Using dynamic groups for internal operations
Use dynamic groups for internal operations, such as access control instruction (ACI) or component evaluation.
The PingDirectory server performs the memberURL parsing and the internal LDAP search itself. However, that internal search operation runs without access control instructions applied to it.
For example, the following dynamic group represents an organization’s employees within the same department.
dn: cn=department 202,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: department 202
owner: uid=user.1,ou=people,dc=example,dc=com
owner: uid=user.2,ou=people,dc=example,dc=com
memberURL: ldap:///ou=People,dc=example,dc=com??sub?
 (&(employeeType=employee)(departmentNumber=202))
description: Group of employees in department 202
The above group could be referenced from within the ACI at the dc=example,dc=com entry, as in the following example.
dn: dc=example,dc=com
aci: (targetattr="employeeType") (version 3.0; acl "Grant write access to employeeType"; allow (all) groupdn="ldap:///cn=department 202,ou=groups,dc=example,dc=com";)
Any user matching the filter can bind to the server with their entry and modify the employeeType attribute within any entry under dc=example,dc=com.
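The following script is an added example and not PingDirectory code. It parses the memberURL and the ACI shown above, decides dynamic-group membership for a few constructed entries (the entries, and the user.3/user.4/svc.1 names, are assumptions made for the example), and then lists which of those entries the ACI lets write employeeType under dc=example,dc=com. It supports only the syntax the page uses: ldap:///base?attrs?scope?filter URLs and filters made of equality terms under &, | and !. Case-insensitive matching stands in for the schema's matching rules, and DN values with escaped commas are not handled.

```python
"""Offline check of what the dynamic-group ACI on this page actually grants (added example)."""
import re
from urllib.parse import unquote

# Constructed directory content (not from the page); attribute names are stored lowercase.
ENTRIES = {
    "uid=user.1,ou=People,dc=example,dc=com": {"employeetype": ["employee"], "departmentnumber": ["202"]},
    "uid=user.3,ou=People,dc=example,dc=com": {"employeetype": ["contractor"], "departmentnumber": ["202"]},
    "uid=user.4,ou=People,dc=example,dc=com": {"employeetype": ["employee"], "departmentnumber": ["303"]},
    # Matches the filter but sits outside the memberURL base, so it is not a member.
    "uid=svc.1,ou=Services,dc=example,dc=com": {"employeetype": ["employee"], "departmentnumber": ["202"]},
}
GROUPS = {  # group DN -> memberURL, taken from the page
    "cn=department 202,ou=groups,dc=example,dc=com":
        "ldap:///ou=People,dc=example,dc=com??sub?(&(employeeType=employee)(departmentNumber=202))",
}
ACI_DN = "dc=example,dc=com"  # entry holding the ACI, as on the page
ACI = ('(targetattr="employeeType") (version 3.0; acl "Grant write access to employeeType"; '
       'allow (all) groupdn="ldap:///cn=department 202,ou=groups,dc=example,dc=com";)')


def norm_dn(dn):
    """Lowercase and strip whitespace around RDNs so DNs can be compared as strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn, base, scope):
    """True when dn is reachable from base under the LDAP search scope base/one/sub."""
    dn, base = norm_dn(dn), norm_dn(base)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    rdns_below = dn[: -len(base) - 1].count(",") + 1
    return scope == "sub" or (scope == "one" and rdns_below == 1)


def parse_member_url(url):
    """Split an ldap:///base?attrs?scope?filter URL into (base, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("memberURL must start with ldap:///")
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?", 3) + [""] * 3)[:4]
    return unquote(base), (scope or "base").lower(), unquote(flt)


def parse_filter(text):
    """Parse '(&(a=b)(c=d))'-style filters into ('=',attr,val), (op,[nodes]) or ('!',node)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in ("&", "|"):
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            expect(")")
            return (op, kids)
        if op == "!":
            pos += 1
            kid = node()
            expect(")")
            return ("!", kid)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality terms are supported")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(attrs, node):
    """Evaluate a parsed filter against an entry's attribute map (case-insensitive)."""
    kind = node[0]
    if kind == "=":
        return node[2].lower() in (v.lower() for v in attrs.get(node[1], []))
    if kind == "&":
        return all(matches(attrs, k) for k in node[1])
    if kind == "|":
        return any(matches(attrs, k) for k in node[1])
    return not matches(attrs, node[1])


def is_member(member_url, dn, attrs):
    """Dynamic membership: the entry must lie in the URL's scope and match its filter."""
    base, scope, flt = parse_member_url(member_url)
    return in_scope(dn, base, scope) and matches(attrs, parse_filter(flt))


def parse_aci(aci):
    """Extract the three pieces this page's ACI uses: targetattr, allowed rights, groupdn."""
    attrs = re.search(r'targetattr\s*=\s*"([^"]*)"', aci, re.I).group(1)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci, re.I).group(1)
    group = re.search(r'groupdn\s*=\s*"ldap:///([^"]*)"', aci, re.I).group(1)
    return {"targetattr": {a.strip().lower() for a in attrs.split("||")},
            "rights": {r.strip().lower() for r in rights.split(",")},
            "groupdn": norm_dn(group)}


def aci_permits(aci_dn, aci, bind_dn, bind_attrs, target_dn, attr, right):
    """True when the ACI at aci_dn lets bind_dn exercise `right` on `attr` of target_dn.
    The ACI covers its own entry and everything beneath it; 'all' covers every right."""
    parsed = parse_aci(aci)
    if not in_scope(target_dn, aci_dn, "sub") or attr.lower() not in parsed["targetattr"]:
        return False
    if right.lower() not in parsed["rights"] and "all" not in parsed["rights"]:
        return False
    member_url = {norm_dn(k): v for k, v in GROUPS.items()}[parsed["groupdn"]]
    return is_member(member_url, bind_dn, bind_attrs)


def writers(target_dn, attr="employeeType", entries=None):
    """Sorted DNs of the entries the page's ACI allows to write `attr` on target_dn."""
    entries = ENTRIES if entries is None else entries
    return sorted(dn for dn, attrs in entries.items()
                  if aci_permits(ACI_DN, ACI, dn, attrs, target_dn, attr, "write"))


if __name__ == "__main__":
    print(writers("uid=user.3,ou=People,dc=example,dc=com"))
```

Running it lists only user.1, the one constructed entry that both lies under ou=People and satisfies the filter. Because the filter keys on employeeType, the same attribute the ACI makes writable, a member could change which other entries qualify; when reviewing an ACI of this shape, check for overlap between the memberURL filter attributes and targetattr.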