
Re: dynlist groups not usable in ACLs?



DRVTiny wrote:
OpenLDAP 2.4.39, amd64, debian 7
When I use the group with only static members in a "by
group/groupOfNames/member" clause - all works perfectly.
But when I'm trying to use in the ACL definition dynamic members in a 1:1
identical group - it doesn't work at all and in slapd debug output I see:
---
530b1a22 dnMatch -40
      "dc=ru"
      "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru"
---
where "dc=ru" is one static member of this group (all others are dynamic
members and they are not compared to
"uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru" at all).

It is very strange behavior, because official documentation says that:

---
Dynamic Groups are also supported in Access Control. Please see
slapo-dynlist(5) and the Dynamic Lists overlay section.
---

Any comments? Can I use dynlist'ed groups in OpenLDAP ACLs?

Yes, you can. But you cannot use group/groupOfNames for a dynamic group. This is already documented in the manpage.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
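
The distinction in the reply above, as an added slapd.conf fragment that is not part of the original thread: the ACL form that only sees stored member values, beside a form that names the group by its URL-valued attribute. It assumes the dyngroup schema (groupOfURLs / memberURL) is loaded; every DN, the filter and the schema path are constructed placeholders.

```conf
# Added example, not from the thread. All DNs and paths are placeholders.
include /etc/ldap/schema/dyngroup.schema   # assumed path; defines groupOfURLs and memberURL

# Expands memberURL into member values when the group entry is returned
# by a search. This expansion is not what the ACL group check reads.
overlay dynlist
dynlist-attrset groupOfURLs memberURL member

# Constructed group entry, shown as LDIF in comments:
#   dn: cn=admins,ou=groups,dc=example,dc=com
#   objectClass: groupOfURLs
#   cn: admins
#   memberURL: ldap:///ou=people,dc=example,dc=com??sub?(title=admin)

# Does NOT match dynamic members: the check compares the requester's DN
# against member values stored in the entry, so only static members are
# tested (the single dnMatch line in the debug output above).
#
# access to dn.subtree="ou=people,dc=example,dc=com"
#     by group/groupOfNames/member="cn=admins,ou=groups,dc=example,dc=com" write
#     by * read

# Dynamic form: name the group's objectClass and its URL-valued attribute,
# so membership is decided by evaluating each memberURL (base, scope,
# filter) against the requester's entry.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group/groupOfURLs/memberURL="cn=admins,ou=groups,dc=example,dc=com" write
    by * read
```

Because the memberURL filter now decides who gets write access, the attributes it tests (title in this sketch) need their own ACL so that users cannot edit themselves into the group.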