
two issues with dyngroups



Hello list.

I'm a happy user of the dynlist overlay, in order to make my unix users members of their unix primary group:

# admins, groups, msr-inria.inria.fr
dn: cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr
objectClass: groupOfURLs
objectClass: posixGroup
gidNumber: 5000
memberURL: ldap:///ou=users,dc=msr-inria,dc=inria,dc=fr??sub?(gidNumber=5000)
cn: admins


With this configuration:
# dynamic groups
overlay dynlist
dynlist-attrset groupOfURLs memberURL member

However, I'm facing two issues here.

The first is that the dynlist overlay only accepts a single configuration directive for the whole base, which prevents mapping the request URL differently depending on the context. In my previous example, I need to map the URL as DN, because I'm dynamically building a group from users. If I wanted to build a group from another group, my URL would have been something like:
ldap:///ou=group,dc=msr-inria,dc=inria,dc=fr?member?sub?(cn=users)


and the configuration directive would have been instead
dynlist-attrset groupOfURLs memberURL

It would be nice to handle the overlay differently there.

The second directive is that ACLs seem to ignore this dynamic group:
# admins
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break

This worked with a static group, but it doesn't work anymore with a dynamic one as I just presented.

I'm using OpenLDAP 2.4.11. Should I open an ITS for those issues?
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
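
The two memberURL styles from the message, run through a small model of the dynlist expansion. This is an added example, not part of the original post and not OpenLDAP code. It follows the slapo-dynlist(5) description of the optional member-ad argument; the sample entries are constructed, the function names are hypothetical, and only simple equality filters are handled.

```python
import re

# Constructed sample entries (not from the original post): DN -> attributes.
ALICE = "uid=alice,ou=users,dc=msr-inria,dc=inria,dc=fr"
BOB = "uid=bob,ou=users,dc=msr-inria,dc=inria,dc=fr"
USERS_GROUP = "cn=users,ou=group,dc=msr-inria,dc=inria,dc=fr"
DIRECTORY = {
    ALICE: {"gidnumber": ["5000"]},
    BOB: {"gidnumber": ["5001"]},
    USERS_GROUP: {"cn": ["users"], "member": [ALICE, BOB]},
}

def parse_member_url(url):
    """Split a host-less ldap:///base?attrs?scope?filter URL into its parts."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled")
    base, attrs, scope, flt = (url[8:].split("?", 3) + [""] * 3)[:4]
    return base.lower(), [a.lower() for a in attrs.split(",") if a], scope or "base", flt

def in_scope(dn, base, scope):
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def matches(entry, flt):
    """Evaluate only simple equality filters such as (gidNumber=5000)."""
    m = re.fullmatch(r"\(([\w-]+)=([^()*]+)\)", flt)
    if not m:
        raise ValueError("filter not handled by this sketch: " + flt)
    return m.group(2).lower() in (v.lower() for v in entry.get(m.group(1).lower(), []))

def expand(member_url, member_ad=None):
    """Return the attributes one memberURL adds to the group entry."""
    base, attrs, scope, flt = parse_member_url(member_url)
    if bool(member_ad) == bool(attrs):
        # member-ad set: attrs must be absent; attr-less URL without member-ad is not modelled
        raise ValueError("URL style does not fit this attrset mapping")
    out = {}
    for dn, entry in DIRECTORY.items():
        if in_scope(dn, base, scope) and matches(entry, flt):
            if member_ad:
                out.setdefault(member_ad, []).append(dn)
            for attr in attrs:
                out.setdefault(attr, []).extend(entry.get(attr, []))
    return out

if __name__ == "__main__":
    print(expand("ldap:///ou=users,dc=msr-inria,dc=inria,dc=fr??sub?(gidNumber=5000)", "member"))
    print(expand("ldap:///ou=group,dc=msr-inria,dc=inria,dc=fr?member?sub?(cn=users)"))
```

Calling expand() on the group-from-group URL with "member" as member-ad raises ValueError in this model, which is the conflict between the two styles under a single dynlist-attrset line.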