Re: ACL's and dynlist confusion
Howard Chu wrote:
Ski Kacoroski wrote:
My test account is a member of ldapadmins:
dn: cn=ldapadmins,ou=Groups,dc=nsd,dc=org
cn: ldapadmins
objectClass: nsdGroupOfMemberURLs
nsdGroupOwner: Technology
description: ldapadmins management group
memberURL: ldap:///ou=staff,ou=people,dc=nsd,dc=org??sub?(nsdGroups=ldapadmins)
gidNumber: 11011
member: uid=test2,ou=staff,ou=People,dc=nsd,dc=org
However, when I try to access an object:
Why is it asking for the groupOfNames objectclass? Do I have to add
this object class to my schema for dynlists?
You have to read slapd.access(5) and understand how to properly specify
a group ACL.
Ok, I went through this page and I am still missing something. I tried
the following:
1. Changed ACL to:
access to *
    by group/nsdGroupOfMemberURLs/member="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org" write
    by * none
To get slapd to start, I had to change the schema definition to include
member as an attribute so I am pretty sure this is not correct.
I also saw a brief message where you suggested using the set statement
instead of groups because it would be more efficient, but could not get
that to work either.
Appreciate any pointers you can provide.
cheers,
ski
--
"When we try to pick out anything by itself, we find it
connected to the entire universe" John Muir
Chris "Ski" Kacoroski, ski@nsd.org, 206-501-9803