RE: problem with posixGroup in ACL

["Howard Chu" <hyc@highlandsun.com>]

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Matt Richard

> Hi,
>
> I have seen this question asked before, but never saw an answer:
> http://www.openldap.org/lists/openldap-software/200303/msg00164.html
>
> I am attempting to use an LDAP group in an ACL, to permit write
> access for members of a specific group.
>
> I am using the following ACL:
>
>    access to *
>       by
> group/posixGroup/memberUid="cn=admin,cn=groups,dc=example,dc=e
> du" write
>       by * read
>
> I am getting the following error when running
> /usr/local/libexec/slapd -d65535:
>
> /usr/local/etc/openldap/slapd.conf: line 58: group
> "cn=admin,cn=groups,dc=fandm,dc=edu": inappropriate syntax:
> 1.3.6.1.4.1.1466.115.121.1.26
>
> This is working in specific Apple releases of OpenLDAP for Mac OSX
> Server, but not in the OpenLDAP release 2.1.22.
>
> Can anyone help clue me in to the problem here?  Is there a specific
> patch available to make this work?

An ACL specifier must have DistinguishedName syntax. memberUid uses the wrong
syntax. memberUid is obsolete, you should be using RFC2307bis and
groupOfNames/member instead of memberUid.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support