[Date Prev][Date Next]
Re: ACLs using dynlist overlay
Michael Ströder wrote:
Dear collected list wisdom,
I'm trying to set up access control using membership in a dynamic list.I've activated the dynlist overlay and configured it like this:
olcDlAttrSet: groupOfURLs memberURL member
and installed an ACL:
olcAccess: to dn.regex=".+,<some base>"
by self read
by group/groupOfURLs/member="<group DN>" search
Browsing the directory I can see the member attributes being added to the
group, but testing access with slapacl I encounter the following error:54ef3976 => bdb_entry_get: found entry: "<group DN>"
54ef3976 <= bdb_entry_get: failed to find attribute member
What am I doing wrong?
In general, overlays don't take effect for the offline tools, they only function in slapd itself.
N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
It's important to understand that dynlist overlay generates attribute 'member'
on the fly when it's read. Did you read section AUTHORIZATION in slapo-dynlist(5)?
Maybe running this as a CRON job is better for your needs:
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/