[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Recursive ACL entries (group member of group)

> Hi,
> This can be acheived using ACL sets. There is in fact an example of
> exactly this use case in the admin guide!
>> http://www.openldap.org/doc/admin24/access-control.html#Sets -
>> Granting rights based on relationships
> It is noted in the documentation that sets are experimental. Just to add
> a word onto that, I use sets in several production environments, and
> have absolutely no stability problems.
> However, depending on the sets you use, the performance hit can be
> important (sets can fire off thousands of search requests just to
> evaluate one ACL, if they're badly written). Also, ACLs with sets are
> not cached.
> Hope this helps,
> Jonathan

Thanks a lot!
This should work. But unfortunately it does not :-(

My ACL looks like this now:

access to dn.sub="ou=agents,dc=myDomain"
        by set="[cn=UserManagement,ou=rights,dc=myDomain]/member*" write
        by self read

is a member of
which is a member of

Test has write access to all other agents. But he still has the right
when I remove cn=supervisor... from the Usermanagement group.

Any idea why? How can I debug ACLs? Is it possible so print infos or do
something like setting breakpoints?