.TH SLAPO-DYNLIST 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2005 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
-slapo-dynlist \- Dynamic List overlay
+slapo-dynlist \- Dynamic List overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
expanded into the corresponding entries, and the values
of the attributes listed in the URI are added to the original
entry.
-No recursion is currently allowed, to avoid potential infinite loops.
+No recursion is allowed, to avoid potential infinite loops.
+The resulting entry must comply with the LDAP data model, so constraints
+are enforced.
+For example, if a \fISINGLE-VALUE\fP attribute is listed,
+only the first value results in the final entry.
+The above described behavior is disabled when the \fImanageDSAit\fP
+control (RFC 3296) is used.
+In that case, the contents of the dynamic group entry is returned;
+namely, the URLs are returned instead of being expanded.
.SH CONFIGURATION
The config directives that are specific to the
for details.
.LP
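Review bot: grammar in the new manageDSAit paragraph of DESCRIPTION: "the contents of the dynamic group entry is returned" should read "are returned", and "The above described behavior" reads better as "The behavior described above". The same paragraph calls the entry a "dynamic group entry" although the DESCRIPTION otherwise covers dynamic lists in general (group behavior only exists once a <member-ad> is configured); suggest "dynamic list entry". Finally, "so constraints are enforced" should say which ones, e.g. "so the schema constraints (such as SINGLE-VALUE) are enforced", since the SINGLE-VALUE case is the only one the text illustrates.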
-These
+This
.B slapd.conf
-configuration options apply to the dynlist overlay. They must appear
-after the
+configuration option is defined for the dynlist overlay. It may have multiple
+occurrences, and it must appear after the
.B overlay
directive.
.TP
-.B dynlist-oc <objectClass>
-The name of the objectClass that triggers the dynamic expansion of the
-data. This statement is required.
-.TP
-.B dynlist-ad <attributeName>
-The name of the attributeDescription that holds the LDAP URI values that
-will expand; if none is present, no expansion occurs. If the intersection
-of the attributes requested by the search operation (or the asserted attribute
-for compares) and the attributes listed in the URI is empty, no expansion
-occurs for that specific URI. This statement is required.
-.TP
-.B dynlist-member-ad <attributeName>
-The name of the attributeDescription that will list the DN of the entries
-resulting from the internal search. This statement is optional and, if
-present, changes the behavior of the overlay into that of a dynamic group.
-The <attrs> portion of the URI is ignored, and the DNs of all the entries
-resulting from the expansion of the URI are listed as values of this
-attribute.
+.B dynlist-attrset <group-oc> <URL-ad> [<member-ad>]
+The value
+.B <group-oc>
+is the name of the objectClass that triggers the dynamic expansion of the
+data.
+The value
+.B <URL-ad>
+is the name of the attributeDescription that contains the URI that is
+expanded by the overlay; if none is present, no expansion occurs.
+If the intersection of the attributes requested by the search operation
+(or the asserted attribute for compares) and the attributes listed
+in the URI is empty, no expansion occurs for that specific URI.
+It must be a subtype of \fIlabeledURI\fP.
+
+The value
+.B <member-ad>
+is optional; if present, the overlay behaves as a dynamic group: this
+attribute will list the DN of the entries resulting from the internal search.
+In this case, the <attrs> portion of the URI must be absent, and the DNs
+of all the entries resulting from the expansion of the URI are listed
+as values of this attribute.
+Compares that assert the value of the
+.B <member-ad>
+attribute of entries with
+.B <group-oc>
+objectClass apply as if the DN of the entries resulting from the expansion
+of the URI were present in the
+.B <group-oc>
+entry as values of the
+.B <member-ad>
+attribute.
.LP
The dynlist overlay may be used with any backend, but it is mainly
intended for use with local storage backends.
with well-defined patterns, one should consider adding a proxycache
later on in the overlay stack.
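Review bot: the replaced dynlist-member-ad text said the <attrs> portion of the URI "is ignored" in dynamic-group mode, while the new dynlist-attrset text says "In this case, the <attrs> portion of the URI must be absent"; that is a behavior change for existing configurations, and the entry should state what happens when attrs are present (the URI is rejected at config time, or skipped at expansion time). Two smaller points: the old entries said whether each directive was required and the new one does not, and since the CONFIGURATION paragraph now says the option "may have multiple occurrences" it should also say whether two occurrences may name the same <group-oc>; and the bare empty line between the <URL-ad> and <member-ad> paragraphs inside the .TP entry should be a `.sp` request (or the text folded into one paragraph) to match the surrounding page, which uses roff requests rather than blank lines for spacing.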
+.SH AUTHORIZATION
+By default the expansions are performed using the identity of the current
+LDAP user. This identity may be overridden by setting the
+.B dgIdentity
+attribute to the DN of another LDAP user. In that case the dgIdentity
+will be used when expanding the URIs in the object. Setting the dgIdentity
+to a zero-length string will cause the expansions to be performed
+anonymously. Note that the dgIdentity attribute is defined in the
+.B dyngroup
+schema, and this schema must be loaded before the dgIdentity
+authorization feature may be used.
+
.SH EXAMPLE
This example collects all the email addresses of a database into a single
entry; first of all, make sure that slapd.conf contains the directives:
# ...
overlay dynlist
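Review bot: the new AUTHORIZATION section should spell out the security consequence of dgIdentity: the expansion runs with that identity's access rights and the result is then served to whoever can read the group entry, so anyone allowed to write dgIdentity on a <group-oc> entry can read, through the expanded list, whatever that identity may read. Suggest adding a sentence recommending that write access to dgIdentity be restricted with slapd access directives (for example `access to attrs=dgIdentity by ... write`) and that the DN chosen as dgIdentity have narrowly scoped read access. Minor wording: "In that case the dgIdentity will be used" reads better as "In that case that identity will be used", and "before the dgIdentity authorization feature may be used" should be "can be used".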
- dynlist-oc groupOfURLs
- dynlist-ad memberURL
+ dynlist-attrset groupOfURLs memberURL
.fi
.LP
and that slapd loads dynlist.la, if compiled as a run-time module;
If no <attrs> are provided in the URI, all (non-operational) attributes are
collected.
+This example implements the dynamic group feature on the
+.B member
+attribute:
+
+.LP
+.nf
+ include /path/to/dyngroup.schema
+ # ...
+
+ database <database>
+ # ...
+
+ overlay dynlist
+ dynlist-attrset groupOfURLs memberURL member
+.fi
+.LP
+
+A dynamic group with dgIdentity authorization could be created with an
+entry like
+.LP
+.nf
+ dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
+ objectClass: groupOfURLs
+ objectClass: dgIdentityAux
+ cn: Dynamic Group
+ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
+ dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
+.fi
.SH FILES
.TP
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
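Review bot: in the dynamic-group example, the blank line after "attribute:" before `.LP`/`.nf`, and the blank line right after the `.LP` that precedes "A dynamic group with dgIdentity authorization", both add stray vertical space; drop them and let `.LP` alone separate the paragraphs, as the rest of the page does. The entry example would also benefit from one sentence noting that cn=Group Proxy,ou=Services,dc=example,dc=com must be an existing entry with read access to ou=People, and that the resulting member values are visible to anyone who can read the group, since the whole point of dgIdentity is to change whose access rights the expansion uses.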
+The
+.BR slapo-dynlist (5)
+overlay supports dynamic configuration via
+.BR back-config .
.SH ACKNOWLEDGEMENTS
.P
This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c.
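Review bot: the sentence added to SEE ALSO ("The slapo-dynlist(5) overlay supports dynamic configuration via back-config") follows `.BR slapd (8).` with no paragraph break, so it renders as a continuation of the reference list; put a `.LP` before it, or better move it into CONFIGURATION next to the slapd.conf directive, since it is a statement about the overlay rather than a cross-reference. If it stays in SEE ALSO it should reference the back-config manual page, slapd-config(5), rather than this page itself.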