Use dynamic groups for internal operations, such as Access control instruction (ACI) or component evaluation.
The PingDirectory server performs the
memberurl parsing and internal LDAP search. However, the internal search
operation cannot be performed with access control instructions applied to it.
For example, the following dynamic group represents an organization’s employees within the same department.
dn: cn=department 202,ou=groups,dc=example,dc=com objectClass: top objectClass: groupOfURLs cn: department 202 owner: uid=user.1,ou=people,dc=example,dc=com owner: uid=user.2,ou=people,dc=example,dc=com memberURL: ldap:///ou=People,dc=example,dc=com??sub? (&(employeeType=employee)(departmentNumber=202)) description: Group of employees in department 202
The above group could be referenced from within the ACI at the dc=example,dc=com entry, as in the following example.
dn:dc=example,dc=com aci: (targetattr="employeeType") (version 3.0; acl "Grant write access to employeeType" ; allow (all) groupdn="ldap:///cn=department 202,ou=groups,dc=example,dc=com";)
Any user matching the filter can bind to the server with their entry and modify the
employeeType attribute within any entry under