The dynlist overlay to slapd(8) allows expansion of dynamic groups
and more. Any time an entry with a specific objectClass (defined in
the overlay configuration) is being returned, the LDAP URI-valued
occurrences of a specific attribute (also defined in the overlay
configuration) are expanded into the corresponding entries, and the
values of the attributes listed in the URI are added to the original
entry. No recursion is allowed, to avoid potential infinite loops.
Since the resulting entry is dynamically constructed, it does not
exist until it is constructed while being returned. As a
consequence, dynamically added attributes do not participate in the
filter matching phase of the search request handling. In other
words, filtering for dynamically added attributes always fails.
The resulting entry must comply with the LDAP data model, so
constraints are enforced. For example, if a SINGLE-VALUE attribute
is listed, only the first value found during the list expansion
appears in the final entry. The above described behavior is disabled
when the manageDSAit control (RFC 3296) is used. In that case, the
contents of the dynamic group entry is returned; namely, the URLs are
returned instead of being expanded.
The config directives that are specific to the dynlist overlay must
be prefixed by dynlist-, to avoid potential conflicts with directives
specific to the underlying database or to other stacked overlays.
This directive adds the dynlist overlay to the current
database, or to the frontend, if used before any database
instantiation; see slapd.conf(5) for details.
This slapd.conf configuration option is defined for the dynlist
overlay. It may have multiple occurrences, and it must appear after
the overlay directive.
dynlist-attrset <group-oc> [<URI>] <URL-ad> [[<mapped-ad>:]<member-ad> ...]
The value group-oc is the name of the objectClass that
triggers the dynamic expansion of the data.
The optional URI restricts expansion only to entries matching
the DN, the scope and the filter portions of the URI.
The value URL-ad is the name of the attributeDescription that
contains the URI that is expanded by the overlay; if none is
present, no expansion occurs. If the intersection of the
attributes requested by the search operation (or the asserted
attribute for compares) and the attributes listed in the URI
is empty, no expansion occurs for that specific URI. It must
be a subtype of labeledURI.
The value member-ad is optional; if present, the overlay
behaves as a dynamic group: this attribute will list the DN of
the entries resulting from the internal search. In this case,
the attrs portion of the URIs in the URL-ad attribute must be
absent, and the DNs of all the entries resulting from the
expansion of the URIs are listed as values of this attribute.
Compares that assert the value of the member-ad attribute of
entries with group-oc objectClass apply as if the DN of the
entries resulting from the expansion of the URI were present
in the group-oc entry as values of the member-ad attribute.
Alternatively, mapped-ad can be used to remap attributes
obtained through expansion. member-ad attributes are not
filled by expanded DN, but are remapped as mapped-ad
attributes. Multiple mapping statements can be used.
The dynlist overlay may be used with any backend, but it is mainly
intended for use with local storage backends. In case the URI
expansion is very resource-intensive and occurs frequently with well-
defined patterns, one should consider adding a proxycache later on in
the overlay stack.
By default the expansions are performed using the identity of the
current LDAP user. This identity may be overridden by setting the
dgIdentity attribute in the group's entry to the DN of another LDAP
user. In that case the dgIdentity will be used when expanding the
URIs in the object. Setting the dgIdentity to a zero-length string
will cause the expansions to be performed anonymously. Note that the
dgIdentity attribute is defined in the dyngroup schema, and this
schema must be loaded before the dgIdentity authorization feature may
be used. If the dgAuthz attribute is also present in the group's
entry, its values are used to determine what identities are
authorized to use the dgIdentity to expand the group. Values of the
dgAuthz attribute must conform to the (experimental) OpenLDAP authz
This example collects all the email addresses of a database into a
single entry; first of all, make sure that slapd.conf contains the
dynlist-attrset groupOfURLs memberURL
and that slapd loads dynlist.la, if compiled as a run-time module;
then add to the database an entry like
dn: cn=Dynamic List,ou=Groups,dc=example,dc=com
cn: Dynamic List
If no <attrs> are provided in the URI, all (non-operational)
attributes are collected.
This example implements the dynamic group feature on the member
dynlist-attrset groupOfURLs memberURL member
A dynamic group with dgIdentity authorization could be created with
an entry like
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com
cn: Dynamic Group
dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com
This page is part of the OpenLDAP (an open source implementation of
the Lightweight Directory Access Protocol) project. Information
about the project can be found at ⟨http://www.openldap.org/⟩. If you
have a bug report for this manual page, see
⟨http://www.openldap.org/its/⟩. This page was obtained from the
project's upstream Git repository
⟨git://git.openldap.org/openldap.git⟩ on 2017-03-13. If you discover
any rendering problems in this HTML version of the page, or you
believe there is a better or more up-to-date source for the page, or
you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
OpenLDAP LDVERSION RELEASEDATE SLAPO-DYNLIST(5)