A dynamic group defines its members differently than a static group. Instead of listing them individually, the dynamic group defines its members using an LDAP search.
ldap:///<base DN of search> ? ? <scope of search> ? <searchfilter>
- base DN of search
  - Is the point from where the search begins in the directory. It can be the suffix or root of the directory such as ou=Austin. This parameter is required.
- scope of search
  - Specifies the extent of the search. The default scope is sub.
    - base: Returns information only about the base DN specified in the URL.
    - one: Returns information about entries one level below the base DN specified in the URL. It does not include the base entry.
    - sub: Returns information about entries at all levels below and includes the base DN.
- searchfilter
  - Is the filter that you apply to the entries within the scope of search. See the idsldapsearch command information in the Command Reference for more information about the syntax of the searchfilter. The default is objectclass=*
The search for dynamic members is always internal to the server, so unlike a full LDAP URL, a host name and port number are never specified, and the protocol is always ldap (never ldaps). The memberURL attribute may contain any kind of URL, but the server only uses memberURLs beginning with ldap:/// to determine dynamic membership.
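When reviewing who a dynamic group can pull in, it helps to expand each memberURL into its effective base DN, scope and filter with the defaults applied. The following is an added example, not code from the product or its documentation. It assumes percent-encoded characters are decoded as in standard LDAP URLs, and the "broad" label and the o=sample values are constructed for illustration.

```python
from urllib.parse import unquote

PREFIX = "ldap:///"              # only this form is used for dynamic membership
SCOPES = ("base", "one", "sub")

def parse_member_url(value):
    """Return (base_dn, scope, searchfilter) with defaults applied, or None
    when the value does not begin with ldap:/// and so is not used."""
    value = value.strip()
    if not value.startswith(PREFIX):
        return None
    # Fields: base DN ? attributes (left empty) ? scope ? searchfilter
    fields = [unquote(f).strip() for f in value[len(PREFIX):].split("?", 3)]
    fields += [""] * (4 - len(fields))
    base_dn, _attrs, scope, searchfilter = fields
    if not base_dn:
        raise ValueError("base DN of search is required")
    scope = scope or "sub"                         # documented default scope
    if scope not in SCOPES:
        raise ValueError("unknown scope: " + scope)
    return base_dn, scope, searchfilter or "objectclass=*"  # documented default

def audit(values):
    """Classify each memberURL as 'ignored', 'invalid', 'broad' or 'ok'.
    'broad' is this example's own label: scope one/sub together with the
    objectclass=* filter, so every entry under the base DN is a member."""
    report = []
    for value in values:
        try:
            parsed = parse_member_url(value)
        except ValueError:
            report.append((value, "invalid"))
            continue
        if parsed is None:
            report.append((value, "ignored"))
            continue
        _base, scope, flt = parsed
        catch_all = flt.strip("()").replace(" ", "").lower() == "objectclass=*"
        report.append((value, "broad" if catch_all and scope != "base" else "ok"))
    return report

# Constructed sample values for illustration
SAMPLES = [
    "ldap:///ou=Austin,o=sample??sub?(title=Manager)",
    "ldap:///o=sample",
    "ldaps:///o=sample??sub?(cn=*)",
    "ldap://host.example:389/o=sample??one?(cn=*)",
    "ldap:///??sub?(cn=*)",
]
```

Running `audit(SAMPLES)` shows which definitions take no part in membership and which ones match every entry under their base DN because the scope and filter were left at their defaults.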