
Re: ACLs using dynlist overlay



On Monday, 02 March 2015 18:49 CET, Michael Ströder <michael@stroeder.com> wrote:

> Mattes wrote:
> > Dear collected list wisdom,
> >
> > I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
> >
> > olcDlAttrSet: groupOfURLs memberURL member
> >
> > and installed an ACL:
> >
> > olcAccess: to dn.regex=".+,<some base>"
> > by self read
> > by group/groupOfURLs/member="<group DN>" search
> >
> > Browsing the directory I can see the member attributes being added to the
> > group, but testing access with slapacl I encounter the following error:
> >
> > 54ef3976 => bdb_entry_get: found entry: "<group DN>"
> > 54ef3976 <= bdb_entry_get: failed to find attribute member
> >
> > What am I doing wrong?
> > N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
>
> It's important to understand that dynlist overlay generates attribute 'member'
> on the fly when it's read.

I understand. But, to my understanding, both group/objectclass/attrname acls
and set/... acls need to fetch the attributes to do the comparison/set intersection.

>  Did you read section AUTHORIZATION in slapo-dynlist(5)?

Yes, I did read that manpage. What are you hinting at? The attribute used
in the filter part of the LDAP URL to populate the dyngroup is readable by all (verified
with slapacl).

> Maybe running this as a CRON job is better for your needs:
>
> http://www.stroeder.com/pylib/update_memberurl_groups.py

Hmm, why? What does this script do that the autogroup can't handle?

Thanks, Ralf Mattes

> Ciao, Michael.
>
> --
> E-Mail: michael@stroeder.com
> http://www.stroeder.com
>
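The failure mode discussed in this thread, as an added toy model written for this page (it is not OpenLDAP code and not the script Michael links): a `groupOfURLs` entry whose `member` values exist only when the entry is read through the dynlist overlay, a group ACL check that fetches the group entry straight from the backend (which is what the `bdb_entry_get ... failed to find attribute member` line suggests), and the materialization step a periodic job can perform so that the backend entry itself carries static `member` values. The directory contents, DNs and the simplified LDAP URL and filter parser are constructed for the example.

```python
"""Toy model of dynlist-generated 'member' versus a backend-level ACL group lookup.

Added example, not OpenLDAP's implementation: it only reproduces the behaviour the
thread describes. Assumption (from the log line in the thread): the ACL group check
reads the group entry from the backend, bypassing overlay processing.
"""
from urllib.parse import unquote

# Constructed sample directory: two people and one dynamic group.
BACKEND = {
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "departmentNumber": ["42"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "departmentNumber": ["7"]},
    "cn=dept42,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfURLs"],
        "memberURL": ["ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)"],
    },
}
GROUP = "cn=dept42,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"


def parse_memberurl(url):
    """Parse ldap:///<base>?<attrs>?<scope>?<filter> (only the subset the sample uses)."""
    if not url.startswith("ldap:///"):
        raise ValueError("unsupported URL: %s" % url)
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, flt = parts[:4]
    return unquote(base), scope or "base", unquote(flt)


def in_scope(dn, base, scope):
    """Scope test for base / one / sub against a string DN (no normalization)."""
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn != base and dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)


def matches_filter(entry, flt):
    """Only simple equality filters such as (departmentNumber=42) are modelled."""
    attr, _, value = flt.strip("()").partition("=")
    return value in entry.get(attr, [])


def backend_entry_get(dn):
    """Model of a raw backend fetch: exactly what is stored, no overlay involved."""
    return BACKEND.get(dn)


def dynlist_read(dn):
    """Model of the dynlist overlay: expand memberURL into 'member' when the entry is read."""
    raw = backend_entry_get(dn)
    if raw is None:
        return None
    entry = {k: list(v) for k, v in raw.items()}
    if "groupOfURLs" in entry.get("objectClass", []):
        members = []
        for url in entry.get("memberURL", []):
            base, scope, flt = parse_memberurl(url)
            for cand_dn, cand in BACKEND.items():
                if in_scope(cand_dn, base, scope) and matches_filter(cand, flt):
                    members.append(cand_dn)
        if members:
            # Keep any static values first, then the generated ones, without duplicates.
            entry["member"] = list(dict.fromkeys(entry.get("member", []) + members))
    return entry


def acl_group_check(group_dn, subject_dn, fetch=backend_entry_get):
    """Model of 'by group/groupOfURLs/member="<group DN>"': is the subject listed?

    Which fetch path is used decides whether the dynamic 'member' values are visible.
    """
    group = fetch(group_dn)
    if group is None or "member" not in group:
        return False  # the "failed to find attribute member" case
    return subject_dn in group["member"]


def materialize_group(group_dn):
    """What a periodic job can do: store the computed members as static 'member' values."""
    expanded = dynlist_read(group_dn)
    BACKEND[group_dn]["member"] = expanded.get("member", [])
    return BACKEND[group_dn]["member"]


if __name__ == "__main__":
    print("backend fetch, alice:", acl_group_check(GROUP, ALICE))        # False
    print("overlay read,  alice:", acl_group_check(GROUP, ALICE, dynlist_read))  # True
    print("materialized:", materialize_group(GROUP))
    print("backend fetch, alice:", acl_group_check(GROUP, ALICE))        # True
```

Run it as a script to see the three states in order: the group check fails while `member` is only generated on read, succeeds when the group is read through the overlay path, and succeeds on the plain backend path once the values have been written as static attributes.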