Dynamic merging of entries: the "dynlist" overlay (OpenLDAP 2.2, 2.3)
The dynlist overlay provides the capability to collect attribute values
resulting from the search specified by an LDAP URI-valued attribute into
the base entry.
The dynamic collection occurs when an entry with a specified objectClass
is being accessed, either for search or compare.
All values of a specified LDAP URI-valued attribute are parsed and executed.
Only the <DN>, <attrs>, <scope> and <filter>
portions of the URI are honored.
The attributes resulting from the intersection of those requested in the search
and those listed in the <attrs> field of the URI are merged
from all the resulting entries.
For instance, a configuration like

    overlay dynlist
    dynlist-attrset groupOfURLs memberURL

when accessing the entry

    dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
    objectClass: groupOfURLs
    cn: Dynamic List
    memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)

will return

    # Dynamic List, Groups, example.com
    dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
    objectClass: groupOfURLs
    cn: Dynamic List
    memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
    mail: email@example.com
    mail: firstname.lastname@example.org
    mail: email@example.com
    mail: firstname.lastname@example.org
    mail: email@example.com
    mail: firstname.lastname@example.org
    mail: email@example.com
    mail: firstname.lastname@example.org
    mail: email@example.com
    mail: firstname.lastname@example.org

If configured with the additional parameter

    dynlist-attrset groupOfURLs memberURL member

it behaves much like the dyngroup overlay; the <attrs> portion of the URI must be absent, and the DN of the entries resulting from the search is added as value of the member attribute defined above. For compare operations on the member attribute, all the values of the memberURL attribute of groupOfURLs objects are compared until a match is found; this exploits slapd group caching capabilities. See also the dyngroup and the expandURL overlays.
The dynlist overlay is distributed with OpenLDAP 2.3;
it is known to compile and run fine since OpenLDAP 2.2.
Multiple Attributes and Access Control
dynlist can expand multiple attributes:
So, if you have an entry:

    dn: cn=EntryA,dc=example,dc=edu

... with objectClass

    objectClass: dynamicListGroup

... with an attribute

    expandThisURL: ldap:///cn=EntryB,cn=dynamic,dc=example,dc=edu??base?(objectclass=*)

... all the attributes of
Keep in mind, ACLs can be problematic as well. If UserA has permission to read all the attributes of EntryB, but only some attributes of EntryA, you may not get the results you are looking for. In this case, when specifying which attributes in EntryA a user (or group) can read, be sure to specify attributes that will be brought in through the dynamic expansion.
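
The URI handling and the ACL caveat above can be checked before deployment with a short script. This is an added example, not OpenLDAP code and not part of the original FAQ: it splits a URL-valued attribute into the four honored parts, computes the intersection of requested and listed attributes, and reports which expanded attributes an ACL on the dynamic entry does not cover. The function names and the readable-attribute lists are hypothetical, and treating an empty <attrs> field as "no restriction" is an assumption.

```python
from urllib.parse import unquote

def parse_member_url(url):
    """Split an LDAP URL into the parts dynlist honors: DN, attrs, scope, filter."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError(f"not an ldap:// URL: {url!r}")
    host, _, tail = rest.partition("/")
    # Split on '?' first, then percent-decode each field (RFC 4516 order).
    dn, attrs, scope, filt = (unquote(f) for f in (tail.split("?") + [""] * 4)[:4])
    return {
        "host": host,  # kept only so a review can flag it; not an honored part
        "dn": dn,
        "attrs": [a.strip() for a in attrs.split(",") if a.strip()],
        "scope": (scope or "base").lower(),    # RFC 4516 default
        "filter": filt or "(objectClass=*)",   # RFC 4516 default
    }

def expanded_attrs(url, requested):
    """Attributes merged into the base entry: requested ∩ URL <attrs>."""
    listed = {a.lower() for a in parse_member_url(url)["attrs"]}
    wanted = {a.lower() for a in requested}
    if not wanted or "*" in wanted:   # client asked for all user attributes
        return listed or {"*"}        # "*" marks an unbounded expansion
    if not listed:                    # assumption: empty <attrs> means no restriction
        return wanted
    return listed & wanted

def acl_gaps(url, requested, readable_on_base):
    """Expanded attributes that the ACL on the dynamic entry does not list."""
    readable = {a.lower() for a in readable_on_base}
    return sorted(expanded_attrs(url, requested) - readable)

if __name__ == "__main__":
    # URLs are the two shown on this page; the ACL attribute lists are constructed.
    member_url = "ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)"
    expand_url = "ldap:///cn=EntryB,cn=dynamic,dc=example,dc=edu??base?(objectclass=*)"
    cases = [
        (member_url, ["cn", "mail"], ["cn", "memberURL"]),
        (member_url, ["cn", "mail"], ["cn", "memberURL", "mail"]),
        (expand_url, ["*"], ["cn", "expandThisURL"]),
    ]
    for url, requested, readable in cases:
        print(parse_member_url(url)["dn"], "->", acl_gaps(url, requested, readable) or "covered")
```

A result of ["*"] means the expansion is not bounded by either the URL or the request, so the ACL on the dynamic entry needs an explicit decision about every attribute the target entries can carry.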
Multiple Dynamic Elements:
You can have multiple attributes that get expanded. For each expansion you want the overlay to keep an eye out for, just specify multiple sets of the overlay keyword for the database:

    overlay dynlist
    dynlist-attrpair groupOfURLs memberURL
    dynlist-attrset myOrgPerson myOrgPersonMembershipURL

Configuration as of 2.3.14
ITS#3756 merged dyngroup and dynlist overlays due to their similar functions. As such, the configuration has changed since OpenLDAP 2.3.14. The dynlist-attrpair/dynlist-attrset notation must now be used, in analogy with that of the dyngroup overlay:

    dynlist-attrpair dyn-oc URL-ad

... where

    dynlist-attrset dyn-oc URL-ad member-ad

    overlay dynlist
    dynlist-attrpair groupOfURLs memberURL
    dynlist-attrset department employeeURL employeeDN

Note: Unlike previous versions, you do not have to have multiple