Diffstat (limited to 'apps/user_ldap')
-rw-r--r--apps/user_ldap/group_ldap.php81
-rw-r--r--apps/user_ldap/js/wizard/wizardTabAdvanced.js13
-rw-r--r--apps/user_ldap/l10n/he.js11
-rw-r--r--apps/user_ldap/l10n/he.json11
-rw-r--r--apps/user_ldap/l10n/it.js2
-rw-r--r--apps/user_ldap/l10n/it.json2
-rw-r--r--apps/user_ldap/l10n/pt_BR.js2
-rw-r--r--apps/user_ldap/l10n/pt_BR.json2
-rw-r--r--apps/user_ldap/l10n/pt_PT.js2
-rw-r--r--apps/user_ldap/l10n/pt_PT.json2
-rw-r--r--apps/user_ldap/l10n/sq.js4
-rw-r--r--apps/user_ldap/l10n/sq.json4
-rw-r--r--apps/user_ldap/lib/configuration.php6
-rw-r--r--apps/user_ldap/templates/settings.php1
-rw-r--r--apps/user_ldap/tests/group_ldap.php13
15 files changed, 149 insertions, 7 deletions
diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php
index 76152e1780a..05ab9ddfaae 100644
--- a/apps/user_ldap/group_ldap.php
+++ b/apps/user_ldap/group_ldap.php
@@ -12,6 +12,7 @@
* @author Robin McCorkell <robin@mccorkell.me.uk>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Vincent Petry <pvince81@owncloud.com>
+ * @author Richard Bentley <rbentley@e2advance.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
@@ -148,6 +149,46 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
/**
* @param string $dnGroup
+ * @return array
+ *
+ * For a group that has user membership defined by an LDAP search url attribute returns the users
+ * that match the search url otherwise returns an empty array.
+ */
+ public function getDynamicGroupMembers($dnGroup) {
+ $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
+
+ if (empty($dynamicGroupMemberURL)) {
+ return array();
+ }
+
+ $dynamicMembers = array();
+ $memberURLs = $this->access->readAttribute(
+ $dnGroup,
+ $dynamicGroupMemberURL,
+ $this->access->connection->ldapGroupFilter
+ );
+ if ($memberURLs !== false) {
+ // this group has the 'memberURL' attribute so this is a dynamic group
+ // example 1: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(o=HeadOffice)
+ // example 2: ldap:///cn=users,cn=accounts,dc=dcsubbase,dc=dcbase??one?(&(o=HeadOffice)(uidNumber>=500))
+ $pos = strpos($memberURLs[0], '(');
+ if ($pos !== false) {
+ $memberUrlFilter = substr($memberURLs[0], $pos);
+ $foundMembers = $this->access->searchUsers($memberUrlFilter,'dn');
+ $dynamicMembers = array();
+ foreach($foundMembers as $value) {
+ $dynamicMembers[$value['dn'][0]] = 1;
+ }
+ } else {
+ \OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
+ 'of group ' . $dnGroup, \OCP\Util::DEBUG);
+ }
+ }
+ return $dynamicMembers;
+ }
+
+ /**
+ * @param string $dnGroup
* @param array|null &$seen
* @return array|mixed|null
*/
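Review bot: In `getDynamicGroupMembers` only the filter part of the member URL is honoured: everything before the first `(`, including the base DN and the `one` scope shown in both example URLs, is thrown away before the filter is passed to `searchUsers()`. The base and scope that `searchUsers()` applies are not visible in this hunk, but if they come from the configured user base, a group defined as one level below `cn=users,cn=accounts,…` can pick up matching entries from anywhere under that base, so membership (and anything shared with the group) is granted more widely than the directory defines. Either parse the URL into base, scope and filter and apply all three, or state the limitation in the docblock and in the settings tooltip. Only `$memberURLs[0]` is read, so further values of a multi-valued attribute are silently ignored. The same filter extraction is repeated in the `getUserGroups` hunk further down.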
@@ -180,6 +221,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
}
}
}
+
+ $allMembers = array_merge($allMembers, $this->getDynamicGroupMembers($dnGroup));
+
$this->access->connection->writeToCache($cacheKey, $allMembers);
return $allMembers;
}
@@ -387,6 +431,8 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
*
* This function fetches all groups a user belongs to. It does not check
* if the user exists at all.
+ *
+ * This function includes groups based on dynamic group membership.
*/
public function getUserGroups($uid) {
if(!$this->enabled) {
@@ -405,6 +451,41 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface {
$groups = [];
$primaryGroup = $this->getUserPrimaryGroup($userDN);
+ $dynamicGroupMemberURL = strtolower($this->access->connection->ldapDynamicGroupMemberURL);
+
+ if (!empty($dynamicGroupMemberURL)) {
+ // look through dynamic groups to add them to the result array if needed
+ $groupsToMatch = $this->access->fetchListOfGroups(
+ $this->access->connection->ldapGroupFilter,array('dn',$dynamicGroupMemberURL));
+ foreach($groupsToMatch as $dynamicGroup) {
+ if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
+ continue;
+ }
+ $pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
+ if ($pos !== false) {
+ $memberUrlFilter = substr($dynamicGroup[$dynamicGroupMemberURL][0],$pos);
+ // apply filter via ldap search to see if this user is in this
+ // dynamic group
+ $userMatch = $this->access->readAttribute(
+ $uid,
+ $this->access->connection->ldapUserDisplayName,
+ $memberUrlFilter
+ );
+ if ($userMatch !== false) {
+ // match found so this user is in this group
+ $pos = strpos($dynamicGroup['dn'][0], ',');
+ if ($pos !== false) {
+ $membershipGroup = substr($dynamicGroup['dn'][0],3,$pos-3);
+ $groups[] = $membershipGroup;
+ }
+ }
+ } else {
+ \OCP\Util::writeLog('user_ldap', 'No search filter found on member url '.
+ 'of group ' . print_r($dynamicGroup, true), \OCP\Util::DEBUG);
+ }
+ }
+ }
+
// if possible, read out membership via memberOf. It's far faster than
// performing a search, which still is a fallback later.
if(intval($this->access->connection->hasMemberOfFilterSupport) === 1
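Review bot: The membership probe calls `readAttribute($uid, …, $memberUrlFilter)`, but the context line just above uses `$userDN` for the same user, and `getDynamicGroupMembers` passes a DN as the first argument of `readAttribute`. If that argument is expected to be a DN, as those calls suggest, the probe should read `$this->access->readAttribute($userDN,`; otherwise a dynamic group is only matched when the username happens to equal the DN. The group name is cut out of the DN with `substr($dynamicGroup['dn'][0],3,$pos-3)`, which assumes a three-character RDN prefix such as `cn=`, breaks on an escaped comma in the RDN value, and bypasses the backend's DN-to-name mapping (`dn2groupname()` on `$this->access`, if it is available here), so the returned name may not match the group that other methods report. The body of `getUserGroups` continues outside this hunk.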
diff --git a/apps/user_ldap/js/wizard/wizardTabAdvanced.js b/apps/user_ldap/js/wizard/wizardTabAdvanced.js
index d85dde0ccdf..d1e5002d40a 100644
--- a/apps/user_ldap/js/wizard/wizardTabAdvanced.js
+++ b/apps/user_ldap/js/wizard/wizardTabAdvanced.js
@@ -83,6 +83,10 @@ OCA = OCA || {};
$element: $('#ldap_group_member_assoc_attribute'),
setMethod: 'setGroupMemberAssociationAttribute'
},
+ ldap_dynamic_group_member_url: {
+ $element: $('#ldap_dynamic_group_member_url'),
+ setMethod: 'setDynamicGroupMemberURL'
+ },
ldap_nested_groups: {
$element: $('#ldap_nested_groups'),
setMethod: 'setUseNestedGroups'
@@ -258,6 +262,15 @@ OCA = OCA || {};
},
/**
+ * sets the dynamic group member url attribute
+ *
+ * @param {string} attribute
+ */
+ setDynamicGroupMemberURL: function(attribute) {
+ this.setElementValue(this.managedItems.ldap_dynamic_group_member_url.$element, attribute);
+ },
+
+ /**
* enabled or disables the use of nested groups (groups in groups in
* groups…)
*
diff --git a/apps/user_ldap/l10n/he.js b/apps/user_ldap/l10n/he.js
index 56be7447e72..0e4b78f0373 100644
--- a/apps/user_ldap/l10n/he.js
+++ b/apps/user_ldap/l10n/he.js
@@ -113,7 +113,16 @@ OC.L10N.register(
"Turn off SSL certificate validation." : "כיבוי אימות אישורי אבטחה SSL.",
"in seconds. A change empties the cache." : "בשניות. שינוי מרוקן את המטמון.",
"Directory Settings" : "הגדרות תיקייה",
+ "User Display Name Field" : "שדה שם תצוגה למשתמש",
"Base User Tree" : "עץ משתמש בסיסי",
- "in bytes" : "בבתים"
+ "Base Group Tree" : "עץ קבוצה בסיסי",
+ "Group Search Attributes" : "מאפייני חיפוש קבוצה",
+ "Special Attributes" : "מאפיינים מיוחדים",
+ "Quota Field" : "שדה מכסה",
+ "Quota Default" : "ברירת מחדל מכסה",
+ "in bytes" : "בבתים",
+ "Email Field" : "שדה דואר אלקטרוני",
+ "Internal Username" : "שם משתמש פנימי",
+ "Internal Username Attribute:" : "מאפיין שם משתמש פנימי:"
},
"nplurals=2; plural=(n != 1);");
diff --git a/apps/user_ldap/l10n/he.json b/apps/user_ldap/l10n/he.json
index ca2ba2f91a6..21b0cbb70a4 100644
--- a/apps/user_ldap/l10n/he.json
+++ b/apps/user_ldap/l10n/he.json
@@ -111,7 +111,16 @@
"Turn off SSL certificate validation." : "כיבוי אימות אישורי אבטחה SSL.",
"in seconds. A change empties the cache." : "בשניות. שינוי מרוקן את המטמון.",
"Directory Settings" : "הגדרות תיקייה",
+ "User Display Name Field" : "שדה שם תצוגה למשתמש",
"Base User Tree" : "עץ משתמש בסיסי",
- "in bytes" : "בבתים"
+ "Base Group Tree" : "עץ קבוצה בסיסי",
+ "Group Search Attributes" : "מאפייני חיפוש קבוצה",
+ "Special Attributes" : "מאפיינים מיוחדים",
+ "Quota Field" : "שדה מכסה",
+ "Quota Default" : "ברירת מחדל מכסה",
+ "in bytes" : "בבתים",
+ "Email Field" : "שדה דואר אלקטרוני",
+ "Internal Username" : "שם משתמש פנימי",
+ "Internal Username Attribute:" : "מאפיין שם משתמש פנימי:"
},"pluralForm" :"nplurals=2; plural=(n != 1);"
} \ No newline at end of file
diff --git a/apps/user_ldap/l10n/it.js b/apps/user_ldap/l10n/it.js
index 8bb42e1a72a..8f51e607ab7 100644
--- a/apps/user_ldap/l10n/it.js
+++ b/apps/user_ldap/l10n/it.js
@@ -132,6 +132,8 @@ OC.L10N.register(
"One Group Base DN per line" : "Un DN base gruppo per riga",
"Group Search Attributes" : "Attributi di ricerca gruppo",
"Group-Member association" : "Associazione gruppo-utente ",
+ "Dynamic Group Member URL" : "URL membro di gruppo dinamico",
+ "The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)" : "L'attributo LDAP che sugli oggetti di gruppo contiene un URL di ricerca LDAP che determina quali oggetti appartengono al gruppo. (Un valore vuoto disabilità la funzionalità di appartenenza ai gruppi dinamica)",
"Nested Groups" : "Gruppi nidificati",
"When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)" : "Quando è attivato, i gruppi che contengono altri gruppi sono supportati. (Funziona solo se l'attributo del gruppo membro contiene DN.)",
"Paging chunksize" : "Dimensione del blocco di paginazione",
diff --git a/apps/user_ldap/l10n/it.json b/apps/user_ldap/l10n/it.json
index 73234261016..575ac66c5b5 100644
--- a/apps/user_ldap/l10n/it.json
+++ b/apps/user_ldap/l10n/it.json
@@ -130,6 +130,8 @@
"One Group Base DN per line" : "Un DN base gruppo per riga",
"Group Search Attributes" : "Attributi di ricerca gruppo",
"Group-Member association" : "Associazione gruppo-utente ",
+ "Dynamic Group Member URL" : "URL membro di gruppo dinamico",
+ "The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)" : "L'attributo LDAP che sugli oggetti di gruppo contiene un URL di ricerca LDAP che determina quali oggetti appartengono al gruppo. (Un valore vuoto disabilità la funzionalità di appartenenza ai gruppi dinamica)",
"Nested Groups" : "Gruppi nidificati",
"When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)" : "Quando è attivato, i gruppi che contengono altri gruppi sono supportati. (Funziona solo se l'attributo del gruppo membro contiene DN.)",
"Paging chunksize" : "Dimensione del blocco di paginazione",
diff --git a/apps/user_ldap/l10n/pt_BR.js b/apps/user_ldap/l10n/pt_BR.js
index e027c930ceb..8e52b17dce6 100644
--- a/apps/user_ldap/l10n/pt_BR.js
+++ b/apps/user_ldap/l10n/pt_BR.js
@@ -132,6 +132,8 @@ OC.L10N.register(
"One Group Base DN per line" : "Um grupo-base DN por linha",
"Group Search Attributes" : "Atributos de Busca de Grupo",
"Group-Member association" : "Associação Grupo-Membro",
+ "Dynamic Group Member URL" : "Membro do Grupo Dinâmico URL",
+ "The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)" : "O atributo LDAP que em objetos do grupo contém uma pesquisa URL LDAP que determina quais objetos pertencem ao grupo. (Um cenário vazio desativa a funcionalidade de membros de grupo dinâmico.)",
"Nested Groups" : "Grupos Aninhados",
"When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)" : "Quando habilitado, os grupos que contêm os grupos são suportados. (Só funciona se o atributo de membro de grupo contém DNs.)",
"Paging chunksize" : "Bloco de paginação",
diff --git a/apps/user_ldap/l10n/pt_BR.json b/apps/user_ldap/l10n/pt_BR.json
index 8251fa082a6..4ca70230a19 100644
--- a/apps/user_ldap/l10n/pt_BR.json
+++ b/apps/user_ldap/l10n/pt_BR.json
@@ -130,6 +130,8 @@
"One Group Base DN per line" : "Um grupo-base DN por linha",
"Group Search Attributes" : "Atributos de Busca de Grupo",
"Group-Member association" : "Associação Grupo-Membro",
+ "Dynamic Group Member URL" : "Membro do Grupo Dinâmico URL",
+ "The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)" : "O atributo LDAP que em objetos do grupo contém uma pesquisa URL LDAP que determina quais objetos pertencem ao grupo. (Um cenário vazio desativa a funcionalidade de membros de grupo dinâmico.)",
"Nested Groups" : "Grupos Aninhados",
"When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)" : "Quando habilitado, os grupos que contêm os grupos são suportados. (Só funciona se o atributo de membro de grupo contém DNs.)",
"Paging chunksize" : "Bloco de paginação",
diff --git a/apps/user_ldap/l10n/pt_PT.js b/apps/user_ldap/l10n/pt_PT.js
index d6bd1d9d515..7845d4427a0 100644
--- a/apps/user_ldap/l10n/pt_PT.js
+++ b/apps/user_ldap/l10n/pt_PT.js
@@ -132,6 +132,8 @@ OC.L10N.register(
"One Group Base DN per line" : "Uma base de grupo DN por linha",
"Group Search Attributes" : "Atributos de pesquisa de grupo",
"Group-Member association" : "Associar utilizador ao grupo.",
+ "Dynamic Group Member URL" : "URL Dinâmica de Membro do Grupo",
+ "The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)" : "O atributo LDAP que em objetos de grupo contém um URL de pesquisa LDAP que determina que objetos pertencem ao grupo. (Uma definição vazia desativa a funcionalidade de membros de grupo dinâmico.)",
"Nested Groups" : "Grupos agrupados",
"When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)" : "Quando habilitado os grupos, os grupos são suportados. (Só funciona se o atributo de membro de grupo contém DNs.)",
"Paging chunksize" : "Bloco de paginação",
diff --git a/apps/user_ldap/l10n/pt_PT.json b/apps/user_ldap/l10n/pt_PT.json
index 8073db3efa6..b0538292937 100644
--- a/apps/user_ldap/l10n/pt_PT.json
+++ b/apps/user_ldap/l10n/pt_PT.json
@@ -130,6 +130,8 @@
"One Group Base DN per line" : "Uma base de grupo DN por linha",
"Group Search Attributes" : "Atributos de pesquisa de grupo",
"Group-Member association" : "Associar utilizador ao grupo.",
+ "Dynamic Group Member URL" : "URL Dinâmica de Membro do Grupo",
+ "The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)" : "O atributo LDAP que em objetos de grupo contém um URL de pesquisa LDAP que determina que objetos pertencem ao grupo. (Uma definição vazia desativa a funcionalidade de membros de grupo dinâmico.)",
"Nested Groups" : "Grupos agrupados",
"When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)" : "Quando habilitado os grupos, os grupos são suportados. (Só funciona se o atributo de membro de grupo contém DNs.)",
"Paging chunksize" : "Bloco de paginação",
diff --git a/apps/user_ldap/l10n/sq.js b/apps/user_ldap/l10n/sq.js
index aaebf07862d..e2db8bfe618 100644
--- a/apps/user_ldap/l10n/sq.js
+++ b/apps/user_ldap/l10n/sq.js
@@ -132,8 +132,12 @@ OC.L10N.register(
"One Group Base DN per line" : "Një DN Bazë Grupi për rresht",
"Group Search Attributes" : "Atribute Kërkimi Grupi",
"Group-Member association" : "Përshoqërim Grup-Përdorues",
+ "Dynamic Group Member URL" : "URL Anëtari Grupi Dinamik",
+ "The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)" : "Atributi LDAP që në objekte grupi përmban një URL kërkimi LDAP që përcakton se cilat objekte i përkasin grupit. (Nëse rregullimi lihet i zbrazët, funksioni i anëtarësisë në grup dinamik.)",
"Nested Groups" : "Grupe Brenda Njëri-Tjetrit",
"When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)" : "Kur aktivizohet, grupet që përmbajnë grupe mbulohen. (Funksionon vetëm nëse atributi për anëtar grupi përmban DN-ra.)",
+ "Paging chunksize" : "Madhësi copash faqosjeje",
+ "Chunksize used for paged LDAP searches that may return bulky results like user or group enumeration. (Setting it 0 disables paged LDAP searches in those situations.)" : "Madhësi copash të përdorura për kërkime LDAP të sistemuara në faqe, kërkime që japin përfundime të papërpunuara, të tilla si numër përdoruesish ose grupesh. (Caktimi si 0 i çaktivizon kërkimet e faqosura LDAP për këto raste.)",
"Special Attributes" : "Atribute Speciale",
"Quota Field" : "Fushë Kuotash",
"Quota Default" : "Parazgjedhje Kuotash",
diff --git a/apps/user_ldap/l10n/sq.json b/apps/user_ldap/l10n/sq.json
index 335a42630b5..93ae9c7b818 100644
--- a/apps/user_ldap/l10n/sq.json
+++ b/apps/user_ldap/l10n/sq.json
@@ -130,8 +130,12 @@
"One Group Base DN per line" : "Një DN Bazë Grupi për rresht",
"Group Search Attributes" : "Atribute Kërkimi Grupi",
"Group-Member association" : "Përshoqërim Grup-Përdorues",
+ "Dynamic Group Member URL" : "URL Anëtari Grupi Dinamik",
+ "The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)" : "Atributi LDAP që në objekte grupi përmban një URL kërkimi LDAP që përcakton se cilat objekte i përkasin grupit. (Nëse rregullimi lihet i zbrazët, funksioni i anëtarësisë në grup dinamik.)",
"Nested Groups" : "Grupe Brenda Njëri-Tjetrit",
"When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)" : "Kur aktivizohet, grupet që përmbajnë grupe mbulohen. (Funksionon vetëm nëse atributi për anëtar grupi përmban DN-ra.)",
+ "Paging chunksize" : "Madhësi copash faqosjeje",
+ "Chunksize used for paged LDAP searches that may return bulky results like user or group enumeration. (Setting it 0 disables paged LDAP searches in those situations.)" : "Madhësi copash të përdorura për kërkime LDAP të sistemuara në faqe, kërkime që japin përfundime të papërpunuara, të tilla si numër përdoruesish ose grupesh. (Caktimi si 0 i çaktivizon kërkimet e faqosura LDAP për këto raste.)",
"Special Attributes" : "Atribute Speciale",
"Quota Field" : "Fushë Kuotash",
"Quota Default" : "Parazgjedhje Kuotash",
diff --git a/apps/user_ldap/lib/configuration.php b/apps/user_ldap/lib/configuration.php
index 752f3e81a3e..f829160b62a 100644
--- a/apps/user_ldap/lib/configuration.php
+++ b/apps/user_ldap/lib/configuration.php
@@ -7,6 +7,7 @@
* @author Lukas Reschke <lukas@owncloud.com>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Robin McCorkell <robin@mccorkell.me.uk>
+ * @author Richard Bentley <rbentley@e2advance.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
@@ -84,6 +85,7 @@ class Configuration {
'lastJpegPhotoLookup' => null,
'ldapNestedGroups' => false,
'ldapPagingSize' => null,
+ 'ldapDynamicGroupMemberURL' => null,
);
/**
@@ -442,6 +444,7 @@ class Configuration {
'ldap_nested_groups' => 0,
'ldap_paging_size' => 500,
'ldap_experienced_admin' => 0,
+ 'ldap_dynamic_group_member_url' => '',
);
}
@@ -496,7 +499,8 @@ class Configuration {
'last_jpegPhoto_lookup' => 'lastJpegPhotoLookup',
'ldap_nested_groups' => 'ldapNestedGroups',
'ldap_paging_size' => 'ldapPagingSize',
- 'ldap_experienced_admin' => 'ldapExperiencedAdmin'
+ 'ldap_experienced_admin' => 'ldapExperiencedAdmin',
+ 'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL',
);
return $array;
}
diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php
index 3ba106bec9f..23e6d5591a9 100644
--- a/apps/user_ldap/templates/settings.php
+++ b/apps/user_ldap/templates/settings.php
@@ -91,6 +91,7 @@ style('user_ldap', 'settings');
<p><label for="ldap_base_groups"><?php p($l->t('Base Group Tree'));?></label><textarea id="ldap_base_groups" name="ldap_base_groups" placeholder="<?php p($l->t('One Group Base DN per line'));?>" data-default="<?php p($_['ldap_base_groups_default']); ?>" title="<?php p($l->t('Base Group Tree'));?>"></textarea></p>
<p><label for="ldap_attributes_for_group_search"><?php p($l->t('Group Search Attributes'));?></label><textarea id="ldap_attributes_for_group_search" name="ldap_attributes_for_group_search" placeholder="<?php p($l->t('Optional; one attribute per line'));?>" data-default="<?php p($_['ldap_attributes_for_group_search_default']); ?>" title="<?php p($l->t('Group Search Attributes'));?>"></textarea></p>
<p><label for="ldap_group_member_assoc_attribute"><?php p($l->t('Group-Member association'));?></label><select id="ldap_group_member_assoc_attribute" name="ldap_group_member_assoc_attribute" data-default="<?php p($_['ldap_group_member_assoc_attribute_default']); ?>" ><option value="uniqueMember"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] === 'uniqueMember')) p(' selected'); ?>>uniqueMember</option><option value="memberUid"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] === 'memberUid')) p(' selected'); ?>>memberUid</option><option value="member"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] === 'member')) p(' selected'); ?>>member (AD)</option></select></p>
+ <p><label for="ldap_dynamic_group_member_url"><?php p($l->t('Dynamic Group Member URL'));?></label><input type="text" id="ldap_dynamic_group_member_url" name="ldap_dynamic_group_member_url" title="<?php p($l->t('The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)'));?>" data-default="<?php p($_['ldap_dynamic_group_member_url_default']); ?>" /></p>
<p><label for="ldap_nested_groups"><?php p($l->t('Nested Groups'));?></label><input type="checkbox" id="ldap_nested_groups" name="ldap_nested_groups" value="1" data-default="<?php p($_['ldap_nested_groups_default']); ?>" title="<?php p($l->t('When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)'));?>" /></p>
<p><label for="ldap_paging_size"><?php p($l->t('Paging chunksize'));?></label><input type="number" id="ldap_paging_size" name="ldap_paging_size" title="<?php p($l->t('Chunksize used for paged LDAP searches that may return bulky results like user or group enumeration. (Setting it 0 disables paged LDAP searches in those situations.)'));?>" data-default="<?php p($_['ldap_paging_size_default']); ?>" /></p>
</div>
diff --git a/apps/user_ldap/tests/group_ldap.php b/apps/user_ldap/tests/group_ldap.php
index 5f9ded878ca..667a1c3acb2 100644
--- a/apps/user_ldap/tests/group_ldap.php
+++ b/apps/user_ldap/tests/group_ldap.php
@@ -67,10 +67,13 @@ class Test_Group_Ldap extends \Test\TestCase {
private function enableGroups($access) {
$access->connection->expects($this->any())
- ->method('__get')
- ->will($this->returnCallback(function() {
- return 1;
- }));
+ ->method('__get')
+ ->will($this->returnCallback(function($name) {
+ if($name === 'ldapDynamicGroupMemberURL') {
+ return '';
+ }
+ return 1;
+ }));
}
public function testCountEmptySearchString() {
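Review bot: Both test hunks only make the mocked `__get` return `''` for `ldapDynamicGroupMemberURL` (here in `enableGroups`, and again in the later callback that handles `useMemberOfToDetectMembership`), which switches the new feature off; nothing in these changes exercises `getDynamicGroupMembers` or the dynamic branch of `getUserGroups`. Because the new code decides group membership, it needs at least one test with a non-empty attribute name and a stubbed member URL like the examples in the code comment, asserting which users and groups come back. A second case should cover a URL that contains no filter. The rest of the test class is outside this hunk.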
@@ -430,6 +433,8 @@ class Test_Group_Ldap extends \Test\TestCase {
->will($this->returnCallback(function($name) {
if($name === 'useMemberOfToDetectMembership') {
return 0;
+ } else if($name === 'ldapDynamicGroupMemberURL') {
+ return '';
}
return 1;
}));