.TH SLAPO-DYNLIST 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2011 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
-slapo-dynlist \- Dynamic List overlay to slapd
+slapo\-dynlist \- Dynamic List overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
No recursion is allowed, to avoid potential infinite loops.
The resulting entry must comply with the LDAP data model, so constraints
are enforced.
-For example, if a \fISINGLE-VALUE\fP attribute is listed,
+For example, if a \fISINGLE\-VALUE\fP attribute is listed,
only the first value results in the final entry.
The above described behavior is disabled when the \fImanageDSAit\fP
control (RFC 3296) is used.
.B overlay
directive.
.TP
-.B dynlist-attrset <group-oc> <URL-ad> [<member-ad>]
+.B dynlist\-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad> ...]
The value
-.B <group-oc>
+.B group\-oc
is the name of the objectClass that triggers the dynamic expansion of the
data.
+The optional
+.B URI
+restricts expansion only to entries matching the \fIDN\fP,
+the \fIscope\fP and the \fIfilter\fP portions of the URI.
+
The value
-.B <URL-ad>
+.B URL-ad
is the name of the attributeDescription that contains the URI that is
expanded by the overlay; if none is present, no expansion occurs.
If the intersection of the attributes requested by the search operation
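Review bot: The added paragraph for the optional URI says it "restricts expansion only to entries matching" the DN, scope and filter, but does not say which entries are meant: the group-oc entries being expanded, or the entries the expansion returns. Name the entries explicitly, and say how an optional URI in second position is told apart from URL-ad and what happens to an attrs portion in it. Separately, the new synopsis line escapes dynlist\-attrset but leaves group-oc, URL-ad, mapped-ad and member-ad unescaped, and ".B group\-oc" is escaped while ".B URL-ad" is not; use one form throughout so literal names render consistently.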
It must be a subtype of \fIlabeledURI\fP.
The value
-.B <member-ad>
+.B member-ad
is optional; if present, the overlay behaves as a dynamic group: this
attribute will list the DN of the entries resulting from the internal search.
-In this case, the <attrs> portion of the URI must be absent, and the DNs
-of all the entries resulting from the expansion of the URI are listed
+In this case, the \fIattrs\fP portion of the URIs in the
+.B URL-ad
+attribute must be absent, and the \fIDN\fPs
+of all the entries resulting from the expansion of the URIs are listed
as values of this attribute.
Compares that assert the value of the
-.B <member-ad>
+.B member-ad
attribute of entries with
-.B <group-oc>
+.B group-oc
objectClass apply as if the DN of the entries resulting from the expansion
of the URI were present in the
-.B <group-oc>
+.B group-oc
entry as values of the
-.B <member-ad>
+.B member-ad
attribute.
+
+Alternatively,
+.B mapped-ad
+can be used to remap attributes obtained through expansion.
+.B member-ad
+attributes are not filled by expanded DN, but are remapped as
+.B mapped-ad
+attributes. Multiple mapping statements can be used.
+
.LP
The dynlist overlay may be used with any backend, but it is mainly
intended for use with local storage backends.
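Review bot: The new mapped-ad paragraph reads as conflicting with the member-ad text just above it, which says the attrs portion of the URIs "must be absent" when member-ad is given, while the mapped-ad form remaps "attributes obtained through expansion". State whether the attrs restriction still applies to the <mapped-ad>:<member-ad> form, and which side of the colon names the attribute in the expanded entries and which names the attribute in the result; "member-ad attributes are not filled by expanded DN, but are remapped as mapped-ad attributes" can be read either way. The synopsis now allows several member-ad arguments, but the member-ad paragraph still describes a single attribute. The added blank lines before "Alternatively," and before .LP would be cleaner as a paragraph macro, since .LP already follows the second one.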
.SH AUTHORIZATION
By default the expansions are performed using the identity of the current
-LDAP user. This identity may be overridden by setting the
+LDAP user.
+This identity may be overridden by setting the
.B dgIdentity
-attribute to the DN of another LDAP user. In that case the dgIdentity
-will be used when expanding the URIs in the object. Setting the dgIdentity
-to a zero-length string will cause the expansions to be performed
-anonymously. Note that the dgIdentity attribute is defined in the
+attribute in the group's entry to the DN of another LDAP user.
+In that case the dgIdentity will be used when expanding the URIs in the object.
+Setting the dgIdentity to a zero-length string will cause the expansions
+to be performed anonymously.
+Note that the dgIdentity attribute is defined in the
.B dyngroup
schema, and this schema must be loaded before the dgIdentity
authorization feature may be used.
+If the
+.B dgAuthz
+attribute is also present in the group's entry, its values are used
+to determine what identities are authorized to use the
+.B dgIdentity
+to expand the group.
+Values of the
+.B dgAuthz
+attribute must conform to the (experimental) \fIOpenLDAP authz\fP syntax.
.SH EXAMPLE
This example collects all the email addresses of a database into a single
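Review bot: The dgAuthz text does not state what happens when dgIdentity is set and dgAuthz is absent; read together with "In that case the dgIdentity will be used when expanding the URIs in the object", it implies that any requester gets the expansion performed under dgIdentity. Since this decides whose access rights the internal search runs with, spell out that default, and say what a requester that matches no dgAuthz value gets (expansion under its own identity, or no expansion). It would also help to say whether dgAuthz, like dgIdentity, comes from the dyngroup schema, and to point to where the "(experimental) OpenLDAP authz" syntax is documented.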
# ...
overlay dynlist
- dynlist-attrset groupOfURLs memberURL
+ dynlist\-attrset groupOfURLs memberURL
.fi
.LP
and that slapd loads dynlist.la, if compiled as a run-time module;
# ...
overlay dynlist
- dynlist-attrset groupOfURLs memberURL member
+ dynlist\-attrset groupOfURLs memberURL member
.fi
.LP
default slapd configuration file
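Review bot: Both EXAMPLE hunks change only the hyphen escape in dynlist\-attrset, so the section still has no example of the new optional URI argument or of the <mapped-ad>:<member-ad> form added to the synopsis. Add one configuration example for each, next to the existing "groupOfURLs memberURL" and "groupOfURLs memberURL member" lines, so that argument order and the direction of the mapping are shown concretely.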
.SH SEE ALSO
.BR slapd.conf (5),
+.BR slapd\-config (5),
.BR slapd (8).
The
-.BR slapo-dynlist (5)
+.BR slapo\-dynlist (5)
overlay supports dynamic configuration via
.BR back-config .
.SH ACKNOWLEDGEMENTS
.P
This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c.
+.P
+Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.