Re: ACLs using dynlist overlay
On Monday, 02 March 2015 18:49 CET, Michael Ströder <firstname.lastname@example.org> wrote:
> Mattes wrote:
> > Dear collected list wisdom,
> > I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
> > olcDlAttrSet: groupOfURLs memberURL member
> > and installed an ACL:
> > olcAccess: to dn.regex=".+,<some base>"
> > by self read
> > by group/groupOfURLs/member="<group DN>" search
> > Browsing the directory I can see the member attributes being added to the
> > group, but testing access with slapacl I encounter the following error:
> > 54ef3976 => bdb_entry_get: found entry: "<group DN>"
> > 54ef3976 <= bdb_entry_get: failed to find attribute member
> > What am I doing wrong?
> > N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
> It's important to understand that dynlist overlay generates attribute 'member'
> on the fly when it's read.
I understand. But, to my understanding, both group/objectclass/attrname acls
and set/... acls need to fetch the attributes to do the comparison/set intersection.
> Did you read section AUTHORIZATION in slapo-dynlist(5)?
Yes, I did read that manpage. What are you hinting at? The attribute used
in the filter part of the LDAP URL to populate the dyngroup is readable by all (verified
> Maybe running this as a CRON job is better for your needs:
Hmm - why? What does this script do that the autogroup can't handle?
Thanks, Ralf Mattes
> Ciao, Michael.
> E-Mail: email@example.com