mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
121 lines
4.0 KiB
Plaintext
121 lines
4.0 KiB
Plaintext
autogroup overlay Readme
|
|
|
|
DESCRIPTION
|
|
The autogroup overlay allows automated updates of group memberships which
|
|
meet the requirements of any filter contained in the group definition.
|
|
The filters are built from LDAP URI-valued attributes. Any time an object
|
|
is added/deleted/updated, it is tested for compliance with the filters,
|
|
and its membership is accordingly updated. For searches and compares
|
|
it behaves like a static group.
|
|
If the attribute part of the URI is filled, the group entry is populated
|
|
by the values of this attribute in the entries resulting from the search.
|
|
|
|
BUILDING
|
|
A Makefile is included.
|
|
|
|
CONFIGURATION
|
|
# dyngroup.schema:
|
|
The dyngroup schema must be modified, adding the 'member' attribute
|
|
to the MAY clause of the groupOfURLs object class, i.e.:
|
|
|
|
objectClass ( NetscapeLDAPobjectClass:33
|
|
NAME 'groupOfURLs'
|
|
SUP top STRUCTURAL
|
|
MUST cn
|
|
MAY ( memberURL $ businessCategory $ description $ o $ ou $
|
|
owner $ seeAlso $ member) )
|
|
|
|
|
|
# slapd.conf:
|
|
|
|
moduleload /path/to/autogroup.so
|
|
Loads the overlay (OpenLDAP must be built with --enable-modules).
|
|
|
|
overlay autogroup
|
|
This directive adds the autogroup overlay to the current database.
|
|
|
|
autogroup-attrset <group-oc> <URL-ad> <member-ad>
|
|
This configuration option is defined for the autogroup overlay.
|
|
It may have multiple occurrences, and it must appear after the
|
|
overlay directive.
|
|
|
|
The value <group-oc> is the name of the objectClass that represents
|
|
the group.
|
|
|
|
The value <URL-ad> is the name of the attributeDescription that
|
|
contains the URI that is converted to the filters. If no URI is
|
|
present, there will be no members in that group. It must be a subtype
|
|
of labeledURI.
|
|
|
|
The value <member-ad> is the name of the attributeDescription that
|
|
specifies the member attribute. User modification of this attribute
|
|
is disabled for consistency.
|
|
|
|
autogroup-memberof-ad <memberof-ad>
|
|
This configuration option is defined for the autogroup overlay.
|
|
|
|
It defines the attribute that is used by the memberOf overlay
|
|
to store the names of groups that an entry is member of; it must be
|
|
DN-valued. It should be set to the same value as
|
|
memberof-memberof-ad. It defaults to 'memberOf'.
|
|
|
|
|
|
EXAMPLE
|
|
### slapd.conf
|
|
include /path/to/dyngroup.schema
|
|
# ...
|
|
moduleload /path/to/autogroup.so
|
|
# ...
|
|
|
|
database <database>
|
|
# ...
|
|
|
|
overlay autogroup
|
|
autogroup-attrset groupOfURLs memberURL member
|
|
### end slapd.conf
|
|
|
|
### slapd.conf
|
|
include /path/to/dyngroup.schema
|
|
# ...
|
|
moduleload /path/to/autogroup.so
|
|
moduleload /path/to/memberof.so
|
|
# ...
|
|
|
|
database <database>
|
|
#...
|
|
|
|
overlay memberof
|
|
memberof-memberof-ad foo
|
|
|
|
overlay autogroup
|
|
autogroup-attrset groupOfURLs memberURL member
|
|
autogroup-memberof-ad foo
|
|
### end slapd.conf
|
|
|
|
CAVEATS
|
|
As with static groups, update operations on groups with a large number
|
|
of members may be slow.
|
|
If the attribute part of the URI is specified, modify and delete operations
|
|
are more difficult to handle. In these cases the overlay will try to detect
|
|
if groups have been modified and then simply refresh them. This can cause
|
|
performance hits if the search specified by the URI deals with a significant
|
|
number of entries.
|
|
|
|
ACKNOWLEDGEMENTS
|
|
This module was originally written in 2007 by Michał Szulczyński. Further
|
|
enhancements were contributed by Howard Chu, Raphael Ouazana,
|
|
Norbert Pueschel, and Christian Manal.
|
|
|
|
---
|
|
Copyright 1998-2011 The OpenLDAP Foundation.
|
|
Portions Copyright (C) 2007 Michał Szulczyński.
|
|
All rights reserved.
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted only as authorized by the OpenLDAP
|
|
Public License.
|
|
|
|
A copy of this license is available in file LICENSE in the
|
|
top-level directory of the distribution or, alternatively, at
|
|
http://www.OpenLDAP.org/license.html.
|