Re: access control 'set=' problem (ITS#3140)
Hello,
This works if the group "cn=admins,o=myorg,c=fr" contains the users who
are allowed to bind. In my case, this group contains another group which
contains the allowed users (and possibly other groups).
In fact, the set="[cn=admins,o=myorg,c=fr]/member* & user" syntax performs a
recursive check of all members from groups and sub-groups. Is there maybe
another way to perform such a recursive check?
So with your access control and my example LDIF, the user
"cn=toto,ou=people,o=myorg,c=fr" is not allowed to write in the directory,
whereas he can with the "set=" directive. The problem is that an unbind
search crashes with OpenLDAP 2.2.x with this access control.
Thanks for your time,
Herve
> I'm not quite familiar with sets in ACLs, but don't you get
> exactly the same result by using group ACL rules? Why don't
> you try
>
> access to *
>     by group.exact="cn=admins,o=myorg,c=fr" write
>     by * read
>
> Of course the crash is a bug...
>
> p.
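
The difference between the two rules discussed in this thread, as an added example that is not part of either message and is not slapd's own code: a small Python model of direct group membership (`group.exact`) versus the recursive `member*` expansion intersected with the bound user. The directory contents, the `cn=subadmins` group and all function names are constructed for illustration; only the `cn=admins` and `cn=toto` DNs come from the thread.

```python
# Constructed directory: group DN -> values of its "member" attribute.
# cn=subadmins is an assumed intermediate group (nested one level down).
DIRECTORY = {
    "cn=admins,o=myorg,c=fr": ["cn=subadmins,o=myorg,c=fr"],
    "cn=subadmins,o=myorg,c=fr": [
        "cn=toto,ou=people,o=myorg,c=fr",
        "cn=admins,o=myorg,c=fr",  # membership loop, to show termination
    ],
}


def norm(dn):
    """Simplified DN normalisation: lowercase, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def group_exact(group_dn, user_dn, directory=DIRECTORY):
    """Model of 'by group.exact=...': only direct members match."""
    members = directory.get(norm(group_dn), [])
    return norm(user_dn) in {norm(m) for m in members}


def member_star(group_dn, directory=DIRECTORY):
    """Model of '[group]/member*': follow 'member' values transitively.

    The 'seen' set stops the walk when groups reference each other.
    The starting DN is kept in the result as a simplification; it does
    not change the outcome for a user DN.
    """
    seen, stack = set(), [norm(group_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        stack.extend(norm(m) for m in directory.get(dn, []))
    return seen


def set_acl(group_dn, user_dn, directory=DIRECTORY):
    """Model of 'set="[group]/member* & user"': a non-empty intersection grants."""
    return bool(member_star(group_dn, directory) & {norm(user_dn)})


if __name__ == "__main__":
    admins, toto = "cn=admins,o=myorg,c=fr", "cn=toto,ou=people,o=myorg,c=fr"
    print("group.exact grants write:", group_exact(admins, toto))
    print("set member* grants write:", set_acl(admins, toto))
```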