PingDirectory

Using dynamic groups for internal operations

Use dynamic groups for internal operations, such as Access control instruction (ACI) or component evaluation.

The PingDirectory server performs the memberurl parsing and internal LDAP search. However, the internal search operation cannot be performed with access control instructions applied to it.

For example, the following dynamic group represents an organization’s employees within the same department.

dn: cn=department 202,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: department 202
owner: uid=user.1,ou=people,dc=example,dc=com
owner: uid=user.2,ou=people,dc=example,dc=com
memberURL: ldap:///ou=People,dc=example,dc=com??sub?
  (&(employeeType=employee)(departmentNumber=202))
description: Group of employees in department 202

The above group could be referenced from within the ACI at the dc=example,dc=com entry, as in the following example.

dn:dc=example,dc=com
aci: (targetattr="employeeType")
  (version 3.0; acl "Grant write access to employeeType" ;
    allow (all) groupdn="ldap:///cn=department 202,ou=groups,dc=example,dc=com";)

Any user matching the filter can bind to the server with their entry and modify the employeeType attribute within any entry under dc=example,dc=com.