4.9. Auto Membership Plug-in Attributes
Automembership essentially allows a static group to act like a dynamic group. Different automembership definitions create searches that are automatically run on all new directory entries. The automembership rules search for and identify matching entries — much like the dynamic search filters — and then explicitly add those entries as members to the specified static group.
The Auto Membership Plug-in itself is a container entry. Each automember definition is a child of the Auto Membership Plug-in. The automember definition defines the LDAP search base and filter to identify entries and a default group to add them to.
```
dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Hostgroups
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ipHost
autoMemberDefaultGroup: cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
```
Each automember definition can have its own child entry that defines additional conditions for assigning the entry to a group. Regular expressions can be used to include or exclude entries and assign them to specific groups based on those conditions.
```
dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group for webservers
cn: webservers
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com
```
If the entry matches the main definition and not any of the regular expression conditions, then it uses the group in the main definition. If it matches a regular expression condition, then it is added to the regular expression condition group.
4.9.1. autoMemberDefaultGroup
This attribute sets a default or fallback group to add the entry to as a member. If only the definition entry is used, then this is the group to which all matching entries are added. If regular expression conditions are used, then this group is used as a fallback if an entry that matches the LDAP search filter does not match any of the regular expressions.
Parameter | Description |
---|---|
Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
Valid Range | Any existing Directory Server group |
Default Value | None |
Single- or Multi-Valued | Single |
Syntax | DirectoryString |
Example | autoMemberDefaultGroup: cn=hostgroups,ou=groups,dc=example,dc=com |
4.9.2. autoMemberDefinition (Object Class)
This object class identifies the entry as an automember definition. This entry must be a child of the Auto Membership Plug-in, cn=Auto Membership Plugin,cn=plugins,cn=config.
Allowed Attributes
- autoMemberScope
- autoMemberFilter
- autoMemberDefaultGroup
- autoMemberGroupingAttr
4.9.3. autoMemberExclusiveRegex
This attribute sets a single regular expression to use to identify entries to exclude. If an entry matches the exclusion condition, then it is not included in the group. Multiple regular expressions can be used, and if an entry matches any one of those expressions, it is excluded from the group.
The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.
Note
Exclude conditions are evaluated first and take precedence over include conditions.
Parameter | Description |
---|---|
Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
Valid Range | Any regular expression |
Default Value | None |
Single- or Multi-Valued | Multi-valued |
Syntax | DirectoryString |
Example | autoMemberExclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com |
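
The evaluation order described in the overview (definition match, then regular expression rules, then the default group) and in the note above (exclude before include) can be modeled as follows. This is an added example, not Directory Server code: the filter is reduced to a single objectclass test, Python's `re` stands in for PCRE, and the exclusive pattern and host names are constructed for illustration.

```python
import re

# Constructed model of the definition and regex rule shown on this page.
DEFINITION = {
    "scope": "dc=example,dc=com",
    "objectclass": "iphost",                 # autoMemberFilter: objectclass=ipHost
    "default_group": "cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com",
    "grouping_attr": "member:dn",
    "rules": [{
        "target_group": "cn=webservers,cn=hostgroups,dc=example,dc=com",
        "inclusive": [r"fqdn=^www\.web[0-9]+\.example\.com"],
        "exclusive": [r"fqdn=^www\.web0+\.example\.com"],  # hypothetical exclusion
    }],
}

def _matches(entry, conditions):
    """True if any 'attr=regex' condition matches a value of that attribute."""
    for cond in conditions:
        attr, pattern = cond.split("=", 1)
        if any(re.search(pattern, v) for v in entry.get(attr.lower(), [])):
            return True
    return False

def resolve_memberships(entry, definition=DEFINITION):
    """Return the (group_dn, member_attr, value) tuples the definition would add."""
    dn, scope = entry["dn"].lower(), definition["scope"].lower()
    in_scope = dn == scope or dn.endswith("," + scope)
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if not in_scope or definition["objectclass"] not in classes:
        return []                            # entry does not match the definition
    member_attr, source_attr = definition["grouping_attr"].split(":", 1)
    value = entry["dn"] if source_attr == "dn" else entry[source_attr][0]
    targets = [
        r["target_group"] for r in definition["rules"]
        if not _matches(entry, r["exclusive"])   # exclude is evaluated first
        and _matches(entry, r["inclusive"])
    ]
    groups = targets or [definition["default_group"]]  # fall back to the default
    return [(g, member_attr, value) for g in groups]

def host(fqdn):
    """Build a constructed ipHost entry for trying the model."""
    return {"dn": f"fqdn={fqdn},ou=hosts,dc=example,dc=com",
            "objectclass": ["ipHost"], "fqdn": [fqdn]}
```

Because the inclusive pattern has no trailing `$`, a value such as `www.web1.example.com.lab.test` also resolves to the webservers group in this model; anchor the end of the expression when only exact host names should qualify for a group.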
4.9.4. autoMemberFilter
This attribute sets a standard LDAP search filter to use to search for matching entries.
Parameter | Description |
---|---|
Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
Valid Range | Any valid LDAP search filter |
Default Value | None |
Single- or Multi-Valued | Single |
Syntax | DirectoryString |
Example | autoMemberFilter: objectclass=ntUser |
4.9.5. autoMemberGroupingAttr
This attribute gives the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr.
This structures how the Automembership Plug-in adds a member to the group, depending on the group configuration. For example, for a groupOfUniqueNames user group, each member is added as a uniqueMember attribute. The value of uniqueMember is the DN of the user entry. In essence, each group member is identified by the attribute-value pair of uniqueMember: user_entry_DN. The member entry format, then, is uniqueMember:dn.
Parameter | Description |
---|---|
Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
Valid Range | Any Directory Server attribute |
Default Value | None |
Single- or Multi-Valued | Single |
Syntax | DirectoryString |
Example | autoMemberGroupingAttr: member:dn |
4.9.6. autoMemberInclusiveRegex
This attribute sets a single regular expression to use to identify entries to include. Multiple regular expressions could be used, and if an entry matches any one of those expressions, it is included in the group (assuming it does not match an exclude expression).
The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.
Parameter | Description |
---|---|
Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
Valid Range | Any regular expression |
Default Value | None |
Single- or Multi-Valued | Multi-valued |
Syntax | DirectoryString |
Example | autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com |
4.9.7. autoMemberProcessModifyOps
By default, the Directory Server invokes the Automembership plug-in for add and modify operations. With this setting, the plug-in changes groups when you add a group entry to a user or modify a group entry of a user. If you set autoMemberProcessModifyOps to off, Directory Server only invokes the Automembership plug-in when you add a group entry to a user. In this case, if an administrator changes a user entry, and that entry impacts which Automembership groups the user belongs to, the plug-in does not remove the user from the old group and only adds the new group. To update the old group, you must then manually run a fix-up task.
Parameter | Description |
---|---|
Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
Valid Value | on or off |
Default Value | on |
Single- or Multi-Valued | Single |
Syntax | DirectoryString |
Example | autoMemberProcessModifyOps: on |
4.9.8. autoMemberRegexRule (Object Class)
This object class identifies the entry as a regular expression rule. This entry must be a child of an automember definition (objectclass: autoMemberDefinition).
Allowed Attributes
- autoMemberInclusiveRegex
- autoMemberExclusiveRegex
- autoMemberTargetGroup
4.9.9. autoMemberScope
This attribute sets the subtree DN to search for entries. This is the search base.
Parameter | Description |
---|---|
Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
Valid Range | Any Directory Server subtree |
Default Value | None |
Single- or Multi-Valued | Single |
Syntax | DirectoryString |
Example | autoMemberScope: dc=example,dc=com |
4.9.10. autoMemberTargetGroup
This attribute sets which group to add the entry to as a member, if it meets the regular expression conditions.
Parameter | Description |
---|---|
Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
Valid Range | Any Directory Server group |
Default Value | None |
Single- or Multi-Valued | Single |
Syntax | DirectoryString |
Example | autoMemberTargetGroup: cn=webservers,cn=hostgroups,ou=groups,dc=example,dc=com |