
HELP with ACLs (dyngroup or set)



I have a Fedora Core 3 server with OpenLDAP 2.2.23 installed from the
tarball on the openldap.org web site.

I am using nss_ldap 220 (Fedora distributed RPM).

I need a way to use the authorizedService attribute (specifically
authorizedService=site-admin) to allow users to have write access to
the entire directory (that is, any user whose DN would be returned
by:

ldapsearch -x '(&(objectClass=posixAccount)(authorizedService=site-admin))' dn

should have full write access to everything in the directory.

I've tried doing this with sets and with a dynamic group.  Neither appears
to work (insufficient access).

Here's my ACL using sets:

access to *
        by set="user/authorizedService & [site-admin]" write
        ...

Here's my attempt using a dynamic group:

access to *
        by group="cn=site-admins,ou=groups,dc=example,dc=com"
        ...

Here's the dynamic group in LDIF format:
dn: cn=site-admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: site-admins
memberURL: ldap:///ou=people,dc=example,dc=com??sub?
	(authorizedService=site-admin)

(note: linebreak between sub? and (authorized... does not really exist
in the database, but, is here for clarity)

If anyone understands either of these concepts well enough to help me
make this work, I would be very grateful for your assistance.

I am becoming somewhat desperate to get this working.

Thanks,

Owen

-- 
If it wasn't crypto-signed, it probably didn't come from me.

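It is hard to see from the ACL text alone what each of the two subjects asks slapd to compute, so here is an added example (not code from the post and not OpenLDAP code) that models both evaluations over a small constructed in-memory directory; the entries, DNs, values and function names are assumptions made for the example. The set form mirrors `user/authorizedService & [site-admin]` (slapd's set syntax uses a slash to walk from the bound user's entry to one of its attributes, and grants the clause when the intersection is non-empty), which only needs the user's own entry. The dynamic group form needs every memberURL expanded against the directory, which is exactly the work a plain `by group=` lookup does not perform on a groupOfURLs.

```python
"""Model of the two ACL subjects from the post, evaluated over an
in-memory directory.  Added example: not code from the post and not
OpenLDAP code.  It imitates what slapd has to compute for
  by set="user/authorizedService & [site-admin]"
and for membership in a groupOfURLs via its memberURL.  All entries,
DNs and values below are constructed for the example."""
from urllib.parse import unquote

# Constructed directory content (not from the post).  Keys are
# lower-cased DNs; attribute names are compared case-insensitively.
DIRECTORY = {
    "uid=owen,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "posixAccount"],
        "uid": ["owen"],
        "authorizedService": ["site-admin", "shell"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "posixAccount"],
        "uid": ["bob"],
        "authorizedService": ["shell"],
    },
    "cn=site-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "groupOfURLs"],
        "cn": ["site-admins"],
        "memberURL": [
            "ldap:///ou=people,dc=example,dc=com??sub?(authorizedService=site-admin)"
        ],
    },
}


def normalize_dn(dn):
    """Lower-case and strip each RDN so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def values(entry, attr):
    """Values of an attribute, matched case-insensitively on the name."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def evaluate_set(user_dn, attr, literals):
    """Model of the set  user/<attr> & [literal ...] : the values of <attr>
    in the bound user's own entry intersected with the literal set.  slapd
    grants the clause when the result is non-empty; only one entry is read."""
    entry = DIRECTORY.get(normalize_dn(user_dn), {})
    return {v.lower() for v in values(entry, attr)} & {l.lower() for l in literals}


def set_grants_write(user_dn):
    return bool(evaluate_set(user_dn, "authorizedService", ["site-admin"]))


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four parts,
    applying the RFC 4516 defaults for the parts that are absent."""
    assert url.startswith("ldap://")
    _host, _, rest = url[len("ldap://"):].partition("/")
    parts = (rest.split("?", 3) + ["", "", ""])[:4]
    base, attrs, scope, flt = (unquote(p) for p in parts)
    return base, attrs.split(",") if attrs else [], scope or "base", flt or "(objectClass=*)"


def in_scope(dn, base, scope):
    """True when dn lies within base for scope base/one/sub."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    if scope == "base":
        return dn == base
    if dn == base:
        return scope == "sub"
    if not dn.endswith("," + base):
        return False
    rdn_part = dn[: -len(base) - 1]          # what sits above the base
    return scope == "sub" or "," not in rdn_part


def split_components(s):
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def match_filter(entry, flt):
    """Minimal RFC 4515 matcher: &, |, !, equality and presence only."""
    body = flt.strip()[1:-1]
    if body[0] in "&|":
        results = [match_filter(entry, sub) for sub in split_components(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    if body[0] == "!":
        return not match_filter(entry, body[1:])
    attr, _, value = body.partition("=")
    vals = values(entry, attr)
    if value == "*":
        return bool(vals)
    return value.lower() in {v.lower() for v in vals}


def dyngroup_members(group_dn):
    """Expand every memberURL of a groupOfURLs against the whole directory:
    the work a server-side expansion must do before a `by group=` clause
    could see the bound user as a member."""
    group = DIRECTORY.get(normalize_dn(group_dn), {})
    members = set()
    for url in values(group, "memberURL"):
        base, _attrs, scope, flt = parse_ldap_url(url)
        for dn, entry in DIRECTORY.items():
            if in_scope(dn, base, scope) and match_filter(entry, flt):
                members.add(dn)
    return members


if __name__ == "__main__":
    admins = dyngroup_members("cn=site-admins,ou=groups,dc=example,dc=com")
    for uid in ("owen", "bob"):
        dn = f"uid={uid},ou=people,dc=example,dc=com"
        print(dn, "set grants write:", set_grants_write(dn), "in dyngroup:", dn in admins)
```

Running it shows the constructed owen entry passing both checks and bob passing neither; the point of the model is that the set clause is decided from the bound user's entry alone, while the group clause depends on someone having expanded memberURL first.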