Re: ACL using Group

[Rakesh Aggarwal <rakesh.aggarwal@gmail.com>]

That was just an example I wrote while writing the email. Actual one does have a "by". 

The ACLs parse without warning (except the catch-all where dn=*). This is the real one in my slapd config:

access to dn.regex="^[^,]+,ou=resources,(ou=[^,]+,ou=MyNs,dc=MyCompany,dc=com)$"


    attrs="entry,@MyResourceClasss"
    by group/groupOfNames/member.expand="cn=admins,ou=groups,$1" +w continue
    by * break

Thanks

-Rakesh

On Fri, Nov 11, 2011 at 11:58 AM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:

--On Friday, November 11, 2011 11:40 AM -0800 Rakesh Aggarwal <rakesh.aggarwal@gmail.com> wrote:

Hi folks!

I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio
as the client on a different machine.

I am having issues trying to setup ACL using Group. The only non-standard
aspect in my schema design is that the groups container is located in a
organization specific sub-tree of DIT and not under DIT root, e.g.

 access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com"
 attrs = "entry,@myResourceClass"
 group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com"
write continue
 by * break

access to * by * read

What you pasted is not a valid ACL statement.  I expect it to fail.  You may want to try adding the word "by" in front of "group.exact".

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration