# dyngroup.schema -- Dynamic Group schema
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
# Dynamic Group schema (experimental), as defined by Netscape. See
# http://www.redhat.com/docs/manuals/ent-server/pdf/esadmin611.pdf
# page 70 for details on how these groups were used.
#
# A description of the objectclass definition is available here:
# http://www.redhat.com/docs/manuals/dir-server/schema/7.1/oc_dir.html#1303745
#
# depends upon:
#	core.schema
#
# These definitions are considered experimental due to the lack of
# a formal specification (e.g., RFC).
#
# NOT RECOMMENDED FOR PRODUCTION USE! USE WITH CAUTION!
#
# The Netscape documentation describes this as an auxiliary objectclass
# but their implementations have always defined it as a structural class.
# The sloppiness here is because Netscape-derived servers don't actually
# implement the X.500 data model, and they don't honor the distinction
# between structural and auxiliary classes. This fact is noted here:
# http://forum.java.sun.com/thread.jspa?threadID=5016864&messageID=9034636
#
# In accordance with other existing implementations, we define it as a
# structural class.
#
# Our definition of memberURL also does not match theirs but again
# their published definition and what works in practice do not agree.
# In other words, the Netscape definitions are broken and interoperability
# is not guaranteed.
#
# Also see the new DynGroup proposed spec at
# http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02

# OID macros. NetscapeRoot is the Netscape private enterprise arc that the
# original groupOfURLs/memberURL definitions live under; the remaining
# attributes and the auxiliary class are assigned under an OpenLDAP
# experimental arc (OpenLDAPExp11), matching the "experimental" status
# stated above.
objectIdentifier NetscapeRoot 2.16.840.1.113730

objectIdentifier NetscapeLDAP NetscapeRoot:3
objectIdentifier NetscapeLDAPattributeType NetscapeLDAP:1
objectIdentifier NetscapeLDAPobjectClass NetscapeLDAP:2

objectIdentifier OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
objectIdentifier DynGroupBase OpenLDAPExp11:8
objectIdentifier DynGroupAttr DynGroupBase:1
objectIdentifier DynGroupOC DynGroupBase:2

# memberURL: the LDAP URL from which a dynamic group's membership is derived
# (see the Netscape references above for how the search is evaluated).
# SUP labeledURI, so a value may carry a label after the URL. Because the
# URL's base/scope/filter decide who the group resolves to, write access to
# this attribute is equivalent to write access to a static member list and
# should be restricted by ACL accordingly.
attributetype ( NetscapeLDAPattributeType:198
	NAME 'memberURL'
	DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.'
	SUP labeledURI )

# dgIdentity: DN under whose identity the memberURL search is evaluated when
# the group is expanded (presumably by an overlay such as dynlist — confirm
# against the deployed configuration). Single-valued. Since expansion then
# runs with that identity's access rights, anyone who can set dgIdentity
# can have searches performed as that identity; protect it like a
# credential-bearing attribute.
attributetype ( DynGroupAttr:1
	NAME 'dgIdentity'
	DESC 'Identity to use when processing the memberURL'
	SUP distinguishedName SINGLE-VALUE )

# dgAuthz: optional authz rules restricting who may assume dgIdentity.
# Uses the authz-id syntax (1.3.6.1.4.1.4203.666.2.7) and authzMatch, the
# same family as authzTo/authzFrom. X-ORDERED 'VALUES' keeps the values in
# the order written ({n} prefixes), so rule order is significant.
attributeType ( DynGroupAttr:2
	NAME 'dgAuthz'
	DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
	EQUALITY authzMatch
	SYNTAX 1.3.6.1.4.1.4203.666.2.7
	X-ORDERED 'VALUES' )

# Just for testing. The actual memberOf is an operational attribute
# maintained by the server. dgMemberOf is an ordinary user attribute
# (no NO-USER-MODIFICATION), so an entry could assert its own group
# membership — never base authorization decisions on it. The SYNTAX OID is
# quoted here, unlike the other definitions; left as-is.
attributeType ( DynGroupAttr:3
	NAME 'dgMemberOf'
	DESC 'Group that the entry belongs to'
	SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
	EQUALITY distinguishedNameMatch )

# groupOfURLs: the dynamic group entry. Defined STRUCTURAL (see the
# discussion above) with cn required and memberURL optional, so a
# groupOfURLs entry without memberURL is valid and simply resolves to
# no dynamic members.
objectClass ( NetscapeLDAPobjectClass:33
	NAME 'groupOfURLs'
	SUP top STRUCTURAL
	MUST cn
	MAY ( memberURL $ businessCategory $ description $ o $ ou $
		owner $ seeAlso ) )

# The Haripriya dyngroup schema still needs a lot of work.
# We're just adding support for the dgIdentity attribute for now...
# dgIdentityAux: auxiliary class that can be added to a group entry to
# carry dgIdentity and dgAuthz.
objectClass ( DynGroupOC:1
	NAME 'dgIdentityAux'
	SUP top AUXILIARY
	MAY ( dgIdentity $ dgAuthz ) )
