Re: ACL problem posixgroup/groupofnames (w/ corrected)

[Howard Chu <hyc@symas.com>]

Jim C. wrote:

> > > > > So why doesn't the syntax provided by faq-o-matic for granting access
> > >
> > > ...
> > >
> > > > problem you're experiencing. Can you elaborate on it?
> >
> >
> > See slapd.access(5).
> >
> > Also, you seem to have missed this note in the referenced
> > answer:
> >
> >   Note: the specified member attribute type MUST be of DN syntax
> >   and the specified object class SHOULD allow the attribute type.
> > That is, your attempt to use memberUid and posixGroup here
> > is invalid.
>
>
> uh... because you are not supposed to put dn's in a memberUid attribute?
>
> Great.  So what it seems like you are telling me is that the LDAP 
> schema's for the memberUid attribute are dreadfully out of date. I 
> suppose then that my readers and I will have to live with the 
> redundancy, obscene and unmanageable as it is.
>
> Jim C.

The schema in question, which defines posixGroup, is certainly out of 
date. There is RFC2307bis which updates the group semantics to use 
proper DNs, but even that draft expried a long time ago, and no update 
has been published. Still, if you adopt RFC2307bis you'll be in better 
shape than you are at the moment.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support