-VALUE\fP attribute is listed,
only the first value found during the list expansion appears in the final entry.
All dynamic behavior is disabled when the \fImanageDSAit\fP
control (RFC 3296) is used.
In that case, the contents of the dynamic group entry is returned;
namely, the URLs are returned instead of being expanded.
.SH CONFIGURATION
The config directives that are specific to the
.B dynlist
overlay must be prefixed by
.BR dynlist\- ,
to avoid potential conflicts with directives specific to the underlying
database or to other stacked overlays.
.TP
.B overlay dynlist
This directive adds the dynlist overlay to the current database,
or to the frontend, if used before any database instantiation; see
.BR slapd.conf (5)
for details.
.LP
This
.B slapd.conf
configuration option is defined for the dynlist overlay. It may have multiple
occurrences, and it must appear after the
.B overlay
directive.
.TP
.B dynlist\-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad>[+<memberOf-ad[@<static-oc>[*]] ...]
The value
.B group\-oc
is the name of the objectClass that triggers the dynamic expansion of the
data.
The optional
.B URI
restricts expansion only to entries matching the \fIDN\fP,
the \fIscope\fP and the \fIfilter\fP portions of the URI.
The value
.B URL-ad
is the name of the attributeDescription that contains the URI that is
expanded by the overlay; if none is present, no expansion occurs.
If the intersection of the attributes requested by the search operation
(or the asserted attribute for compares) and the attributes listed
in the URI is empty, no expansion occurs for that specific URI.
It must be a subtype of \fIlabeledURI\fP.
The value
.B member-ad
is optional; if present, the overlay behaves as a dynamic group: this
attribute will list the DN of the entries resulting from the internal search.
In this case, the \fIattrs\fP portion of the URIs in the
.B URL-ad
attribute must be absent, and the \fIDN\fPs
of all the entries resulting from the expansion of the URIs are listed
as values of this attribute.
Compares that assert the value of the
.B member-ad
attribute of entries with
.B group-oc
objectClass apply as if the DN of the entries resulting from the expansion
of the URI were present in the
.B group-oc
entry as values of the
.B member-ad
attribute.
If the optional
.B memberOf-ad
attribute is also specified, then it will be populated with the DNs of the
dynamic groups that an entry is a member of.
If the optional
.B static-oc
objectClass is also specified, then the memberOf attribute will also be
populated with the DNs of the static groups that an entry is a member of.
If the optional
.B *
character is also specified, then the member and memberOf values will be
populated recursively, for nested groups. Note that currently nesting is
only supported for Search operations, not Compares.
Alternatively,
.B mapped-ad
can be used to remap attributes obtained through expansion.
.B member-ad
attributes are not filled by expanded DN, but are remapped as
.B mapped-ad
attributes. Multiple mapping statements can be used. The
.B memberOf-ad
option is not used in this case.
.LP
The dynlist overlay may be used with any backend, but it is mainly
intended for use with local storage backends.
In case the URI expansion is very resource-intensive and occurs frequently
with well-defined patterns, one should consider adding a proxycache
later on in the overlay stack.
.SH AUTHORIZATION
By default the expansions are performed using the identity of the current
LDAP user.
This identity may be overridden by setting the
.B dgIdentity
attribute in the group's entry to the DN of another LDAP user.
In that case the dgIdentity will be used when expanding the URIs in the object.
Setting the dgIdentity to a zero-length string will cause the expansions
to be performed anonymously.
Note that the dgIdentity attribute is defined in the
.B dyngroup
schema, and this schema must be loaded before the dgIdentity
authorization feature may be used.
If the
.B dgAuthz
attribute is also present in the group's entry, its values are used
to determine what identities are authorized to use the
.B dgIdentity
to expand the group.
Values of the
.B dgAuthz
attribute must conform to the (experimental) \fIOpenLDAP authz\fP syntax.
When using dynamic memberOf in search filters, search access to the
.B entryDN
pseudo-attribute is required.
.SH EXAMPLE
This example collects all the email addresses of a database into a single
entry; first of all, make sure that slapd.conf contains the directives:
.LP
.nf
include /path/to/dyngroup.schema
# ...
database <database>
# ...
overlay dynlist
dynlist\-attrset groupOfURLs memberURL
.fi
.LP
and that slapd loads dynlist.la, if compiled as a run-time module;
then add to the database an entry like
.LP
.nf
dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: Dynamic List
memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
.fi
If no <attrs> are provided in the URI, all (non-operational) attributes are
collected.
This example implements the dynamic group feature on the
.B member
attribute:
.LP
.nf
include /path/to/dyngroup.schema
# ...
database <database>
# ...
overlay dynlist
dynlist\-attrset groupOfURLs memberURL member
.fi
.LP
A dynamic group with dgIdentity authorization could be created with an
entry like
.LP
.nf
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
objectClass: dgIdentityAux
cn: Dynamic Group
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
.fi
This example extends the dynamic group feature to add a dynamic
.B dgMemberOf
attribute to all the members of a dynamic group:
.LP
.nf
include /path/to/dyngroup.schema
# ...
database <database>
# ...
overlay dynlist
dynlist\-attrset groupOfURLs memberURL member+dgMemberOf
.fi
.LP
This example extends the dynamic memberOf feature to add the
.B memberOf
attribute to all the members of both static and dynamic groups:
.LP
.nf
include /path/to/dyngroup.schema
# ...
database <database>
# ...
overlay dynlist
dynlist\-attrset groupOfURLs memberURL member+memberOf@groupOfNames
.fi
.LP
This dynamic memberOf feature can fully replace the functionality of the
.BR slapo\-memberof (5)
overlay.
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH BACKWARD COMPATIBILITY
The dynlist overlay has been reworked with the 2.5 release to use
a consistent namespace as with other overlays. As a side-effect the
following cn=config parameters are deprecated and will be removed in
a future release:
.B olcDlAttrSet
is replaced with olcDynListAttrSet
.B olcDynamicList
is replaced with olcDynListConfig
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd (8).
The
.BR slapo\-dynlist (5)
overlay supports dynamic configuration via
.BR back-config .
.SH BUGS
Filtering on dynamic groups may return incomplete results if the
search operation uses the \fIpagedResults\fP control.
.SH ACKNOWLEDGEMENTS
.P
This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c.
.P
Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.