H3: Overview
-The {{dds}} overlay to {{slapd}}(8) implements dynamic objects as per RFC 2589.
+The {{dds}} overlay to {{slapd}}(8) implements dynamic objects as per {{REF:RFC2589}}.
The name {{dds}} stands for Dynamic Directory Services. It allows to define
dynamic objects, characterized by the {{dynamicObject}} objectClass.
H3: Dynamic Directory Service Configuration
+A usage of dynamic objects might be to implement dynamic meetings; in this case,
+all the participants to the meeting are allowed to refresh the meeting object,
+but only the creator can delete it (otherwise it will be deleted when the TTL expires).
+
+If we add the overlay to an example database, specifying a Max TTL of 1 day, a
+min of 10 seconds, with a default TTL of 1 hour. We'll also specify an interval
+of 120 (less than 60s might be too small) seconds between expiration checks and a
+tolerance of 5 second (lifetime of a dynamic object will be {{entryTtl + tolerance}}).
+
+> overlay dds
+> dds-max-ttl 1d
+> dds-min-ttl 10s
+> dds-default-ttl 1h
+> dds-interval 120s
+> dds-tolerance 5s
+
+and add an index:
+
+> entryExpireTimestamp
+
+Creating a meeting is as simple as adding the following:
+
+> dn: cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com
+> objectClass: groupOfNames
+> objectClass: dynamicObject
+> cn: OpenLDAP Documentation Meeting
+> member: uid=ghenry,ou=People,dc=example,dc=com
+> member: uid=hyc,ou=People,dc=example,dc=com
+
+H4: Dynamic Directory Service ACLs
+
+Allow users to start a meeting and to join it; restrict refresh to the {{member}};
+restrict delete to the creator:
+
+> access to attrs=userPassword
+> by self write
+> by * read
+>
+> access to dn.base="ou=Meetings,dc=example,dc=com"
+> attrs=children
+> by users write
+>
+> access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+> attrs=entry
+> by dnattr=creatorsName write
+> by * read
+>
+> access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+> attrs=participant
+> by dnattr=creatorsName write
+> by users selfwrite
+> by * read
+>
+> access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+> attrs=entryTtl
+> by dnattr=member manage
+> by * read
+
+In simple terms, the user who created the {{OpenLDAP Documentation Meeting}} can add new attendees,
+refresh the meeting using (basically complete control):
+
+> ldapexop -x -H ldap://ldaphost "refresh" "cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com" "120" -D "uid=ghenry,ou=People,dc=example,dc=com" -W
+
+Any user can join the meeting, but not add another attendee, but they can refresh the meeting. The ACLs above are quite straight forward to understand.
H2: Dynamic Groups
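Review bot: the ACL rule `access to dn.onelevel="ou=Meetings,dc=example,dc=com" attrs=participant` protects an attribute the example entry does not carry: the meeting added above is a `groupOfNames` whose membership attribute is `member`, and the lead-in sentence itself says refresh is restricted to the `member`, so this rule never matches and the "any user can join the meeting" behaviour (`by users selfwrite`) is not actually granted. Suggest `attrs=member` so that selfwrite lets a user add or remove only their own DN, consistent with the final paragraph. Two smaller points in the same region: `access to attrs=userPassword ... by * read` lets every client, anonymous included, read password hashes; this rule is unrelated to the meeting example and, if kept, should follow the guide's usual shape (`by self write`, `by anonymous auth`, `by * none`). The "add an index" step shows only the attribute name `entryExpireTimestamp`, which is not a complete directive; spell it out as `index entryExpireTimestamp eq`. Finally, the sentence "If we add the overlay to an example database, specifying a Max TTL of 1 day, a min of 10 seconds, with a default TTL of 1 hour." is a fragment with no main clause, and in the `ldapexop` example the `-D`/`-W` options come after the positional `refresh DN ttl` arguments, which a strictly POSIX getopt will not parse; move them before `"refresh"`.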