<?xml version="1.0" encoding="UTF-8"?>
<!--
! CDDL HEADER START
!
! The contents of this file are subject to the terms of the
! Common Development and Distribution License, Version 1.0 only
! (the "License"). You may not use this file except in compliance
! with the License.
!
! You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
! See the License for the specific language governing permissions
! and limitations under the License.
!
! When distributing Covered Code, include this CDDL HEADER in each
! file and include the License file at legal-notices/CDDLv1_0.txt.
! If applicable, add the following below this CDDL HEADER, with the
! fields enclosed by brackets "[]" replaced with your own identifying
! information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CDDL HEADER END
!
!
! Copyright 2007-2008 Sun Microsystems, Inc.
! -->
<adm:managed-object name="member-virtual-attribute"
plural-name="user-defined-virtual-attributes"
package="org.opends.server.admin.std" extends="virtual-attribute"
xmlns:adm="http://www.opends.org/admin"
xmlns:ldap="http://www.opends.org/admin-ldap">
<adm:synopsis>
The
<adm:user-friendly-name />
generates a member or uniqueMember attribute whose values are
the DNs of the members of a specified virtual static group.
</adm:synopsis>
<adm:description>
This component is used to implement virtual static group
functionality, in which it is possible to create an entry
that looks like a static group but obtains all of its
membership from a dynamic group (or some other type of
group, including another static group).
This implementation is most efficient when attempting to
determine whether a given user is a member of a group
(for example, with a filter like
"(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com)")
when the search does not actually return the membership
attribute. Although it works to generate the entire set of
values for the member or uniqueMember attribute, this can be
an expensive operation for a large group.
</adm:description>
<adm:profile name="ldap">
<ldap:object-class>
<ldap:name>ds-cfg-member-virtual-attribute</ldap:name>
<ldap:superior>ds-cfg-virtual-attribute</ldap:superior>
</ldap:object-class>
</adm:profile>
<adm:property-override name="java-class" advanced="true">
<adm:default-behavior>
<adm:defined>
<adm:value>
</adm:value>
</adm:defined>
</adm:default-behavior>
</adm:property-override>
<adm:property-override name="conflict-behavior">
<adm:default-behavior>
<adm:defined>
<adm:value>virtual-overrides-real</adm:value>
</adm:defined>
</adm:default-behavior>
</adm:property-override>
<adm:property name="allow-retrieving-membership" mandatory="true">
<adm:synopsis>
Indicates whether to handle requests that request all values for
the virtual attribute.
</adm:synopsis>
<adm:description>
This operation can be very expensive in some cases and is not
consistent with the primary function of virtual static groups, which
is to make it possible to use static group idioms to determine
whether a given user is a member.
If this attribute is set to false, attempts to retrieve the entire
set of values receive an empty set, and only attempts to determine
whether the attribute has a specific value or set of values
(which is the primary anticipated use for virtual static groups)
are handled properly.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>false</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-allow-retrieving-membership</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
</adm:managed-object>