[Date Prev][Date Next]
RE: Dynamic groups
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Alan Sparks
> Quanah Gibson-Mount said:
> > There is documentation in slapd.access on how to set up the
> ACL rules
> > for a dynamic group... I can provide you an example here
> of what I've
> > done for our testing purposes.
> > I created an ACL for a dynamic group called
> > "cn=itss,cn=applications,dc=stanford,dc=edu"
> > The ACL looks like this:
> [much snipped]
> I'm a little confused by this. You and Howard have made references to
> dynamic groups in an ACL context... does this mean that dynamic groups
> only work in access statements in slapd.conf?
That is their main purpose, yes. In the Netscape definition, the dynamic
group entry itself is just another static object as far as the server's
concerned. It gets special treatment in an ACL expression, but that's about
all. Here's a good article to give you more background on what we're talking
about, along with sample Perl code to work with groups (both static and
The bottom line is that aside from ACL evaluation, it's up to the client to
evaluate the URLs if you want to know their content.
> When I query against the dyntest object, all I get is the
> object/attributes as I added them, not an enumeration based on the
> memberURL expression.
> Do I misunderstand the purpose of the implementation? Is
> there a missing
> step? I realize the CVS implmentation may not be complete,
> just trying to
> understand what is coming. Thanks for your indulgence.
It works as designed. Of course, there's ways to make it even more useful. In
the "overlays" directory there is a "dyngroup" overlay which extends the LDAP
Compare operation to work with dynamic groups. Adding search expansion would
be a fairly simple exercise as well, it just wasn't one of my priorities.
Also, in my mind if this expansion feature was implemented it would also
require an option(control?) to disable the automatic expansion. Perhaps the
ManageDSAiT control would be appropriate, I haven't thought about it too
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support