Re: ACLs using dynlist overlay

[Howard Chu <hyc@symas.com>]

Michael Ströder wrote:
> Mattes wrote:
> > Dear collected list wisdom,
> >
> > I'm trying to set up access control using membership in a dynamic list.I've activated the dynlist overlay and configured it like this:
> >
> > olcDlAttrSet: groupOfURLs memberURL member
> >
> > and installed an ACL:
> >
> > olcAccess: to dn.regex=".+,<some base>"
> > by self read
> > by group/groupOfURLs/member="<group DN>" search
> >
> > Browsing the directory I can see the member attributes being added to the
> > group, but testing access with slapacl I encounter the following error:54ef3976 => bdb_entry_get: found entry: "<group DN>"
> > 54ef3976 <= bdb_entry_get: failed to find attribute member
> >
> > What am I doing wrong?

In general, overlays don't take effect for the offline tools, they only function in slapd itself.

> > N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
>
> It's important to understand that dynlist overlay generates attribute 'member'
> on the fly when it's read. Did you read section AUTHORIZATION in slapo-dynlist(5)?
>
> Maybe running this as a CRON job is better for your needs:
>
> http://www.stroeder.com/pylib/update_memberurl_groups.py
>
> Ciao, Michael.
>
> --
> E-Mail: michael@stroeder.com
> http://www.stroeder.com


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/