Re: Recursive access control for groups
<quote who="Alina Dubrovska">
> Thank you for the reply and the suggestion about support services!
> However, I'm hoping that somebody from the list is familiar with the
> sets syntax for defining an ACL and would be able to determine if an ACL like
> this is correct:
> access to attrs=employeeType,employeeNumber
>     by self write
>     by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
>     by * read
Switch on ACL debugging and run slapd by hand to check.
> So, we have a parent group (groupOfUniqueNames, "System Administrator")
> all members should be granted access permission to modify specific
> attributes. Then we need to have ability to add new child groups in
> so that all child group members would be automatically granted the same
> of permissions as parent group. Without modifying slapd.conf and
> server of course.
> Probably there is some important nuance with sets syntax or maybe there is
> any other alternative solution?
> Because as I mentioned, with stated ACL we have performance issues on one
> OpenLDAP instance and fatal crash on another...
Sets are somewhat experimental.
Well, crashes shouldn't happen, so that should be a bug report via
Please read http://www.openldap.org/doc/admin24/troubleshooting.html for
submitting proper bug reports.
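
An added example, not part of the original message and not OpenLDAP's code: a simplified Python model of how a clause like `[group DN]/uniqueMember* & user` resolves nested groups, including a membership loop, and how many entry reads one evaluation costs. The child groups, users and the `norm`, `expand` and `set_grants` helpers are constructed for illustration; only the parent group DN comes from the thread.

```python
# Simplified model of how a set such as
#   set="[<group DN>]/uniqueMember* & user"
# is evaluated. Not slapd's code; all entries below are constructed.

PARENT = "cn=System Administrator,ou=groups,dc=domain,dc=com"  # DN from the thread


def norm(dn):
    """Crude DN normalisation (assumption: no escaped commas in the DNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed directory: entry DN -> uniqueMember values.
RAW = {
    PARENT: ["uid=alice,ou=people,dc=domain,dc=com",
             "cn=DBA,ou=groups,dc=domain,dc=com"],
    "cn=DBA,ou=groups,dc=domain,dc=com": [
        "uid=bob,ou=people,dc=domain,dc=com",
        "cn=Oncall,ou=groups,dc=domain,dc=com"],
    "cn=Oncall,ou=groups,dc=domain,dc=com": [
        "uid=carol,ou=people,dc=domain,dc=com",
        PARENT],  # accidental loop back to the parent group
}
DIRECTORY = {norm(k): [norm(v) for v in vs] for k, vs in RAW.items()}


def expand(group_dn):
    """Return (closure of group_dn/uniqueMember*, number of entry reads)."""
    members, pending, reads = set(), [norm(group_dn)], 0
    fetched = set()
    while pending:
        dn = pending.pop()
        if dn in fetched:          # already dereferenced: this is what stops loops
            continue
        fetched.add(dn)
        reads += 1                 # every value is read; user entries just have no members
        for value in DIRECTORY.get(dn, []):
            members.add(value)
            pending.append(value)
    return members, reads


def set_grants(user_dn, group_dn=PARENT):
    """'& user': the clause matches when the intersection is non-empty."""
    members, _ = expand(group_dn)
    return norm(user_dn) in members


if __name__ == "__main__":
    for uid in ("alice", "carol", "dave"):
        print(uid, set_grants(f"uid={uid},ou=people,dc=domain,dc=com"))
    print("entry reads per evaluation:", expand(PARENT)[1])
```

In this model the read count grows with the total number of direct and nested members, and the expansion is repeated for each access check that reaches the `set` clause.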