slapo−memberof — Reverse Group Membership overlay to slapd
ETCDIR/slapd.conf
The memberof
overlay to slapd(8) allows automatic
reverse group membership maintenance. Any time a group entry
is modified, its members are modified as appropriate in order
to keep a DN-valued "is member of" attribute updated with the
DN of the group.
The config directives that are specific to the memberof overlay must be
prefixed by memberof−, to avoid
potential conflicts with directives specific to the
underlying database or to other stacked overlays.
This directive adds the memberof overlay to the current database; see slapd.conf(5) for details.
The following slapd.conf
configuration options are defined for the memberof
overlay.
memberof−group−oc
group-ocThe value <group-oc> is the
name of the objectClass that triggers the reverse group
membership update. It defaults to groupOfNames.
memberof−member−ad
member-adThe value <member-ad> is
the name of the attribute that contains the names of
the members in the group objects; it must be DN-valued.
It defaults to member.
memberof−memberof−ad
memberof-adThe value <memberof-ad> is
the name of the attribute that contains the names of
the groups an entry is member of; it must be DN-valued.
Its contents are automatically updated by the overlay.
It defaults to memberOf.
memberof−dn dnThe value <dn> contains the
DN that is used as modifiersName for
internal modifications performed to update the reverse
group membership. It defaults to the rootdn of the
underlying database.
ignore, drop, error}This option determines the behavior of the overlay
when, during a modification, it encounters dangling
references. The default is ignore, which may leave
dangling references. Other options are drop, which discards
those modifications that would result in dangling
references, and error, which causes
modifications that would result in dangling references
to fail.
memberof−dangling−error
error-codeIf memberof−dangling
is set to error, this
configuration parameter can be used to modify the
response code returned in case of violation. It
defaults to "constraint violation", but other
implementations are known to return "no such object"
instead.
true|FALSE}This option determines whether the overlay will try
to preserve referential integrity or not. If set to
TRUE, when an entry
containing values of the "is member of" attribute is
modified, the corresponding groups are modified as
well.
The memberof overlay may be used with any backend that provides full read-write functionality, but it is mainly intended for use with local storage backends. The maintenance operations it performs are internal to the server on which the overlay is configured and are never replicated. Replica servers should be configured with their own instances of the memberOf overlay if it is desired to maintain these memberOf attributes on the replicas.
slapd.conf(5), slapd-config(5), slapd(8). The slapo-memberof(5) overlay
supports dynamic configuration via back-config.