[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL problem posixgroup/groupofnames (w/ corrected)

Jim C. wrote:

So why doesn't the syntax provided by faq-o-matic for granting access


problem you're experiencing. Can you elaborate on it?

See slapd.access(5).

Also, you seem to have missed this note in the referenced

  Note: the specified member attribute type MUST be of DN syntax
  and the specified object class SHOULD allow the attribute type.
That is, your attempt to use memberUid and posixGroup here
is invalid.

uh... because you are not supposed to put dn's in a memberUid attribute?

Great. So what it seems like you are telling me is that the LDAP schema's for the memberUid attribute are dreadfully out of date. I suppose then that my readers and I will have to live with the redundancy, obscene and unmanageable as it is.

Jim C.

The schema in question, which defines posixGroup, is certainly out of date. There is RFC2307bis which updates the group semantics to use proper DNs, but even that draft expried a long time ago, and no update has been published. Still, if you adopt RFC2307bis you'll be in better shape than you are at the moment.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support