1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
.TH SLAPO-AUTOGROUP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 1998-2022 The OpenLDAP Foundation All Rights Reserved.
.\" Portions Copyright \[u00A9] 2007 Michał Szulczyński.
.\" Copying restrictions apply. See the COPYRIGHT file.
.\" $OpenLDAP$
.SH NAME
\FCslapo-autogroup\FT \- automatic updates of group memberships which meet the
requirements of any filter contained in the group definition.
.SH SYNOPSIS
In \FCslapd.conf\FT:
...
\FCinclude ETCDIR/schema/dyngroup.schema\FT
...
\FCmoduleload autogroup.so\FT
...
\FCdatabase\FT ...
...
\FCoverlay autogroup\FT
\FCautogroup-attrset groupOfURLs memberURL member\FT
.SH DESCRIPTION
The
.B autogroup
overlay to
.BR slapd (8)
allows automated updates of group memberships which meet the requirements
of any filter contained in the group definition. The filters are built from
LDAP URI-valued attributes. Any time an object is added/deleted/updated, it is
tested for compliance with the filters, and its membership is accordingly
updated. For searches and compares, it behaves like a static group.
If the attribute part of the URI is filled, the group entry is populated by
the values of this attribute in the entries resulting from the search.
.SH CONFIGURATION
Either
.BR \FCslapd.conf\FT (5)
or the \FCcn=config\FT methodology of
.BR \FCslapd-config\FT (5)
may be used for configuring autogroup. Both syntaxes are provided
here for convenience:
.TP
.B \FCautogroup-attrset\FT <group-oc> <URL-ad> <member-ad>
.TP
.B \FColcAutoGroupAttrSet:\FT <group-oc> <URL-ad> <member-ad>
This defines the objectclass-attribute-URI mappings defining the
automatically managed groups, and may appear multiple times.
The value <group-oc> is the name of the objectClass that represents
the group.
The value <URL-ad> is the name of the attributeDescription that
contains the URI that is converted to the filters. If no URI is
present, there will be no members in that group. It must be a subtype
of labeledURI.
The value <member-ad> is the name of the attributeDescription that
specifies the member attribute. User modification of this attribute is
disabled for consistency.
.TP
.B \FCautogroup-memberof-ad\FT <memberof-ad>
.TP
.B \FColcAutoGroupMemberOfAd\FT <memberof-ad>
This defines the attribute that is used by the memberOf overlay to
store the names of groups that an entry is member of; it must be
DN-valued. It should be set to the same value as
memberof-memberof-ad. It defaults to 'memberOf'.
.SH EXAMPLES
As above in SYNOPSIS, or with memberof:
...
\FCinclude ETCDIR/schema/dyngroup.schema\FT
\FCinclude ETCDIR/schema/memberof.schema\FT
...
\FCmoduleload autogroup.so\FT
\FCmoduleload memberof.so\FT
...
\FCdatabase\FT ...
...
\FCoverlay memberof\FT
\FCmemberof-memberof-ad\FT foo
...
\FCoverlay autogroup\FT
\FCautogroup-attrset groupOfURLs memberURL member\FT
\FCautogroup-memberof-ad\FT foo
.SH CAVEATS
As with static groups, update operations on groups with a large number
of members may be slow. If the attribute part of the URI is specified,
modify and delete operations are more difficult to handle. In these
cases the overlay will try to detect if groups have been modified and
then simply refresh them. This can cause performance hits if the
search specified by the URI deals with a significant number of
entries.
.SH BACKWARD COMPATIBILITY
The autogroup overlay has been reworked with the 2.5 release to use
a consistent namespace as with other overlays. As a side-effect the
following cn=config parameters are deprecated and will be removed in
a future release:
.IP \[bu] 2
.B olcAGattrSet
is replaced with olcAutoGroupAttrSet
.IP \[bu]
.B olcAGmemberOfAd
is replaced with olcAutoGroupMemberOfAd
.IP \[bu]
.B olcAutomaticGroups
is replaced with olcAutoGroupConfig
.SH ACKNOWLEDGEMENTS
This module was originally written in 2007 by Michał
Szulczyński. Further enhancements were contributed by Howard
Chu, Raphael Ouazana, Norbert Pueschel, and Christian Manal. Manpage
updates provided by Emily Backes.
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
.SH Copyrights
Copyright 1998-2022 The OpenLDAP Foundation.
Portions Copyright \[u00A9] 2007 Michał Szulczyński.
All rights reserved.
|
