Page created: 22 Jul 2020 | Page updated: 1 Feb 2021
You can use dynamic groups for internal operations, such as ACI or component evaluation. The Directory Server itself parses the memberURL and runs the resulting internal LDAP search; however, that internal search operation may not be performed with access control rules applied to it.
For example, the following dynamic group represents an organization's employees within the same department:
dn: cn=department 202,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: department 202
owner: uid=user.1,ou=people,dc=example,dc=com
owner: uid=user.2,ou=people,dc=example,dc=com
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(&(employeeType=employee)(departmentNumber=202))
description: Group of employees in department 202
The above group could be referenced from within an ACI on the dc=example,dc=com entry. For example:
dn: dc=example,dc=com
aci: (targetattr="employeeType")(version 3.0; acl "Grant write access to employeeType"; allow (all) groupdn="ldap:///cn=department 202,ou=groups,dc=example,dc=com";)
Any user whose entry matches the memberURL filter is treated as a member of the group. After binding with their own entry, such a user can modify the employeeType attribute in any entry under dc=example,dc=com. Because membership is resolved by the server's internal search, which is not necessarily subject to access control rules, the grant does not depend on what the bound user could otherwise read.
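To make the evaluation path concrete, the following added example (not from the original page or the Directory Server code base) parses the memberURL above, applies its base, scope and filter to a constructed in-memory set of entries without any ACI check, and then asks whether an ACI whose groupdn names the group would apply to a given bind DN. The entries, DNs and function names are constructed for illustration; DN comparison is simplified to lower-cased string matching.

```python
from urllib.parse import unquote
# Constructed sample directory: DN -> {lower-cased attribute: [values]}. user.4 matches the filter but lies outside the base.
ENTRIES = {
    "uid=user.1,ou=people,dc=example,dc=com": {"employeetype": ["employee"], "departmentnumber": ["202"]},
    "uid=user.2,ou=people,dc=example,dc=com": {"employeetype": ["contractor"], "departmentnumber": ["202"]},
    "uid=user.4,ou=admins,dc=example,dc=com": {"employeetype": ["employee"], "departmentnumber": ["202"]},
}
MEMBER_URL = "ldap:///ou=People,dc=example,dc=com??sub?(&(employeeType=employee)(departmentNumber=202))"

def parse_member_url(url):
    """Split an RFC 4516 URL 'ldap:///base?attrs?scope?filter' into (base, scope, filter)."""
    parts = unquote(url.removeprefix("ldap:///")).split("?") + [""] * 3
    base, _attrs, scope, filt = parts[:4]
    return base.lower(), (scope.lower() or "base"), (filt or "(objectClass=*)")

def parse_filter(s, i=0):
    """Recursive-descent parser for the filter subset memberURL values use: &, |, !, attr=value."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":                       # composite filter: parse each child in turn
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1            # i + 1 skips the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")  # equality match only
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, comparing names and values case-insensitively."""
    if node[0] == "=":
        return node[2].lower() in (v.lower() for v in entry.get(node[1], []))
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def in_scope(dn, base, scope):
    # Simplified scoping: 'base' and 'sub' only, by lower-cased string comparison (no DN normalization).
    dn = dn.lower()
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def dynamic_members(member_url, entries=ENTRIES):
    """DNs the internal search would place in the group; like that search, no ACI is applied here."""
    base, scope, filt = parse_member_url(member_url)
    node, _ = parse_filter(filt)
    return sorted(dn for dn, e in entries.items() if in_scope(dn, base, scope) and matches(node, e))

def groupdn_aci_applies(bind_dn, member_url=MEMBER_URL, entries=ENTRIES):
    """True if an ACI whose groupdn names this dynamic group would apply to bind_dn."""
    return bind_dn.lower() in (dn.lower() for dn in dynamic_members(member_url, entries))
```

With the sample entries only user.1 ends up in the group: user.2 fails the employeeType test and user.4 is outside ou=People, so the ACI grants write on employeeType to user.1 alone.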