<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
! CDDL HEADER START
|
!
|
! The contents of this file are subject to the terms of the
|
! Common Development and Distribution License, Version 1.0 only
|
! (the "License"). You may not use this file except in compliance
|
! with the License.
|
!
|
! You can obtain a copy of the license at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
|
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! When distributing Covered Code, include this CDDL HEADER in each
|
! file and include the License file at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
|
! add the following below this CDDL HEADER, with the fields enclosed
|
! by brackets "[]" replaced with your own identifying information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CDDL HEADER END
|
!
|
!
|
! Copyright 2007-2008 Sun Microsystems, Inc.
|
! -->
|
<adm:managed-object name="member-virtual-attribute"
|
plural-name="user-defined-virtual-attributes"
|
package="org.opends.server.admin.std" extends="virtual-attribute"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
The
|
<adm:user-friendly-name />
|
generates a member or uniqueMember attribute whose values are
|
the DNs of the members of a specified virtual static group.
|
</adm:synopsis>
|
<adm:description>
|
This component is used to implement virtual static group
|
functionality, in which it is possible to create an entry
|
that looks like a static group but obtains all of its
|
membership from a dynamic group (or some other type of
|
group, including another static group).
|
This implementation is most efficient when attempting to
|
determine whether a given user is a member of a group
|
(for example, with a filter like
|
"(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com)")
|
when the search does not actually return the membership
|
attribute. Although it works to generate the entire set of
|
values for the member or uniqueMember attribute, this can be
|
an expensive operation for a large group.
|
</adm:description>
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:name>ds-cfg-member-virtual-attribute</ldap:name>
|
<ldap:superior>ds-cfg-virtual-attribute</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
<adm:property-override name="java-class" advanced="true">
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
org.opends.server.extensions.MemberVirtualAttributeProvider
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
</adm:property-override>
|
<adm:property-override name="conflict-behavior">
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>virtual-overrides-real</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
</adm:property-override>
|
<adm:property name="allow-retrieving-membership" mandatory="true">
|
<adm:synopsis>
|
Indicates whether to handle requests that request all values for
|
the virtual attribute.
|
</adm:synopsis>
|
<adm:description>
|
This operation can be very expensive in some cases and is not
|
consistent with the primary function of virtual static groups, which
|
is to make it possible to use static group idioms to determine
|
whether a given user is a member.
|
If this attribute is set to false, attempts to retrieve the entire
|
set of values receive an empty set, and only attempts to determine
|
whether the attribute has a specific value or set of values
|
(which is the primary anticipated use for virtual static groups)
|
are handled properly.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-retrieving-membership</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
</adm:managed-object>
|
