
RE: slow adds of member attribute in large groups

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Alan Sparks

> Dynamic groups are something I've been dreaming about for some time
> (says a lot about my life...).  Is there any available documentation
> describing the implementation of such in OpenLDAP 2.2?
> -Alan

As Quanah pointed out, the slapd manpages for Release 2.2 have been updated
with some information on using dynamic groups. IBM has a concise description
of dynamic groups here:

The implementation in OpenLDAP pretty much follows the above description.

The OpenLDAP implementation differs from Netscape's (see
http://enterprise.netscape.com/docs/enterprise/61/admin/esusrgrp.htm ) in at
least one respect - Netscape's doc says a group entry may be both static and
dynamic, by including both the GroupOfNames and GroupOfURLs objectclasses in
the entry. However, both of those objectclasses are Structural, and an entry
is not allowed to have more than one Structural objectclass, so this
combination is not permitted in OpenLDAP. (Also the current OpenLDAP ACL
syntax only allows specifying a single attribute in a group ACL, so it must
be either a DN attribute or a URL attribute; you can't specify both at once.
You can of course use a URL that lists a specific DN, if you really want a
static member in a dynamic group.)

Because there is no distinct LDAP syntax for URLs, for efficiency reasons the
slapd code requires the chosen URL attribute to inherit from (be a subtype
of) the labeledURL attribute. I envisioned adding some kind of URL syntax
validator down the road, and this approach would assist that effort. (But
that's for another day.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
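
An added illustration, not part of the original message and not OpenLDAP's code: how membership in a URL-based group can be evaluated, including the "URL that lists a specific DN" case mentioned above. It assumes the standard LDAP URL form (RFC 4516), handles only simple equality and presence filters, and uses constructed DNs and URLs.

```python
import re
from urllib.parse import unquote

def norm_dn(dn):
    # Simplified DN normalisation (assumption: no escaped commas in RDN values).
    return tuple(r.strip().lower() for r in dn.split(",") if r.strip())

def parse_member_url(url):
    # ldap:///<base>?<attrs>?<scope>?<filter>; scope defaults to base and
    # filter to (objectClass=*), as in the LDAP URL format (RFC 4516).
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are handled")
    parts = [unquote(p) for p in url[8:].split("?")] + [""] * 3
    return norm_dn(parts[0]), (parts[2] or "base").lower(), parts[3] or "(objectClass=*)"

def in_scope(dn, base, scope):
    under = len(dn) > len(base) and dn[len(dn) - len(base):] == base
    return {"base": dn == base,
            "one": under and len(dn) == len(base) + 1,
            "sub": dn == base or under}[scope]  # unknown scope raises KeyError

def matches(entry, flt):
    # Only (attr=value) and (attr=*) are handled; anything else is refused
    # rather than guessed at, so an unsupported filter never grants membership.
    m = re.fullmatch(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)", flt)
    if not m or ("*" in m.group(2) and m.group(2) != "*"):
        raise ValueError("unsupported filter: " + flt)
    attr, want = m.group(1).lower(), m.group(2).lower()
    have = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(have) if want == "*" else want in have

def is_member(dn, entry, member_urls):
    for base, scope, flt in map(parse_member_url, member_urls):
        if in_scope(norm_dn(dn), base, scope) and matches(entry, flt):
            return True
    return False

# Constructed sample data; the second URL names one DN with base scope,
# which makes that entry a "static" member of the dynamic group.
GROUP_URLS = [
    "ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)",
    "ldap:///uid=carol,ou=contractors,dc=example,dc=com??base?(objectClass=*)",
]
PEOPLE = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"], "departmentNumber": ["42"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"], "departmentNumber": ["7"]},
    "uid=carol,ou=contractors,dc=example,dc=com": {"objectClass": ["person"]},
    "uid=dave,ou=contractors,dc=example,dc=com": {"objectClass": ["person"], "departmentNumber": ["42"]},
}
def members():
    return sorted(dn for dn, e in PEOPLE.items() if is_member(dn, e, GROUP_URLS))
```

Here dave matches the filter but sits outside the search base, so he is not a member; carol is a member only through the base-scope URL.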