Diffstat (limited to 'doc/man/man5/slapo-dynlist.5')
-rw-r--r--  doc/man/man5/slapo-dynlist.5 | 275
1 files changed, 275 insertions, 0 deletions
diff --git a/doc/man/man5/slapo-dynlist.5 b/doc/man/man5/slapo-dynlist.5 new file mode 100644 index 0000000..db00312 --- /dev/null +++ b/doc/man/man5/slapo-dynlist.5 
@@ -0,0 +1,275 @@ +.TH SLAPO-DYNLIST 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2022 The OpenLDAP Foundation, All Rights Reserved. +.\" Copying restrictions apply. See the COPYRIGHT file. +.\" $OpenLDAP$ +.SH NAME +slapo\-dynlist \- Dynamic List overlay to slapd +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The +.B dynlist +overlay to +.BR slapd (8) +allows expansion of dynamic groups and more. +Any time an entry with a specific objectClass (defined in the overlay configuration) is being returned, +the LDAP URI-valued occurrences of a specific attribute (also defined in the overlay configuration) are +expanded into the corresponding entries, and the values +of the attributes listed in the URI are added to the original +entry. +No recursion is allowed, to avoid potential infinite loops. + +The resulting entry must comply with the LDAP data model, so constraints +are enforced. +For example, if a \fISINGLE\-VALUE\fP attribute is listed, +only the first value found during the list expansion appears in the final entry. +All dynamic behavior is disabled when the \fImanageDSAit\fP +control (RFC 3296) is used. +In that case, the contents of the dynamic group entry is returned; +namely, the URLs are returned instead of being expanded. + +.SH CONFIGURATION +The config directives that are specific to the +.B dynlist +overlay must be prefixed by +.BR dynlist\- , +to avoid potential conflicts with directives specific to the underlying +database or to other stacked overlays. + +.TP +.B overlay dynlist +This directive adds the dynlist overlay to the current database, +or to the frontend, if used before any database instantiation; see +.BR slapd.conf (5) +for details. + +.LP +This +.B slapd.conf +configuration option is defined for the dynlist overlay. It may have multiple +occurrences, and it must appear after the +.B overlay +directive. +.TP +.B dynlist\-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad>[+<memberOf-ad[@<static-oc>[*]] ...] 
+The value +.B group\-oc +is the name of the objectClass that triggers the dynamic expansion of the +data. + +The optional +.B URI +restricts expansion only to entries matching the \fIDN\fP, +the \fIscope\fP and the \fIfilter\fP portions of the URI. + +The value +.B URL-ad +is the name of the attributeDescription that contains the URI that is +expanded by the overlay; if none is present, no expansion occurs. +If the intersection of the attributes requested by the search operation +(or the asserted attribute for compares) and the attributes listed +in the URI is empty, no expansion occurs for that specific URI. +It must be a subtype of \fIlabeledURI\fP. + +The value +.B member-ad +is optional; if present, the overlay behaves as a dynamic group: this +attribute will list the DN of the entries resulting from the internal search. +In this case, the \fIattrs\fP portion of the URIs in the +.B URL-ad +attribute must be absent, and the \fIDN\fPs +of all the entries resulting from the expansion of the URIs are listed +as values of this attribute. +Compares that assert the value of the +.B member-ad +attribute of entries with +.B group-oc +objectClass apply as if the DN of the entries resulting from the expansion +of the URI were present in the +.B group-oc +entry as values of the +.B member-ad +attribute. +If the optional +.B memberOf-ad +attribute is also specified, then it will be populated with the DNs of the +dynamic groups that an entry is a member of. +If the optional +.B static-oc +objectClass is also specified, then the memberOf attribute will also be +populated with the DNs of the static groups that an entry is a member of. +If the optional +.B * +character is also specified, then the member and memberOf values will be +populated recursively, for nested groups. Note that currently nesting is +only supported for Search operations, not Compares. + +Alternatively, +.B mapped-ad +can be used to remap attributes obtained through expansion. 
+.B member-ad +attributes are not filled by expanded DN, but are remapped as +.B mapped-ad +attributes. Multiple mapping statements can be used. The +.B memberOf-ad +option is not used in this case. + +.LP +The dynlist overlay may be used with any backend, but it is mainly +intended for use with local storage backends. +In case the URI expansion is very resource-intensive and occurs frequently +with well-defined patterns, one should consider adding a proxycache +later on in the overlay stack. + +.SH AUTHORIZATION +By default the expansions are performed using the identity of the current +LDAP user. +This identity may be overridden by setting the +.B dgIdentity +attribute in the group's entry to the DN of another LDAP user. +In that case the dgIdentity will be used when expanding the URIs in the object. +Setting the dgIdentity to a zero-length string will cause the expansions +to be performed anonymously. +Note that the dgIdentity attribute is defined in the +.B dyngroup +schema, and this schema must be loaded before the dgIdentity +authorization feature may be used. +If the +.B dgAuthz +attribute is also present in the group's entry, its values are used +to determine what identities are authorized to use the +.B dgIdentity +to expand the group. +Values of the +.B dgAuthz +attribute must conform to the (experimental) \fIOpenLDAP authz\fP syntax. +When using dynamic memberOf in search filters, search access to the +.B entryDN +pseudo-attribute is required. + +.SH EXAMPLE +This example collects all the email addresses of a database into a single +entry; first of all, make sure that slapd.conf contains the directives: + +.LP +.nf + include /path/to/dyngroup.schema + # ... + + database <database> + # ... 
+ + overlay dynlist + dynlist\-attrset groupOfURLs memberURL +.fi +.LP +and that slapd loads dynlist.la, if compiled as a run-time module; +then add to the database an entry like +.LP +.nf + dn: cn=Dynamic List,ou=Groups,dc=example,dc=com + objectClass: groupOfURLs + cn: Dynamic List + memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person) +.fi + +If no <attrs> are provided in the URI, all (non-operational) attributes are +collected. + +This example implements the dynamic group feature on the +.B member +attribute: + +.LP +.nf + include /path/to/dyngroup.schema + # ... + + database <database> + # ... + + overlay dynlist + dynlist\-attrset groupOfURLs memberURL member +.fi +.LP + +A dynamic group with dgIdentity authorization could be created with an +entry like +.LP +.nf + dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com + objectClass: groupOfURLs + objectClass: dgIdentityAux + cn: Dynamic Group + memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person) + dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com +.fi + + +This example extends the dynamic group feature to add a dynamic +.B dgMemberOf +attribute to all the members of a dynamic group: +.LP +.nf + include /path/to/dyngroup.schema + # ... + + database <database> + # ... + + overlay dynlist + dynlist\-attrset groupOfURLs memberURL member+dgMemberOf +.fi +.LP + + +This example extends the dynamic memberOf feature to add the +.B memberOf +attribute to all the members of both static and dynamic groups: +.LP +.nf + include /path/to/dyngroup.schema + # ... + + database <database> + # ... + + overlay dynlist + dynlist\-attrset groupOfURLs memberURL member+memberOf@groupOfNames +.fi +.LP +This dynamic memberOf feature can fully replace the functionality of the +.BR slapo\-memberof (5) +overlay. 
+ +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH BACKWARD COMPATIBILITY +The dynlist overlay has been reworked with the 2.5 release to use +a consistent namespace as with other overlays. As a side-effect the +following cn=config parameters are deprecated and will be removed in +a future release: +.B olcDlAttrSet +is replaced with olcDynListAttrSet +.B olcDynamicList +is replaced with olcDynListConfig +.SH SEE ALSO +.BR slapd.conf (5), +.BR slapd\-config (5), +.BR slapd (8). +The +.BR slapo\-dynlist (5) +overlay supports dynamic configuration via +.BR back-config . + +.SH BUGS +Filtering on dynamic groups may return incomplete results if the +search operation uses the \fIpagedResults\fP control. + +.SH ACKNOWLEDGEMENTS +.P +This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c. +.P +Attribute remapping was contributed in 2008 by Emmanuel Dreyfus. |
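Review bot: the synopsis of the directive, `.B dynlist\-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad>[+<memberOf-ad[@<static-oc>[*]] ...]`, has an unbalanced placeholder: `<memberOf-ad` is never closed, so the optional-bracket nesting cannot be read unambiguously; it should be `[+<memberOf-ad>[@<static-oc>[*]]]` so that each `<...>` placeholder and each `[...]` group closes. Two smaller points in the same hunk. In the BACKWARD COMPATIBILITY section the lines `.B olcDlAttrSet` / `is replaced with olcDynListAttrSet` / `.B olcDynamicList` / `is replaced with olcDynListConfig` are not separated by a `.TP` or `.IP`, so troff will run both replacements together into one paragraph; giving each deprecated parameter its own `.TP` keeps the two mappings distinct, as the FILES section already does for its entry. In the AUTHORIZATION section the text explains that `dgIdentity` makes the URI expansion run as another LDAP user and that `dgAuthz` limits which identities may use it, but it does not say that write access to these two attributes on the group entry therefore needs to be restricted with the server's access controls, since whoever can set `dgIdentity` decides under which identity the internal searches are performed; a sentence to that effect, next to the note that the `dyngroup` schema must be loaded, would make the security model of the feature explicit for administrators.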