
Re: ACL's and dynlist confusion

Howard Chu wrote:
Ski Kacoroski wrote:
My test account is a member of ldapadmins:

dn: cn=ldapadmins,ou=Groups,dc=nsd,dc=org
cn: ldapadmins
objectClass: nsdGroupOfMemberURLs
nsdGroupOwner: Technology
description: ldapadmins management group
memberURL: ldap:///ou=staff,ou=people,dc=nsd,dc=org??sub?(nsdGroups= ldapadmins
gidNumber: 11011
member: uid=test2,ou=staff,ou=People,dc=nsd,dc=org

However, when I try to access an object:

Why is it asking for the groupOfNames objectclass? Do I have to add this object class to my schema for dynlists?

You have to read slapd.access(5) and understand how to properly specify a group ACL.

Ok, I went through this page and I am still missing something. I tried the following:

1. Changed ACL to:
access to *
    by group/nsdGroupOfMemberURLs/member="cn=LdapAdmins,ou=Groups,dc=nsd,dc=org" write
    by * none

To get slapd to start, I had to change the schema definition to include member as an attribute so I am pretty sure this is not correct.

I also saw a brief message where you suggested using the set statement instead of groups because it would be more efficient, but could not get that to work either.

Appreciate any pointers you can provide.



"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, ski@nsd.org, 206-501-9803
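
Added example, not part of the original message or of OpenLDAP: a small Python check that splits a `group[/<objectclass>[/<attrname>]][.<style>]=<dn>` who-clause as described in slapd.access(5), applies the documented defaults (`groupOfNames` and `member`), and compares the result with the group entry posted above. The function names, the case-folding DN comparison, and the bare `group=` clause used in the test are assumptions for illustration; the check looks only at the entry, not at the loaded schema.

```python
import re

# Defaults slapd.access(5) documents when the who-clause omits them.
DEFAULT_OC, DEFAULT_ATTR = "groupOfNames", "member"

WHO_RE = re.compile(
    r'^group(?:/(?P<oc>[^/.=]+)(?:/(?P<attr>[^/.=]+))?)?'
    r'(?:\.(?P<style>[A-Za-z]+))?="?(?P<dn>[^"]+)"?$')

def parse_group_who(clause):
    """Split group[/<objectclass>[/<attrname>]][.<style>]=<dn> into parts."""
    m = WHO_RE.match(clause.strip())
    if not m:
        raise ValueError("not a group who-clause: %r" % clause)
    return {"oc": m.group("oc") or DEFAULT_OC,
            "attr": m.group("attr") or DEFAULT_ATTR,
            "style": m.group("style"),  # None when no style is given
            "dn": m.group("dn")}

def parse_ldif_entry(text):
    """Tiny single-entry LDIF reader: lowercased attribute name -> values."""
    entry = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_group_acl(clause, entry):
    """Return mismatches between the ACL who-clause and the group entry."""
    who, problems = parse_group_who(clause), []
    # Assumption: DNs are compared by simple case folding only.
    if who["dn"].lower() != entry["dn"][0].lower():
        problems.append("DN does not match this entry")
    ocs = [v.lower() for v in entry.get("objectclass", [])]
    if who["oc"].lower() not in ocs:
        problems.append("entry lacks objectClass %s" % who["oc"])
    if who["attr"].lower() not in entry:
        problems.append("entry has no %s values" % who["attr"])
    return problems

# Group entry as posted in the message (memberURL and other lines omitted).
GROUP_LDIF = """\
dn: cn=ldapadmins,ou=Groups,dc=nsd,dc=org
cn: ldapadmins
objectClass: nsdGroupOfMemberURLs
member: uid=test2,ou=staff,ou=People,dc=nsd,dc=org
"""
```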