M. P. wrote:
>> In this case slapo-refint's own modification is internal and therefore
>> refint_nothing applies. But it does apply when the modification comes from an
>> external LDAP client.
>
> Isn't there a "not" missing in the last sentence?

Yes, should read "But it does not apply".

>> Thinking about the empty-groupOfNames-problem some more I consider to define a
>> cn=dummy value to be always present in groupOfNames entries and apply
>> val-based ACLs to make it invisible and unremovable for normal clients (even
>> the ones maintaining the groups).
>
> Yep, I thought about some trick like this. I thought also about the
> modification of the groupOfNames objectClass but this one does not have the
> preference of my manager :)

Yes, mucking around with standard schema descriptions is not the right way.

You could use groupOfEntries which was exactly defined for that purpose:

https://tools.ietf.org/html/draft-findlay-ldap-groupofentries

> I have to find now how to add automatically a user to a group. ;)

Whatever "automatically" means in your context...

Ciao, Michael.