Provided by: slapd_2.6.9+dfsg-2ubuntu1_amd64 
NAME
slapo-autogroup - automatic updates of group memberships which meet the requirements of any filter
contained in the group definition.
SYNOPSIS
In slapd.conf:
...
include ETCDIR/schema/dyngroup.schema
...
moduleload autogroup.so
...
database ...
...
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
DESCRIPTION
The autogroup overlay to slapd(8) allows automated updates of group memberships which meet the
requirements of any filter contained in the group definition. The filters are built from LDAP URI-valued
attributes. Any time an object is added/deleted/updated, it is tested for compliance with the filters,
and its membership is accordingly updated. For searches and compares, it behaves like a static group. If
the attribute part of the URI is filled, the group entry is populated by the values of this attribute in
the entries resulting from the search.
Note that filters that use attributes that are themselves dynamically computed may not work consistently,
and should be avoided.
CONFIGURATION
Either slapd.conf(5) or the cn=config methodology of slapd-config(5) may be used for configuring
autogroup. Both syntaxes are provided here for convenience:
autogroup-attrset <group-oc> <URL-ad> <member-ad>
olcAutoGroupAttrSet: <group-oc> <URL-ad> <member-ad>
This defines the objectclass-attribute-URI mappings defining the automatically managed groups, and
may appear multiple times.
The value <group-oc> is the name of the objectClass that represents the group.
The value <URL-ad> is the name of the attributeDescription that contains the URI that is converted
to the filters. If no URI is present, there will be no members in that group. It must be a subtype
of labeledURI.
The value <member-ad> is the name of the attributeDescription that specifies the member attribute.
User modification of this attribute is disabled for consistency.
autogroup-memberof-ad <memberof-ad>
olcAutoGroupMemberOfAd <memberof-ad>
This defines the attribute that is used by the memberOf overlay to store the names of groups that
an entry is member of; it must be DN-valued. It should be set to the same value as memberof-
memberof-ad. It defaults to 'memberOf'.
EXAMPLES
As above in SYNOPSIS, or with memberof:
...
include ETCDIR/schema/dyngroup.schema
include ETCDIR/schema/memberof.schema
...
moduleload autogroup.so
moduleload memberof.so
...
database ...
...
overlay memberof
memberof-memberof-ad foo
...
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
autogroup-memberof-ad foo
CAVEATS
As with static groups, update operations on groups with a large number of members may be slow. If the
attribute part of the URI is specified, modify and delete operations are more difficult to handle. In
these cases the overlay will try to detect if groups have been modified and then simply refresh them.
This can cause performance hits if the search specified by the URI deals with a significant number of
entries.
BACKWARD COMPATIBILITY
The autogroup overlay has been reworked with the 2.5 release to use a consistent namespace as with other
overlays. As a side-effect the following cn=config parameters are deprecated and will be removed in a
future release:
• olcAGattrSet is replaced with olcAutoGroupAttrSet
• olcAGmemberOfAd is replaced with olcAutoGroupMemberOfAd
• olcAutomaticGroups is replaced with olcAutoGroupConfig
ACKNOWLEDGEMENTS
This module was originally written in 2007 by Michał Szulczyński. Further enhancements were contributed
by Howard Chu, Raphael Ouazana, Norbert Pueschel, and Christian Manal. Manpage updates provided by Emily
Backes.
SEE ALSO
slapd.conf(5), slapd(8).
Copyrights
Copyright 1998-2024 The OpenLDAP Foundation. Portions Copyright © 2007 Michał Szulczyński. All rights
reserved.
OpenLDAP LDVERSION RELEASEDATE SLAPO-AUTOGROUP(5)