Dynamic groups

A dynamic group defines its members differently than a static group. Instead of listing them individually, the dynamic group defines its members using an LDAP search.

The dynamic group uses the structural objectclass groupOfURLs (or auxiliary objectclass ibm-dynamicGroup) and the memberURL attribute to define the search using a simplified LDAP URL syntax:
 ldap:///<base DN of search> ? ? <scope of search> ? <searchfilter>
Note: As the example illustrates, the syntax must not contain the host name. The remaining parameters are just like normal LDAP URL syntax. Each parameter field must be separated by a ?, even if no parameter is specified. Normally, a list of attributes to return would be included between the base DN and scope of the search. As this parameter is not used by the server when determining dynamic membership, it may be excluded. The separator ? is required.
where:
base DN of search
    Is the point from where the search begins in the directory. It can be the suffix or root of the directory such as ou=Austin. This parameter is required.
scope of search
    Specifies the extent of the search. The default scope is sub.
    base
        Returns information only about the base DN specified in the URL
    one
        Returns information about entries one level below the base DN specified in the URL. It does not include the base entry.
    sub
        Returns information about entries at all levels below and includes the base DN.
searchfilter
    Is the filter that you apply to the entries within the scope of search. See the idsldapsearch command information in the Command Reference for more information about the syntax of the searchfilter. The default is objectclass=*

The search for dynamic members is always internal to the server, so unlike a full LDAP URL, a host name and port number are never specified, and the protocol is always ldap (never ldaps). The memberURL attribute may contain any kind of URL, but the server only uses memberURLs beginning with ldap:/// to determine dynamic membership.
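
An added example, not part of the original documentation or the product's code: a small Python parser that applies the rules above to memberURL values, so a review of group definitions can tell which values define membership, which fall back to the defaults, and which reduce to the catch-all search (scope sub with filter objectclass=*). The function names, the exact match on the ldap:/// prefix, the tolerance for missing trailing ? separators and the sample URLs are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

PREFIX = "ldap:///"
SCOPES = ("base", "one", "sub")


class MemberSearch(NamedTuple):
    base_dn: str
    scope: str
    search_filter: str
    defaulted: tuple  # fields that fell back to the documented default


def parse_member_url(url: str) -> Optional[MemberSearch]:
    """Return the search a memberURL defines, or None if the server ignores it."""
    url = url.strip()
    # Only values beginning with ldap:/// (no host, no port, never ldaps) count.
    # Assumption: the prefix is compared exactly as the page writes it.
    if not url.startswith(PREFIX):
        return None
    # base DN ? attributes ? scope ? filter; maxsplit keeps a '?' in the filter.
    fields = [f.strip() for f in url[len(PREFIX):].split("?", 3)]
    base_dn, _attrs, scope, search_filter = fields + [""] * (4 - len(fields))
    if not base_dn:
        raise ValueError("base DN of search is required")
    defaulted = []
    if not scope:
        scope = "sub"
        defaulted.append("scope")
    elif scope.lower() not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    if not search_filter:
        search_filter = "objectclass=*"
        defaulted.append("searchfilter")
    return MemberSearch(base_dn, scope.lower(), search_filter, tuple(defaulted))


def is_catch_all(search: MemberSearch) -> bool:
    """True when every entry at and below the base DN is a member."""
    bare = search.search_filter.strip("() ").replace(" ", "").lower()
    return search.scope == "sub" and bare == "objectclass=*"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for value in ("ldap:///ou=Austin,o=sample??sub?(title=manager)",
                  "ldap:///ou=Austin,o=sample???",
                  "ldap://host.example:389/ou=Austin??sub?(cn=*)"):
        s = parse_member_url(value)
        print(value, "->", s, "catch-all" if s and is_catch_all(s) else "")
```

A value that parses with both fields defaulted makes every entry under the base DN a member, which matters when the group is used to grant access.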