SLAPO-AUTOGROUP(5) File Formats Manual SLAPO-AUTOGROUP(5)
NAME
slapo-autogroup - automatic updates of group memberships which meet the
requirements of any filter contained in the group definition.
SYNOPSIS
In slapd.conf:
...
include ETCDIR/schema/dyngroup.schema
...
moduleload autogroup.so
...
database ...
...
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
DESCRIPTION
The autogroup overlay to slapd(8) allows automated updates of group mem-
berships which meet the requirements of any filter contained in the
group definition. The filters are built from LDAP URI-valued attributes.
Any time an object is added/deleted/updated, it is tested for compliance
with the filters, and its membership is accordingly updated. For
searches and compares, it behaves like a static group. If the attribute
part of the URI is filled, the group entry is populated by the values of
this attribute in the entries resulting from the search.
Note that filters that use attributes that are themselves dynamically
computed may not work consistently, and should be avoided.
CONFIGURATION
Either slapd.conf(5) or the cn=config methodology of slapd-config(5) may
be used for configuring autogroup. Both syntaxes are provided here for
convenience:
autogroup-attrset <group-oc> <URL-ad> <member-ad>
olcAutoGroupAttrSet: <group-oc> <URL-ad> <member-ad>
This defines the objectclass-attribute-URI mappings defining the
automatically managed groups, and may appear multiple times.
The value <group-oc> is the name of the objectClass that repre-
sents the group.
The value <URL-ad> is the name of the attributeDescription that
contains the URI that is converted to the filters. If no URI is
present, there will be no members in that group. It must be a
subtype of labeledURI.
The value <member-ad> is the name of the attributeDescription
that specifies the member attribute. User modification of this
attribute is disabled for consistency.
autogroup-memberof-ad <memberof-ad>
olcAutoGroupMemberOfAd <memberof-ad>
This defines the attribute that is used by the memberOf overlay
to store the names of groups that an entry is member of; it must
be DN-valued. It should be set to the same value as memberof-mem-
berof-ad. It defaults to 'memberOf'.
EXAMPLES
As above in SYNOPSIS, or with memberof:
...
include ETCDIR/schema/dyngroup.schema
include ETCDIR/schema/memberof.schema
...
moduleload autogroup.so
moduleload memberof.so
...
database ...
...
overlay memberof
memberof-memberof-ad foo
...
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
autogroup-memberof-ad foo
CAVEATS
As with static groups, update operations on groups with a large number
of members may be slow. If the attribute part of the URI is specified,
modify and delete operations are more difficult to handle. In these
cases the overlay will try to detect if groups have been modified and
then simply refresh them. This can cause performance hits if the search
specified by the URI deals with a significant number of entries.
BACKWARD COMPATIBILITY
The autogroup overlay has been reworked with the 2.5 release to use a
consistent namespace as with other overlays. As a side-effect the fol-
lowing cn=config parameters are deprecated and will be removed in a fu-
ture release:
• olcAGattrSet is replaced with olcAutoGroupAttrSet
• olcAGmemberOfAd is replaced with olcAutoGroupMemberOfAd
• olcAutomaticGroups is replaced with olcAutoGroupConfig
ACKNOWLEDGEMENTS
This module was originally written in 2007 by Michał Szulczyński. Fur-
ther enhancements were contributed by Howard Chu, Raphael Ouazana, Nor-
bert Pueschel, and Christian Manal. Manpage updates provided by Emily
Backes.
SEE ALSO
slapd.conf(5), slapd(8).
Copyrights
Copyright 1998-2024 The OpenLDAP Foundation. Portions Copyright © 2007
Michał Szulczyński. All rights reserved.
OpenLDAP LDVERSION RELEASEDATE SLAPO-AUTOGROUP(5)
Generated by dwww version 1.16 on Tue Dec 16 05:55:05 CET 2025.