Configuration Reference Home
OpenDJ Server - Member Virtual Attribute

Member Virtual Attribute

The Member Virtual Attribute generates a member or uniqueMember attribute whose values are the DNs of the members of a specified virtual static group.

This component is used to implement virtual static group functionality, in which it is possible to create an entry that looks like a static group but obtains all of its membership from a dynamic group (or some other type of group, including another static group). This implementation is most efficient when attempting to determine whether a given user is a member of a group (for example, with a filter like "(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com)") when the search does not actually return the membership attribute. Although it works to generate the entire set of values for the member or uniqueMember attribute, this can be an expensive operation for a large group.

Parent Component

The Member Virtual Attribute component inherits from the Virtual Attribute

Properties

A description of each property follows.


Basic Properties: Advanced Properties:
↓ allow-retrieving-membership ↓ java-class
↓ attribute-type
↓ base-dn
↓ conflict-behavior
↓ enabled
↓ filter
↓ group-dn
↓ scope

Basic Properties

allow-retrieving-membership

Description
Indicates whether to handle requests that request all values for the virtual attribute.This operation can be very expensive in some cases and is not consistent with the primary function of virtual static groups, which is to make it possible to use static group idioms to determine whether a given user is a member. If this attribute is set to false, attempts to retrieve the entire set of values receive an empty set, and only attempts to determine whether the attribute has a specific value or set of values (which is the primary anticipated use for virtual static groups) are handled properly.
Default Value
false
Allowed Values
true
false
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
No
Read-only
No

attribute-type

Description
Specifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
Default Value
None
Allowed Values
The name of an attribute type defined in the server schema.
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
No
Read-only
No

base-dn

Description
Specifies the base DNs for the branches containing entries that are eligible to use this virtual attribute.If no values are given, then the server generates virtual attributes anywhere in the server.
Default Value
The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.
Allowed Values
A valid DN.
Multi-valued
Yes
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

conflict-behavior

Description
Specifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
Default Value
virtual-overrides-real
Allowed Values
merge-real-and-virtual - Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.

real-overrides-virtual - Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.

virtual-overrides-real - Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.


Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

enabled

Description
Indicates whether the Virtual Attribute is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
No
Read-only
No

filter

Description
Specifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries.If no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
Default Value
(objectClass=*)
Allowed Values
Any valid search filter string.
Multi-valued
Yes
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

group-dn

Description
Specifies the DNs of the groups whose members can be eligible to use this virtual attribute.If no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
Default Value
Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.
Allowed Values
A valid DN.
Multi-valued
Yes
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

scope

Description
Specifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
Default Value
whole-subtree
Allowed Values
base-object - Search the base object only.

single-level - Search the immediate children of the base object but do not include any of their descendants or the base object itself.

subordinate-subtree - Search the entire subtree below the base object but do not include the base object itself.

whole-subtree - Search the base object and the entire subtree below the base object.


Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No


Advanced Properties

java-class

Description
Specifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
Default Value
org.opends.server.extensions.MemberVirtualAttributeProvider
Allowed Values
A java class that implements or extends the class(es) :
org.opends.server.api.VirtualAttributeProvider
Multi-valued
No
Required
Yes
Admin Action Required
The Member Virtual Attribute must be disabled and re-enabled for changes to this setting to take effect
Advanced Property
Yes
Read-only
No