autogroup overlay Readme

DESCRIPTION
    The autogroup overlay allows automated updates of group memberships which
    meet the requirements of any filter contained in the group definition.
    The filters are built from LDAP URI-valued attributes. Any time an object
    is added/deleted/updated, it is tested for compliance with the filters,
    and its membership is accordingly updated. For searches and compares
    it behaves like a static group.
    If the attribute part of the URI is filled, the group entry is populated
    by the values of this attribute in the entries resulting from the search.

BUILDING
    A Makefile is included.

CONFIGURATION
    # dyngroup.schema:
        The dyngroup schema must be modified, adding the 'member' attribute
        to the MAY clause of the groupOfURLs object class, i.e.:

        objectClass ( NetscapeLDAPobjectClass:33
            NAME 'groupOfURLs'
            SUP top STRUCTURAL
            MUST cn
            MAY ( memberURL $ businessCategory $ description $ o $ ou $
                owner $ seeAlso $ member) )


    # slapd.conf:

    moduleload /path/to/autogroup.so
        Loads the overlay (OpenLDAP must be built with --enable-modules).

    overlay autogroup
        This directive adds the autogroup overlay to the current database.

    autogroup-attrset <group-oc> <URL-ad> <member-ad>
        This configuration option is defined for the autogroup overlay.
        It may have multiple occurrences, and it must appear after the
        overlay directive.

        The value <group-oc> is the name of the objectClass that represents
        the group.

        The value <URL-ad> is the name of the attributeDescription that
        contains the URI that is converted to the filters. If no URI is
        present, there will be no members in that group. It must be a subtype
        of labeledURI.

        The value <member-ad> is the name of the attributeDescription that
        specifies the member attribute. User modification of this attribute
        is disabled for consistency.

    autogroup-memberof-ad <memberof-ad>
        This configuration option is defined for the autogroup overlay.

        It defines the attribute that is used by the memberOf overlay
        to store the names of groups that an entry is a member of; it must be
        DN-valued. It should be set to the same value as
        memberof-memberof-ad. It defaults to 'memberOf'.


EXAMPLE
    ### slapd.conf
    include /path/to/dyngroup.schema
    # ...
    moduleload /path/to/autogroup.so
    # ...

    database <database>
    # ...

    overlay autogroup
    autogroup-attrset groupOfURLs memberURL member
    ### end slapd.conf

    ### slapd.conf
    include /path/to/dyngroup.schema
    # ...
    moduleload /path/to/autogroup.so
    moduleload /path/to/memberof.so
    # ...

    database <database>
    #...

    overlay memberof
    memberof-memberof-ad foo

    overlay autogroup
    autogroup-attrset groupOfURLs memberURL member
    autogroup-memberof-ad foo
    ### end slapd.conf

CAVEATS
    As with static groups, update operations on groups with a large number
    of members may be slow.
    If the attribute part of the URI is specified, modify and delete operations
    are more difficult to handle. In these cases the overlay will try to detect
    if groups have been modified and then simply refresh them. This can cause
    performance hits if the search specified by the URI deals with a significant
    number of entries.

ACKNOWLEDGEMENTS
    This module was originally written in 2007 by Michał Szulczyński. Further
    enhancements were contributed by Howard Chu, Raphael Ouazana,
    Norbert Pueschel, and Christian Manal.

---
Copyright 1998-2021 The OpenLDAP Foundation.
Portions Copyright (C) 2007 Michał Szulczyński.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in file LICENSE in the
top-level directory of the distribution or, alternatively, at
http://www.OpenLDAP.org/license.html.
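
Added example (not part of the original README or of the OpenLDAP code): a Python model of the membership rule in DESCRIPTION, showing both the empty and the filled attribute part of a memberURL value. The function names, the sample entries and the reduced filter subset (&, |, !, equality, presence) are assumptions made for illustration; it does not talk to slapd.

```python
from urllib.parse import unquote

ENTRIES = {  # constructed sample entries (DN -> attributes), not from the README
    "uid=alice,ou=people,dc=example,dc=com": {"departmentNumber": ["42"], "mail": ["alice@example.com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"departmentNumber": ["7"], "mail": ["bob@example.com"]},
    "uid=svc,ou=services,dc=example,dc=com": {"departmentNumber": ["42"]},
}

def parse_member_url(url):
    """Split a host-less LDAP URI into (base, attr, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected ldap:///base?attr?scope?filter")
    fields = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    base, attr, scope, flt = (unquote(f) for f in fields)
    return base, attr or None, scope or "base", flt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """Simplified DN scoping: case-insensitive, no escaped commas."""
    dn, base = dn.lower(), base.lower()
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def matches(flt, entry):
    """Evaluate a filter subset: &, |, !, equality and presence."""
    body = flt[1:-1]
    if body[0] in "&|!":
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                start, depth = (i if depth == 0 else start), depth + 1
            elif ch == ")":
                depth -= 1
                if depth == 0:  # one complete top-level sub-filter
                    subs.append(matches(body[start:i + 1], entry))
        return {"&": all(subs), "|": any(subs), "!": not any(subs)}[body[0]]
    attr, _, value = body.partition("=")
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(values) if value == "*" else value.lower() in values

def expand_group(member_urls, entries):
    """Members a group with these URI values would hold for `entries`."""
    members = set()
    for url in member_urls:
        base, attr, scope, flt = parse_member_url(url)
        for dn, entry in entries.items():
            if in_scope(dn, base, scope) and matches(flt, entry):
                # Filled attribute part: take its values; otherwise the DN.
                members.update(entry.get(attr, []) if attr else [dn])
    return sorted(members)
```

Because membership is recomputed from entry data, write access to any attribute named in a memberURL filter is effectively write access to the group, so access controls on those attributes deserve the same review as the group entry itself.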