[Date Prev][Date Next] [Chronological] [Thread] [Top]

access control for opattrs (memberof overlay)

To: openldap-technical@openldap.org
Subject: access control for opattrs (memberof overlay)
From: Peter Schober <peter.schober@univie.ac.at>
Date: Wed, 6 Apr 2011 16:48:20 +0200
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=univie.ac.at; s=rev2; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date; bh=w21/euMkzCH+rbmO7c5PEvhweUY0N/jDokm+TbJP8PY=; b=Gs6t7CRHxpRxi2zUmi03vfkKaWUGXUfd0yRZak4KAwj0rHTAQ29Yqh6rVxKpk9u4hfnxICFflnF6UCTfqm6yJQMM9nV4yDJQQd2ZTn9+MHItYihqLSVB8vYGhG8+FTYGqrbm6/mG7llBGJL4KxAoSIQOaWfOgJAljOwE2vVKx+c=;
Mail-followup-to: openldap-technical@openldap.org
Organization: Vienna University Computer Center
User-agent: Mutt

How do I control access to operational attributes, in this case
memberOf by the eponymous overlay? While I can put an index on
'memberOf' I can't seem to use it in an <attrlist> as part of an ACL:

  unknown attr "memberOf" in to clause

(This is on 2.4.22 with all default settings for the memberof overlay
and on a syncrepl consumer. The Changelog up to 2.4.25 does not show
relevant issues from ITS, AFAICT.)

Neither the slapd.access man page, FAQ or admin guide were of help wrt
controlling access to operational attributes (but I may have
overlooked something).
(I also tried giving access to the 'entry' pseudo attribute, which
didn't change the behaviour).

How then are people controlling access to group memberships as
provided by the memberof overlay?

cheers,
-peter

Follow-Ups:
- Re: access control for opattrs (memberof overlay)
  - From: Marc Patermann <hans.moser@ofd-z.niedersachsen.de>

Prev by Date: Re: fedora and openldap
Next by Date: slapo-accesslog
Index(es):
- Chronological
- Thread