Howard Chu wrote:
Ski Kacoroski wrote:
Ok, I went through this page and I am still missing something. I tried the following:
My test account is a member of ldapadmins:
dn: cn=ldapadmins,ou=Groups,dc=nsd,dc=org
cn: ldapadmins
objectClass: nsdGroupOfMemberURLs
nsdGroupOwner: Technology
description: ldapadmins management group
memberURL: ldap:///ou=staff,ou=people,dc=nsd,dc=org??sub?(nsdGroups=ldapadmins)
gidNumber: 11011
member: uid=test2,ou=staff,ou=People,dc=nsd,dc=org
However, when I try to access an object:
Why is it asking for the groupOfNames objectclass? Do I have to add this object class to my schema for dynlists?
You have to read slapd.access(5) and understand how to properly specify a group ACL.
1. Changed ACL to:
access to *
    by group/nsdGroupOfMemberURLs/member="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org" write
    by * none
To get slapd to start, I had to change the schema definition to include member as an attribute so I am pretty sure this is not correct.
I also saw a brief message where you suggested using the set statement instead of groups because it would be more efficient, but could not get that to work either.
I would never have said any such thing. Sets are notoriously *in*efficient.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
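Added example, not part of the original thread and not OpenLDAP code: a small Python parser for the group <who> clause syntax given in slapd.access(5), group[/<objectclass>[/<attrname>]][.<style>]=<pattern>, showing which objectClass and member attribute each form of the ACL above selects. The function names and sample clauses are constructed for illustration; the defaults (groupOfNames, member) are the ones the man page documents.

```python
import re

# <who> clause grammar from slapd.access(5):
#   group[/<objectclass>[/<attrname>]][.<style>]=<pattern>
GROUP_WHO = re.compile(
    r'^group'
    r'(?:/(?P<oc>[A-Za-z][\w;-]*)(?:/(?P<attr>[A-Za-z][\w;-]*))?)?'
    r'(?:\.(?P<style>exact|expand))?'
    r'="?(?P<dn>[^"]+)"?$'
)

def parse_group_who(who):
    """Return the effective group-lookup parameters for one group <who> clause."""
    m = GROUP_WHO.match(who.strip())
    if m is None:
        raise ValueError(f"not a group <who> clause: {who!r}")
    return {
        # Documented defaults apply when the clause does not name them.
        "objectclass": m.group("oc") or "groupOfNames",
        "attr": m.group("attr") or "member",
        "style": m.group("style"),  # None when no style qualifier is given
        "dn": m.group("dn"),
    }

def explain(who):
    """One-line summary of what the group entry must look like for this clause."""
    p = parse_group_who(who)
    return (f'entry "{p["dn"]}" must have objectClass {p["objectclass"]}; '
            f'membership is read from its {p["attr"]} attribute')

# Constructed sample clauses, built from the DN and objectClass in the thread.
SAMPLES = [
    # Bare form: falls back to groupOfNames/member.
    'group="cn=ldapadmins,ou=Groups,dc=nsd,dc=org"',
    # Objectclass only: attribute still defaults to member.
    'group/nsdGroupOfMemberURLs="cn=ldapadmins,ou=Groups,dc=nsd,dc=org"',
    # The form tried in the thread: both named explicitly.
    'group/nsdGroupOfMemberURLs/member="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org"',
]

if __name__ == "__main__":
    for clause in SAMPLES:
        print(clause)
        print("   ->", explain(clause))
```

The bare form resolves to groupOfNames, and the form tried in the thread names member as the membership attribute, so the objectClass has to allow that attribute.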