(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Configuration : (Category) SLAPD Configuration : (Category) Overlays : (Answer) Dynamic merging of entries: the "dynlist" overlay (OpenLDAP 2.2, 2.3)
The dynlist overlay provides the capability to collect attribute values resulting from the search specified by an LDAP URI-valued attribute into the base entry.

The dynamic collection occurs when an antry with a specified objectClass is being accessed, either for search or compare. All values of a specified LDAP URI-valued attribute are parsed and executed. Only the <DN>, <attrs>, <scope> and <filter> portions of the URI are honored. The attributes resulting from the intersection of those requested in the search and those listed in the <attrs> field of the URI are merged from all the resulting entries.

For instance, a configuration like

        overlay                 dynlist
        dynlist-attrset  groupOfURLs memberURL
when accessing the entry
        dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
        objectClass: groupOfURLs
        cn: Dynamic List
        memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
will return
        # Dynamic List, Groups, example.com
        dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
        objectClass: groupOfURLs
        cn: Dynamic List
        memberURL: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
        mail: bjensen@mailgw.example.com
        mail: bjorn@mailgw.example.com
        mail: dots@mail.alumni.example.com
        mail: jaj@mail.alumni.example.com
        mail: jjones@mailgw.example.com
        mail: jdoe@woof.net
        mail: jen@mail.alumni.example.com
        mail: johnd@mailgw.example.com
        mail: melliot@mail.alumni.example.com
        mail: uham@mail.alumni.example.com

If configured with the additional parameter

        dynlist-attrset  groupOfURLs memberURL member
it behaves much like the dyngroup overlay; the <attrs> portion of the URI must be absent, and the DN of the entries resulting from the search is added as value of the member attribute defined above. For compare operations on the member attribute, all the values of the memberURL attribute of groupOfURLs objects are compared until a match is found; this exploits slapd group caching capabilities.

See also the dyngroup and the expandURL overlays.

The dynlist overlay is distributed with OpenLDAP 2.3; it is known to compile and run fine since OpenLDAP 2.2.

Multiple Attributes and Access Control

dynlist can expand multiple attributes:

So, if you have an entry:
dn: cn=EntryA,dc=example,dc=edu
... with objectClass
objectClass: dynamicListGroup
... with an attribute
expandThisURL: ldap:///cn=EntryB,cn=dynamic,dc=example,dc=edu??base?(objectclass=*)
... all the attributes of cn=EntryB will appended to the object that had the expandThisURL attribute.

dynlist will obey ACLs. So, if UserA were to tries to read cn=EntryA, but they are only allowed to see specific entries in cn=EntryB, only the permissible entries will be appended to cn=EntryA.

Keep in mind, ACLs can be problematic as well. If UserA has permission to read all the attributes of EntryB, but only some attributes of EntryA, you may not get the results you are looking for. In this case, when specifying which attributes in EntryA a user (or group) can read, be sure to specify attributes that will be brought in through the dynamic expansion.
diggyk@diggyk.com, ando@sys-net.it

Multiple Dynamic Elements:

You can have multiple attributes that get expanded. For each expansion you want the overlay to keep an eye out for, just specify multiple sets of the overlay keyword for the database:
overlay dynlist
dynlist-attrpair groupOfURLs memberURL
dynlist-attrset myOrgPerson myOrgPersonMembershipURL

diggyk@diggyk.com, ando@sys-net.it

Configuration as of 2.3.14

ITS#3756 merged dyngroup and dynlist overlays due to their similar functions. As such, the configuration has changed since OpenLDAP 2.3.14. The dynlist-attrpair/dynlist-attrset notation must now be used, in analogy with that of the dyngroup overlay:
dynlist-attrpair dyn-oc URL-ad
... where dyn-oc indicates the objectClass that should be used to trigger the expansion of the entry, and URL-ad denotes the attribute that will contain the URL to be used for the expansion.

Similarly, get a list of the matching entries' DN's instead of attributes (for instance, to dynamically create member attributes in an entry), use the dynlist-attrset statement, that adds the additional member-ad parameter:

dynlist-attrset dyn-oc URL-ad member-ad


overlay dynlist
dynlist-attrpair groupOfURLs memberURL
dynlist-attrset department employeeURL employeeDN


Unlike previous versions, you do not have to have multiple overlay dynlist entries in your configuration; multiple occurrences of the dynlist-attrpair/ dynlist-attrset statement must be used instead, with a caveat: only the first match on the dyn-oc is used.

Also note that in the dynlist-attrset the member-ad arg is optional; if not given, it behaves exactly as the dynlist-attrpair statement, which is deprecated and could be removed in future releases.
diggyk@diggyk.com, ando@sys-net.it

[Append to This Answer]
Previous: (Answer) Compare on dynamic groups: the "dyngroup" overlay (OpenLDAP 2.2)
Next: (Answer) Subordinate database glueing: the "glue" overlay (OpenLDAP 2.3)
This document is: http://www.openldap.org/faq/index.cgi?file=1209
[Search] [Appearance]
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org