mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-27 03:20:22 +08:00
276 lines
8.0 KiB
Groff
276 lines
8.0 KiB
Groff
.TH SLAPO-DYNLIST 5 "RELEASEDATE" "OpenLDAP LDVERSION"
|
|
.\" Copyright 1998-2021 The OpenLDAP Foundation, All Rights Reserved.
|
|
.\" Copying restrictions apply. See the COPYRIGHT file.
|
|
.\" $OpenLDAP$
|
|
.SH NAME
|
|
slapo\-dynlist \- Dynamic List overlay to slapd
|
|
.SH SYNOPSIS
|
|
ETCDIR/slapd.conf
|
|
.SH DESCRIPTION
|
|
The
|
|
.B dynlist
|
|
overlay to
|
|
.BR slapd (8)
|
|
allows expansion of dynamic groups and more.
|
|
Any time an entry with a specific objectClass (defined in the overlay configuration) is being returned,
|
|
the LDAP URI-valued occurrences of a specific attribute (also defined in the overlay configuration) are
|
|
expanded into the corresponding entries, and the values
|
|
of the attributes listed in the URI are added to the original
|
|
entry.
|
|
No recursion is allowed, to avoid potential infinite loops.
|
|
|
|
The resulting entry must comply with the LDAP data model, so constraints
|
|
are enforced.
|
|
For example, if a \fISINGLE\-VALUE\fP attribute is listed,
|
|
only the first value found during the list expansion appears in the final entry.
|
|
All dynamic behavior is disabled when the \fImanageDSAit\fP
|
|
control (RFC 3296) is used.
|
|
In that case, the contents of the dynamic group entry is returned;
|
|
namely, the URLs are returned instead of being expanded.
|
|
|
|
.SH CONFIGURATION
|
|
The config directives that are specific to the
|
|
.B dynlist
|
|
overlay must be prefixed by
|
|
.BR dynlist\- ,
|
|
to avoid potential conflicts with directives specific to the underlying
|
|
database or to other stacked overlays.
|
|
|
|
.TP
|
|
.B overlay dynlist
|
|
This directive adds the dynlist overlay to the current database,
|
|
or to the frontend, if used before any database instantiation; see
|
|
.BR slapd.conf (5)
|
|
for details.
|
|
|
|
.LP
|
|
This
|
|
.B slapd.conf
|
|
configuration option is defined for the dynlist overlay. It may have multiple
|
|
occurrences, and it must appear after the
|
|
.B overlay
|
|
directive.
|
|
.TP
|
|
.B dynlist\-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad>[+<memberOf-ad[@<static-oc>[*]] ...]
|
|
The value
|
|
.B group\-oc
|
|
is the name of the objectClass that triggers the dynamic expansion of the
|
|
data.
|
|
|
|
The optional
|
|
.B URI
|
|
restricts expansion only to entries matching the \fIDN\fP,
|
|
the \fIscope\fP and the \fIfilter\fP portions of the URI.
|
|
|
|
The value
|
|
.B URL-ad
|
|
is the name of the attributeDescription that contains the URI that is
|
|
expanded by the overlay; if none is present, no expansion occurs.
|
|
If the intersection of the attributes requested by the search operation
|
|
(or the asserted attribute for compares) and the attributes listed
|
|
in the URI is empty, no expansion occurs for that specific URI.
|
|
It must be a subtype of \fIlabeledURI\fP.
|
|
|
|
The value
|
|
.B member-ad
|
|
is optional; if present, the overlay behaves as a dynamic group: this
|
|
attribute will list the DN of the entries resulting from the internal search.
|
|
In this case, the \fIattrs\fP portion of the URIs in the
|
|
.B URL-ad
|
|
attribute must be absent, and the \fIDN\fPs
|
|
of all the entries resulting from the expansion of the URIs are listed
|
|
as values of this attribute.
|
|
Compares that assert the value of the
|
|
.B member-ad
|
|
attribute of entries with
|
|
.B group-oc
|
|
objectClass apply as if the DN of the entries resulting from the expansion
|
|
of the URI were present in the
|
|
.B group-oc
|
|
entry as values of the
|
|
.B member-ad
|
|
attribute.
|
|
If the optional
|
|
.B memberOf-ad
|
|
attribute is also specified, then it will be populated with the DNs of the
|
|
dynamic groups that an entry is a member of.
|
|
If the optional
|
|
.B static-oc
|
|
objectClass is also specified, then the memberOf attribute will also be
|
|
populated with the DNs of the static groups that an entry is a member of.
|
|
If the optional
|
|
.B *
|
|
character is also specified, then the member and memberOf values will be
|
|
populated recursively, for nested groups. Note that currently nesting is
|
|
only supported for Search operations, not Compares.
|
|
|
|
Alternatively,
|
|
.B mapped-ad
|
|
can be used to remap attributes obtained through expansion.
|
|
.B member-ad
|
|
attributes are not filled by expanded DN, but are remapped as
|
|
.B mapped-ad
|
|
attributes. Multiple mapping statements can be used. The
|
|
.B memberOf-ad
|
|
option is not used in this case.
|
|
|
|
.LP
|
|
The dynlist overlay may be used with any backend, but it is mainly
|
|
intended for use with local storage backends.
|
|
In case the URI expansion is very resource-intensive and occurs frequently
|
|
with well-defined patterns, one should consider adding a proxycache
|
|
later on in the overlay stack.
|
|
|
|
.SH AUTHORIZATION
|
|
By default the expansions are performed using the identity of the current
|
|
LDAP user.
|
|
This identity may be overridden by setting the
|
|
.B dgIdentity
|
|
attribute in the group's entry to the DN of another LDAP user.
|
|
In that case the dgIdentity will be used when expanding the URIs in the object.
|
|
Setting the dgIdentity to a zero-length string will cause the expansions
|
|
to be performed anonymously.
|
|
Note that the dgIdentity attribute is defined in the
|
|
.B dyngroup
|
|
schema, and this schema must be loaded before the dgIdentity
|
|
authorization feature may be used.
|
|
If the
|
|
.B dgAuthz
|
|
attribute is also present in the group's entry, its values are used
|
|
to determine what identities are authorized to use the
|
|
.B dgIdentity
|
|
to expand the group.
|
|
Values of the
|
|
.B dgAuthz
|
|
attribute must conform to the (experimental) \fIOpenLDAP authz\fP syntax.
|
|
When using dynamic memberOf in search filters, search access to the
|
|
.B entryDN
|
|
pseudo-attribute is required.
|
|
|
|
.SH EXAMPLE
|
|
This example collects all the email addresses of a database into a single
|
|
entry; first of all, make sure that slapd.conf contains the directives:
|
|
|
|
.LP
|
|
.nf
|
|
include /path/to/dyngroup.schema
|
|
# ...
|
|
|
|
database <database>
|
|
# ...
|
|
|
|
overlay dynlist
|
|
dynlist\-attrset groupOfURLs memberURL
|
|
.fi
|
|
.LP
|
|
and that slapd loads dynlist.la, if compiled as a run-time module;
|
|
then add to the database an entry like
|
|
.LP
|
|
.nf
|
|
dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
|
|
objectClass: groupOfURLs
|
|
cn: Dynamic List
|
|
memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
|
|
.fi
|
|
|
|
If no <attrs> are provided in the URI, all (non-operational) attributes are
|
|
collected.
|
|
|
|
This example implements the dynamic group feature on the
|
|
.B member
|
|
attribute:
|
|
|
|
.LP
|
|
.nf
|
|
include /path/to/dyngroup.schema
|
|
# ...
|
|
|
|
database <database>
|
|
# ...
|
|
|
|
overlay dynlist
|
|
dynlist\-attrset groupOfURLs memberURL member
|
|
.fi
|
|
.LP
|
|
|
|
A dynamic group with dgIdentity authorization could be created with an
|
|
entry like
|
|
.LP
|
|
.nf
|
|
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
|
|
objectClass: groupOfURLs
|
|
objectClass: dgIdentityAux
|
|
cn: Dynamic Group
|
|
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
|
|
dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
|
|
.fi
|
|
|
|
|
|
This example extends the dynamic group feature to add a dynamic
|
|
.B dgMemberOf
|
|
attribute to all the members of a dynamic group:
|
|
.LP
|
|
.nf
|
|
include /path/to/dyngroup.schema
|
|
# ...
|
|
|
|
database <database>
|
|
# ...
|
|
|
|
overlay dynlist
|
|
dynlist\-attrset groupOfURLs memberURL member+dgMemberOf
|
|
.fi
|
|
.LP
|
|
|
|
|
|
This example extends the dynamic memberOf feature to add the
|
|
.B memberOf
|
|
attribute to all the members of both static and dynamic groups:
|
|
.LP
|
|
.nf
|
|
include /path/to/dyngroup.schema
|
|
# ...
|
|
|
|
database <database>
|
|
# ...
|
|
|
|
overlay dynlist
|
|
dynlist\-attrset groupOfURLs memberURL member+memberOf@groupOfNames
|
|
.fi
|
|
.LP
|
|
This dynamic memberOf feature can fully replace the functionality of the
|
|
.BR slapo\-memberof (5)
|
|
overlay.
|
|
|
|
.SH FILES
|
|
.TP
|
|
ETCDIR/slapd.conf
|
|
default slapd configuration file
|
|
.SH BACKWARD COMPATIBILITY
|
|
The dynlist overlay has been reworked with the 2.5 release to use
|
|
a consistent namespace as with other overlays. As a side-effect the
|
|
following cn=config parameters are deprecated and will be removed in
|
|
a future release:
|
|
.B olcDlAttrSet
|
|
is replaced with olcDynListAttrSet
|
|
.B olcDynamicList
|
|
is replaced with olcDynListConfig
|
|
.SH SEE ALSO
|
|
.BR slapd.conf (5),
|
|
.BR slapd\-config (5),
|
|
.BR slapd (8).
|
|
The
|
|
.BR slapo\-dynlist (5)
|
|
overlay supports dynamic configuration via
|
|
.BR back-config .
|
|
|
|
.SH BUGS
|
|
Filtering on dynamic groups may return incomplete results if the
|
|
search operation uses the \fIpagedResults\fP control.
|
|
|
|
.SH ACKNOWLEDGEMENTS
|
|
.P
|
|
This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c.
|
|
.P
|
|
Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.
|