Memberships are used to assign a role within a group. They are entries that are placed under the group entry of their scope group. Users in this role are defined as attributes of the membership entry.
For example, to designate Tom as manager of the group human-resources:
ou=human-resources,ou=groups,ou=portal,dc=exoplatform,dc=org
…
cn=manager,ou=human-resources,ou=groups,ou=portal,dc=exoplatform,dc=org
member: uid=tom,ou=users,ou=portal,dc=exoplatform,dc=org
…
The parameters to configure memberships are:
<field name="membershipLDAPClasses"><string>top,groupOfNames</string></field>
<field name="membershipTypeMemberValue"><string>member</string></field>
<field name="membershipTypeRoleNameAttr"><string>cn</string></field>
<field name="membershipTypeObjectClassFilter"><string>objectClass=organizationalRole</string></field>
membershipLDAPClasses: The comma-separated list of classes used to create memberships.
When creating a new membership, an entry will be created with the given objectClass attributes. The classes must at least define the attribute designated by membershipTypeMemberValue.
For example, adding membership validator would produce:
cn=validator,ou=human-resources,ou=groups,ou=portal,dc=exoplatform,dc=org
objectclass: top
objectClass: groupOfNames
…
membershipTypeMemberValue: The multivalued attribute used in memberships to reference users that have the role in the group.
Values should be user DNs. For example, James and Root, who have the admin role within the human-resources group, would give:
cn=admin,ou=human-resources,ou=groups,ou=portal,dc=exoplatform,dc=org
member: cn=james,ou=users,ou=portal,dc=exoplatform,dc=org
member: cn=root,ou=users,ou=portal,dc=exoplatform,dc=org
…
membershipTypeRoleNameAttr: Attribute of the membership entry whose value refers to the membership type.
For example, in the following membership entry: cn=manager,ou=human-resources,ou=groups,ou=portal,dc=exoplatform,dc=org, the 'cn' attribute is used to designate the 'manager' membership type. In other words, the name of the role is given by the 'cn' attribute.
membershipTypeObjectClassFilter: Filter used to distinguish membership entries under groups.
You can use rather complex filters. For example, here is a filter used for a customer that needs to trigger a dynlist overlay on OpenLDAP.
(&(objectClass=ExoMembership)(membershipURL=*))
You need to pay attention to the XML escaping of the '&' (and) operator: inside the XML configuration file it must be written as &amp;.
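The following check is an added example, not part of the original documentation or of the product's code. It shows that the dynlist filter is rejected by an XML parser when the '&' is left unescaped, that the escaped form reads back as the intended filter, and how membershipTypeRoleNameAttr and membershipTypeMemberValue map a membership entry to a role and its users. The <fields> wrapper element, the function names and the entry layout (DN on the first line) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Filter from the page, exactly as the LDAP server must receive it.
LDAP_FILTER = "(&(objectClass=ExoMembership)(membershipURL=*))"

def field_xml(name, value, escaped=True):
    """Render one <field> element; escaped=False reproduces the mistake."""
    body = escape(value) if escaped else value
    return f'<field name="{name}"><string>{body}</string></field>'

def read_fields(fragment):
    """Parse <field> elements into a dict; raises ET.ParseError on bad XML."""
    # The <fields> wrapper is an assumption so the fragment has a single root.
    root = ET.fromstring(f"<fields>{fragment}</fields>")
    return {f.get("name"): f.findtext("string") for f in root.iter("field")}

def resolve_membership(entry, cfg):
    """Return (role, group DN, member DNs) for one membership entry.

    Assumes the first line is the entry DN and that its first RDN contains
    no escaped commas, as in the page's examples.
    """
    lines = [l.strip() for l in entry.strip().splitlines()]
    rdn, group_dn = lines[0].split(",", 1)
    attr, role = rdn.split("=", 1)
    if attr.lower() != cfg["membershipTypeRoleNameAttr"].lower():
        raise ValueError(f"RDN attribute {attr!r} is not the role name attribute")
    member_attr = cfg["membershipTypeMemberValue"].lower()
    members = [v.strip() for k, _, v in (l.partition(":") for l in lines[1:])
               if k.strip().lower() == member_attr]
    return role, group_dn, members

# Constructed configuration: the page's field values with the dynlist filter.
CONFIG = read_fields(
    field_xml("membershipTypeMemberValue", "member")
    + field_xml("membershipTypeRoleNameAttr", "cn")
    + field_xml("membershipTypeObjectClassFilter", LDAP_FILTER))

# Constructed entry, taken from the page's admin example.
ADMIN_ENTRY = """
cn=admin,ou=human-resources,ou=groups,ou=portal,dc=exoplatform,dc=org
member: cn=james,ou=users,ou=portal,dc=exoplatform,dc=org
member: cn=root,ou=users,ou=portal,dc=exoplatform,dc=org
"""

if __name__ == "__main__":
    print(field_xml("membershipTypeObjectClassFilter", LDAP_FILTER))
    print(resolve_membership(ADMIN_ENTRY, CONFIG))
```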