
Re: access control 'set=' problem (ITS#3140)
Hello,

This is working if the group "cn=admins,o=myorg,c=fr" contains the users who
are allowed to bind. In my case, this group contains another group which
contains the allowed users (and possibly other groups).

In fact, the set="[cn=admins,o=myorg,c=fr]/member* & user" syntax performs a
recursive check of all members from groups and sub-groups. Maybe there is
another way to perform such a recursive check?

So with your access control and my example ldif, the user
"cn=toto,ou=people,o=myorg,c=fr" is not allowed to write in the directory,
whereas he can with the "set=" directive. The problem is that an unbind
search crashes with openldap 2.2.x with this access control.

Thanks for your time,
Herve

> I'm not quite familiar with sets in ACLs, but don't you get
> exactly the same result by using group ACLs rules?  Why don't
> you try
>
> access to *
>         by group.exact="cn=admins,o=myorg,c=fr" write
>         by * read
>
> Of course the crash is a bug...
>
> p.
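To make the difference between the two ACL forms concrete, here is an added model (not part of this thread and not slapd's own code) of what group.exact and the set="[dn]/member* & user" expression check. The directory is constructed inline: the DNs cn=admins,o=myorg,c=fr and cn=toto,ou=people,o=myorg,c=fr come from the message above; the intermediate group cn=ops,ou=groups,o=myorg,c=fr, the user cn=bob, and the back-reference from ops to admins are assumptions added to show nested groups and a membership cycle. Whether slapd's closure also counts the group DN itself is not something this model claims; it only follows member one or more hops.

```python
"""Model of direct (group.exact) versus recursive (set= ... /member*) group
membership as used in slapd ACLs.  Added illustration, not slapd source."""

# Constructed directory.  cn=admins holds no users directly, only the
# cn=ops group, which holds the user cn=toto and (assumed) points back at
# cn=admins so the recursive walk has a cycle to survive.
DIRECTORY = {
    "cn=admins,o=myorg,c=fr": {
        "member": ["cn=ops,ou=groups,o=myorg,c=fr"],
    },
    "cn=ops,ou=groups,o=myorg,c=fr": {
        "member": [
            "cn=toto,ou=people,o=myorg,c=fr",
            "cn=admins,o=myorg,c=fr",  # cycle back to the parent group
        ],
    },
    "cn=toto,ou=people,o=myorg,c=fr": {},
    "cn=bob,ou=people,o=myorg,c=fr": {},
}


def group_exact_allows(directory, group_dn, user_dn, attr="member"):
    """by group.exact="<group_dn>": the bound user's DN must be listed
    directly in the group entry's member attribute.  No recursion."""
    return user_dn in directory.get(group_dn, {}).get(attr, [])


def expand_members(directory, group_dn, attr="member"):
    """[group_dn]/member*: every DN reachable from group_dn by following
    the member attribute one or more times.  The visited set is what
    stops the walk when groups refer to each other."""
    seen = set()
    stack = list(directory.get(group_dn, {}).get(attr, []))
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        # Entries that are not groups simply have no member values.
        stack.extend(directory.get(dn, {}).get(attr, []))
    return seen


def set_allows(directory, group_dn, user_dn, attr="member"):
    """set="[group_dn]/member* & user": the ACL matches when the
    intersection of the recursive member set with {user} is non-empty."""
    return bool(expand_members(directory, group_dn, attr) & {user_dn})


if __name__ == "__main__":
    admins = "cn=admins,o=myorg,c=fr"
    for user in ("cn=toto,ou=people,o=myorg,c=fr", "cn=bob,ou=people,o=myorg,c=fr"):
        print(user)
        print("  group.exact:", group_exact_allows(DIRECTORY, admins, user))
        print("  set=/member*:", set_allows(DIRECTORY, admins, user))
```

With this directory, cn=toto is refused by the group.exact rule and accepted by the set= rule, which is exactly the behaviour described in the message; cn=bob is refused by both. The walk terminates despite the ops/admins cycle because each DN is expanded once.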