[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Recursive access control for groups

<quote who="Alina Dubrovska">
> Gavin,
> Thank you for reply and suggestion about support services!
> However, I'm looking forward that somebody from the list is familiar with
> sets syntax for defining an ACL and would be able to determine if ACL like
> this is correct:
> *access to attrs=employeeType,employeeNumber
>         by self write
>         by set="[cn=System
> Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
>         by * read*

Switch on ACL debugging and run slapd by hand to check.

> So, we have a parent group (groupOfUniqueNames, "System Administrator")
> and
> all members should be granted access permission to modify specific
> attributes. Then we need to have ability to add new child groups in
> runtime,
> so that all child group members would be automatically granted the same
> set
> of permissions as parent group. Without modifying slapd.conf and
> restarting
> server of course.
> Probably there is some important nuance with sets syntax or maybe there is
> any another alternative solution?
> Because as I mentioned, with stated ACL we have performance issues on one
> OpenLDAP instance and fatal crash on another...

Sets are somewhat experimental.

Well crashes shouldn't happen, so that should be a bug report via

Please read http://www.openldap.org/doc/admin24/troubleshooting.html for
submitting proper bug reports.