Re: Recursive ACL entries (group member of group)



> Hi,
> 
> This can be achieved using ACL sets. There is in fact an example of
> exactly this use case in the admin guide!
>> http://www.openldap.org/doc/admin24/access-control.html#Sets -
>> Granting rights based on relationships
> 
> It is noted in the documentation that sets are experimental. Just to add
> a word onto that, I use sets in several production environments, and
> have absolutely no stability problems.
> 
> However, depending on the sets you use, the performance hit can be
> important (sets can fire off thousands of search requests just to
> evaluate one ACL, if they're badly written). Also, ACLs with sets are
> not cached.
> 
> Hope this helps,
> Jonathan

Thanks a lot!
This should work. But unfortunately it does not :-(

My ACL looks like this now:

access to dn.sub="ou=agents,dc=myDomain"
        filter=(objectclass=person)
        by set="[cn=UserManagement,ou=rights,dc=myDomain]/member*" write
        by self read


cn=Test,ou=agents,dc=myDomain
is a member of
cn=supervisor,ou=groups,dc=myDomain
which is a member of
cn=UserManagement,ou=rights,dc=myDomain

Test has write access to all other agents. But he still has the right
when I remove cn=supervisor... from the Usermanagement group.

Any idea why? How can I debug ACLs? Is it possible to print info or do
something like setting breakpoints?


Jan
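Added illustration, not part of either message above: a set clause grants access whenever the computed set is non-empty, so `[...]/member*` on its own is satisfied for any bound user as long as the group has at least one (nested) member. The admin guide's "Granting rights based on relationships" example intersects the closure with `user`, the requester's DN; the fragment below shows the posted clause beside that form, plus the slapd.conf `loglevel` keyword and a `slapacl` invocation for checking a single access decision offline (the target DN `cn=Other,...` is a constructed placeholder).

```conf
# Posted form: the set is every direct or nested member of UserManagement.
# It is non-empty for whoever binds, so everyone matching the filter gets write.
#access to dn.sub="ou=agents,dc=myDomain"
#        filter=(objectclass=person)
#        by set="[cn=UserManagement,ou=rights,dc=myDomain]/member*" write
#        by self read

# Intersected with "user": the set is non-empty only when the bound DN itself
# appears in the transitive closure of member (direct or via nested groups).
access to dn.sub="ou=agents,dc=myDomain"
        filter=(objectclass=person)
        by set="[cn=UserManagement,ou=rights,dc=myDomain]/member* & user" write
        by self read

# Log each ACL evaluation (same as loglevel 128) to see which clause fires.
loglevel acl

# Offline check with the same config, no running slapd needed
# (cn=Other is a placeholder entry under ou=agents):
#   slapacl -f /etc/openldap/slapd.conf -v \
#       -D "cn=Test,ou=agents,dc=myDomain" \
#       -b "cn=Other,ou=agents,dc=myDomain" "cn/write"
```

Re-run the `slapacl` check after removing cn=supervisor from UserManagement; with the intersected form the verdict for cn=Test should flip from write to denied.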