Dynamic groups can be used for internal operations, such as access control instruction (ACI) evaluation or component evaluation. To determine membership, the PingDirectory server parses the group's memberURL attribute and performs an internal LDAP search for the entries the URL selects. Note that this internal search is performed without access control instructions applied to it, so ACIs do not restrict which entries the memberURL filter can match.
For example, the following dynamic group represents an organization’s employees within the same department.
dn: cn=department 202,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: department 202
owner: uid=user.1,ou=people,dc=example,dc=com
owner: uid=user.2,ou=people,dc=example,dc=com
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(&(employeeType=employee)(departmentNumber=202))
description: Group of employees in department 202
This group can then be referenced from an ACI on the dc=example,dc=com entry, as in the following example.
dn: dc=example,dc=com
aci: (targetattr="employeeType")
(version 3.0; acl "Grant write access to employeeType" ;
allow (all) groupdn="ldap:///cn=department 202,ou=groups,dc=example,dc=com";)
Any user whose entry matches the memberURL filter can bind with that entry and modify the employeeType attribute of any entry under dc=example,dc=com. Two points are worth checking before deploying an ACI like this. First, allow (all) grants every permission on employeeType (read, search, compare and write, not only the write access the acl name describes); use allow (write) if modification is all that is intended. Second, membership is derived from the same attribute the ACI lets members write: a member can set employeeType to employee on any other entry under ou=People that has departmentNumber 202, which makes that entry a member and gives it the same write access. If that is not acceptable, base the filter on an attribute the members cannot modify.
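The following is an added example, not code from PingDirectory or the page's author. It shows what the server's memberURL evaluation described above amounts to: parse the LDAP URL into base, attributes, scope and filter (RFC 4516), then search the tree for entries in scope that match the filter, with no ACI applied to that search. The directory is an in-memory dict of constructed entries mirroring the page's example, and write_employee_type is a hypothetical simulation of the page's ACI, added to show how a member can widen the group by writing employeeType. The filter evaluator supports only and/or/not, equality and presence assertions.

```python
"""Added example (not PingDirectory code): evaluate a groupOfURLs memberURL.
Directory contents and the ACI simulation are constructed for illustration."""
from urllib.parse import unquote


def normalize_dn(dn):
    # Simplified DN normalization (lowercase, trim around commas); escaped
    # commas and multi-valued RDNs are not handled.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter into its components (RFC 4516)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    host, _, path = url[len("ldap://"):].partition("/")
    base, attrs, scope, flt = (unquote(p) for p in (path.split("?") + [""] * 4)[:4])
    scope = scope.lower() or "base"          # RFC 4516: default scope is base
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope: %r" % scope)
    return {"host": host, "base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope, "filter": flt or "(objectClass=*)"}


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is within base_dn for the given search scope."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    if e == b:
        return scope in ("base", "sub")
    if not e.endswith("," + b):
        return False
    depth = e[: -len(b) - 1].count(",") + 1  # number of RDNs below the base
    return scope == "sub" or depth == 1


def parse_filter(s, i=0):
    """Recursive-descent parser for a subset of RFC 4515 filters: &, |, !,
    equality (attr=value) and presence (attr=*). Returns (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", [node]), i + 1
    j = s.find(")", i)
    attr, sep, val = s[i:j].partition("=")        # equality/presence only
    if j < 0 or not sep:
        raise ValueError("unsupported filter item %r" % s[i:j])
    return ("=", attr.lower(), val), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr_lowercase: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    if val == "*":                    # presence filter
        return bool(values)
    return val.lower() in values      # case-insensitive equality (caseIgnoreMatch)


def dynamic_members(member_url, directory):
    """Members of a groupOfURLs: entries in the URL's base/scope matching its
    filter. As with the server's internal search, no ACI is consulted here."""
    url = parse_ldap_url(member_url)
    node, _ = parse_filter(url["filter"])
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, url["base"], url["scope"]) and matches(node, entry))


# Constructed sample data mirroring the page's example (not real users).
MEMBER_URL = ("ldap:///ou=People,dc=example,dc=com??sub?"
              "(&(employeeType=employee)(departmentNumber=202))")
ACI_TARGET = "dc=example,dc=com"      # entry carrying the page's ACI


def sample_directory():
    def person(uid, etype, dept):
        return ("uid=%s,ou=People,dc=example,dc=com" % uid,
                {"employeetype": [etype], "departmentnumber": [dept]})
    return dict([person("user.1", "employee", "202"),
                 person("user.2", "employee", "202"),
                 person("user.3", "contractor", "202"),   # same department, not an employee
                 person("user.4", "employee", "303"),
                 ("cn=svc,ou=Services,dc=example,dc=com",  # matches filter, outside the base
                  {"employeetype": ["employee"], "departmentnumber": ["202"]})])


def write_employee_type(directory, bind_dn, target_dn, value):
    """Hypothetical simulation of the page's ACI: a write to employeeType under
    ACI_TARGET is allowed only if bind_dn is currently a dynamic-group member.
    Returns the membership after the write, showing how one member can add another."""
    members = {normalize_dn(d) for d in dynamic_members(MEMBER_URL, directory)}
    if not in_scope(target_dn, ACI_TARGET, "sub") or normalize_dn(bind_dn) not in members:
        raise PermissionError("insufficient access rights for %s" % bind_dn)
    directory[target_dn]["employeetype"] = [value]
    return dynamic_members(MEMBER_URL, directory)
```

Running dynamic_members on the sample directory yields user.1 and user.2: user.3 fails the employeeType clause, user.4 fails departmentNumber, and the service entry matches the filter but lies outside ou=People. A write attempted by user.3 is refused, but once user.1 sets employeeType=employee on user.3, the next evaluation includes user.3, which is the membership-widening effect the prose above warns about.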