.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
-slapo-dynlist \- Dynamic List overlay
+slapo-dynlist \- Dynamic List overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
are enforced.
For example, if a \fISINGLE-VALUE\fP attribute is listed,
only the first value results in the final entry.
+The above described behavior is disabled when the \fImanageDSAit\fP
+control (RFC 3296) is used.
+In that case, the contents of the dynamic group entry is returned;
+namely, the URLs are returned instead of being expanded.
.SH CONFIGURATION
The config directives that are specific to the
.LP
This
.B slapd.conf
-configuration option is define for the dynlist overlay. It may have multiple
+configuration option is defined for the dynlist overlay. It may have multiple
occurrences, and it must appear after the
.B overlay
directive.
The value
.B <URL-ad>
-is the name of the attributeDescription that cointains the URI that is
+is the name of the attributeDescription that contains the URI that is
expanded by the overlay; if none is present, no expansion occurs.
If the intersection of the attributes requested by the search operation
(or the asserted attribute for compares) and the attributes listed
with well-defined patterns, one should consider adding a proxycache
later on in the overlay stack.
+.SH AUTHORIZATION
+By default the expansions are performed using the identity of the current
+LDAP user. This identity may be overridden by setting the
+.B dgIdentity
+attribute to the DN of another LDAP user. In that case the dgIdentity
+will be used when expanding the URIs in the object. Setting the dgIdentity
+to a zero-length string will cause the expansions to be performed
+anonymously. Note that the dgIdentity attribute is defined in the
+.B dyngroup
+schema, and this schema must be loaded before the dgIdentity
+authorization feature may be used.
+
.SH EXAMPLE
This example collects all the email addresses of a database into a single
entry; first of all, make sure that slapd.conf contains the directives:
.fi
.LP
+A dynamic group with dgIdentity authorization could be created with an
+entry like
+.LP
+.nf
+ dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
+ objectClass: groupOfURLs
+ objectClass: dgIdentityAux
+ cn: Dynamic Group
+ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
+ dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
+.fi
+
.SH FILES
.TP
ETCDIR/slapd.conf