Section (5) slapo-dynlist
Name
slapo−dynlist — Dynamic List overlay to slapd
Synopsis
ETCDIR/slapd.conf
DESCRIPTION
The dynlist
overlay to slapd(8) allows expansion
of dynamic groups and more. Any time an entry with a specific
objectClass (defined in the overlay configuration) is being
returned, the LDAP URI-valued occurrences of a specific
attribute (also defined in the overlay configuration) are
expanded into the corresponding entries, and the values of
the attributes listed in the URI are added to the original
entry. No recursion is allowed, to avoid potential infinite
loops.
Since the resulting entry is dynamically constructed, it does not exist until it is constructed while being returned. As a consequence, dynamically added attributes do not participate in the filter matching phase of the search request handling. In other words, filtering for dynamically added attributes always fails.
The resulting entry must comply with the LDAP data model,
so constraints are enforced. For example, if a SINGLE−VALUE
attribute
is listed, only the first value found during the list
expansion appears in the final entry. The above described
behavior is disabled when the manageDSAit
control (RFC
3296) is used. In that case, the contents of the dynamic
group entry is returned; namely, the URLs are returned
instead of being expanded.
CONFIGURATION
The config directives that are specific to the dynlist
overlay must be
prefixed by dynlist−
, to avoid
potential conflicts with directives specific to the
underlying database or to other stacked overlays.
- verlay dynlist
-
This directive adds the dynlist overlay to the current database, or to the frontend, if used before any database instantiation; see slapd.conf(5) for details.
This
slapd.conf
configuration option is defined for the dynlist overlay. It may have multiple occurrences, and it must appear after theoverlay
directive. - dynlist−attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad> ...]
-
The value
group−oc
is the name of the objectClass that triggers the dynamic expansion of the data.The optional
URI
restricts expansion only to entries matching theDN
, thescope
and thefilter
portions of the URI.The value
URL-ad
is the name of the attributeDescription that contains the URI that is expanded by the overlay; if none is present, no expansion occurs. If the intersection of the attributes requested by the search operation (or the asserted attribute for compares) and the attributes listed in the URI is empty, no expansion occurs for that specific URI. It must be a subtype oflabeledURI
.The value
member-ad
is optional; if present, the overlay behaves as a dynamic group: this attribute will list the DN of the entries resulting from the internal search. In this case, theattrs
portion of the URIs in theURL-ad
attribute must be absent, and theDN
s of all the entries resulting from the expansion of the URIs are listed as values of this attribute. Compares that assert the value of themember-ad
attribute of entries withgroup-oc
objectClass apply as if the DN of the entries resulting from the expansion of the URI were present in thegroup-oc
entry as values of themember-ad
attribute.Alternatively,
mapped-ad
can be used to remap attributes obtained through expansion.member-ad
attributes are not filled by expanded DN, but are remapped asmapped-ad
attributes. Multiple mapping statements can be used.The dynlist overlay may be used with any backend, but it is mainly intended for use with local storage backends. In case the URI expansion is very resource-intensive and occurs frequently with well-defined patterns, one should consider adding a proxycache later on in the overlay stack.
AUTHORIZATION
By default the expansions are performed using the identity
of the current LDAP user. This identity may be overridden by
setting the dgIdentity
attribute in the
group_zsingle_quotesz_s entry to the DN of another LDAP user. In that case
the dgIdentity will be used when expanding the URIs in the
object. Setting the dgIdentity to a zero-length string will
cause the expansions to be performed anonymously. Note that
the dgIdentity attribute is defined in the dyngroup
schema, and this
schema must be loaded before the dgIdentity authorization
feature may be used. If the dgAuthz
attribute is also
present in the group_zsingle_quotesz_s entry, its values are used to
determine what identities are authorized to use the
dgIdentity
to
expand the group. Values of the dgAuthz
attribute must
conform to the (experimental) OpenLDAP authz syntax.
EXAMPLE
This example collects all the email addresses of a database into a single entry; first of all, make sure that slapd.conf contains the directives:
include /path/to/dyngroup.schema # ... database <database> # ... overlay dynlist dynlist−attrset groupOfURLs memberURL
and that slapd loads dynlist.la, if compiled as a run-time module; then add to the database an entry like
dn: cn=Dynamic List,ou=Groups,dc=example,dc=com objectClass: groupOfURLs cn: Dynamic List memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
If no <attrs> are provided in the URI, all (non-operational) attributes are collected.
This example implements the dynamic group feature on the
member
attribute:
include /path/to/dyngroup.schema # ... database <database> # ... overlay dynlist dynlist−attrset groupOfURLs memberURL member
A dynamic group with dgIdentity authorization could be created with an entry like
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com objectClass: groupOfURLs objectClass: dgIdentityAux cn: Dynamic Group memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person) dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
SEE ALSO
slapd.conf(5), slapd-config(5), slapd(8). The slapo-dynlist(5) overlay
supports dynamic configuration via back-config
.