# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# between structural and auxiliary classes. This fact is noted here:
# http://forum.java.sun.com/thread.jspa?threadID=5016864&messageID=9034636
#
-# In accordance with the actual usage in practice, we define it as an
-# auxiliary class.
+# In accordance with other existing implementations, we define it as a
+# structural class.
#
# Our definition of memberURL also does not match theirs but again
# their published definition and what works in practice do not agree.
# In other words, the Netscape definitions are broken and interoperability
# is not guaranteed.
#
-# Also see the new DynGroup prposed spec at
+# Also see the new DynGroup proposed spec at
# http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02
objectIdentifier NetscapeRoot 2.16.840.1.113730
DESC 'Identity to use when processing the memberURL'
SUP distinguishedName SINGLE-VALUE )
+attributeType ( DynGroupAttr:2
+ NAME 'dgAuthz'
+ DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
+ EQUALITY authzMatch
+ SYNTAX 1.3.6.1.4.1.4203.666.2.7
+ X-ORDERED 'VALUES' )
+
objectClass ( NetscapeLDAPobjectClass:33
NAME 'groupOfURLs'
SUP top STRUCTURAL
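Review bot: The new `dgAuthz` attribute is described as "Optional", but nothing here says what an entry with `dgIdentity` and no `dgAuthz` means: whether any client may then assume the identity, or none. That default decides whether existing dynamic groups fail open or closed, so it should be stated above the definition, for example `# dgAuthz absent: <state the default: identity assumed unconditionally, or refused>`. `X-ORDERED 'VALUES'` keeps the rules in a stored order, so the same comment should say whether evaluation stops at the first matching rule, which the hunk does not show. The `groupOfURLs` definition that follows continues outside the hunk.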
objectClass ( DynGroupOC:1
NAME 'dgIdentityAux'
SUP top AUXILIARY
- MAY dgIdentity )
+ MAY ( dgIdentity $ dgAuthz ) )
+
+
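Review bot: `dgIdentityAux` is an auxiliary class with only MAY attributes, so the schema itself does not limit which entries can carry `dgIdentity` and `dgAuthz`. Going by the two DESC strings, write access to these attributes determines which identity the memberURL is processed as and who may assume it, so both need to be covered by access control in the server configuration. A comment above the class would make that visible to operators, such as `# dgIdentity and dgAuthz are security-sensitive: restrict write access to both with ACLs.` The change also appends two empty lines after the class; one is enough.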