[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Dynamic groups

To: "'Alan Sparks'" <asparks@doublesparks.net>, <quanah@stanford.edu>
Subject: RE: Dynamic groups
From: "Howard Chu" <hyc@symas.com>
Date: Tue, 7 Oct 2003 19:51:20 -0700
Cc: <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <4496.192.168.2.6.1065577386.squirrel@www.doublesparks.net>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Alan Sparks

> Quanah Gibson-Mount said:
> > There is documentation in slapd.access on how to set up the
> ACL rules
> > for a  dynamic group... I can provide you an example here
> of what I've
> > done for  our testing purposes.
> >
> > I created an ACL for a dynamic group called
> > "cn=itss,cn=applications,dc=stanford,dc=edu"
> >
> > The ACL looks like this:
> [much snipped]
>
> I'm a little confused by this.  You and Howard have made references to
> dynamic groups in an ACL context... does this mean that dynamic groups
> only work in access statements in slapd.conf?

That is their main purpose, yes. In the Netscape definition, the dynamic
group entry itself is just another static object as far as the server's
concerned. It gets special treatment in an ACL expression, but that's about
all. Here's a good article to give you more background on what we're talking
about, along with sample Perl code to work with groups (both static and
dynamic):
http://www.newarchitectmag.com/documents/s=5087/new1013637309/index.html

The bottom line is that aside from ACL evaluation, it's up to the client to
evaluate the URLs if you want to know their content.

> When I query against the dyntest object, all I get is the
> object/attributes as I added them, not an enumeration based on the
> memberURL expression.
>
> Do I misunderstand the purpose of the implementation?  Is
> there a missing
> step?  I realize the CVS implmentation may not be complete,
> just trying to
> understand what is coming.  Thanks for your indulgence.
> -Alan

It works as designed. Of course, there's ways to make it even more useful. In
the "overlays" directory there is a "dyngroup" overlay which extends the LDAP
Compare operation to work with dynamic groups. Adding search expansion would
be a fairly simple exercise as well, it just wasn't one of my priorities.
Also, in my mind if this expansion feature was implemented it would also
require an option(control?) to disable the automatic expansion. Perhaps the
ManageDSAiT control would be appropriate, I haven't thought about it too
much.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Follow-Ups:
- RE: Dynamic groups
  - From: "Alan Sparks" <asparks@doublesparks.net>

References:
- Dynamic groups
  - From: "Alan Sparks" <asparks@doublesparks.net>

Prev by Date: Dynamic groups
Next by Date: RE: Dynamic groups
Index(es):
- Chronological
- Thread