Re: ACL's and dynlist confusion

Ski Kacoroski wrote:
Howard Chu wrote:
Ski Kacoroski wrote:
My test account is a member of ldapadmins:

dn: cn=ldapadmins,ou=Groups,dc=nsd,dc=org
cn: ldapadmins
objectClass: nsdGroupOfMemberURLs
nsdGroupOwner: Technology
description: ldapadmins management group
memberURL: ldap:///ou=staff,ou=people,dc=nsd,dc=org??sub?(nsdGroups=ldapadmins)
gidNumber: 11011
member: uid=test2,ou=staff,ou=People,dc=nsd,dc=org

However, when I try to access an object:

Why is it asking for the groupOfNames objectClass? Do I have to add this objectClass to my schema for dynlists?

You have to read slapd.access(5) and understand how to properly specify a group ACL.

Ok, I went through this page and I am still missing something. I tried the following:

1. Changed ACL to:
access to *
    by group/nsdGroupOfMemberURLs/member="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org" write
    by * none

To get slapd to start, I had to change the schema definition to include member as an attribute so I am pretty sure this is not correct.

Since it appears you're trying to use a dynamic group, you should have used memberURL not member.

I also saw a brief message where you suggested using the set statement instead of groups because it would be more efficient, but could not get that to work either.

I would never have said any such thing. Sets are notoriously *in*efficient.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
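As an added illustration (not part of either poster's message), the ACL from the thread rewritten the way Howard describes: the group clause names the dynamic group's own objectClass and its URL-valued attribute, memberURL, rather than member. It assumes slapd.conf-style syntax and the cn=ldapadmins entry shown earlier in the thread.

```conf
# Posted form: slapd looks up static members in attribute "member",
# which nsdGroupOfMemberURLs does not carry, so the group never matches.
#access to *
#    by group/nsdGroupOfMemberURLs/member="cn=ldapadmins,ou=Groups,dc=nsd,dc=org" write
#    by * none

# Dynamic-group form: <objectclass>/<attrname> where attrname has URL
# syntax; slapd expands the ldap:/// URL (ou=staff subtree filtered on
# nsdGroups=ldapadmins) to decide membership at evaluation time.
access to *
    by group/nsdGroupOfMemberURLs/memberURL="cn=ldapadmins,ou=Groups,dc=nsd,dc=org" write
    by * none
```

The "by * none" fallback is kept from the original; when testing, bind as the test account and as a non-member to confirm each side of the rule behaves as expected before widening the "access to" target.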