mbackes@symas.com wrote:
The reason is quite simple: set expansion uses the rewritten DN as the user's name, so a local lookup of the entry "cn=user,dc=remote" fails since no local database serves the naming context "dc=remote". The root cause is that back-ldap binds as the rewritten DN, which is later stored as the real identity. I think this was done on purpose, and is to some extent appropriate, but makes the type of ACL you want to design basically impossible. A solution would be to make slapo-rwm intercept successful binds (in the cleanup callback) and rewrite back the bound DN into the virtual naming context. I'll see if it is possible, but then we need to decide whether this is the desired behavior. Otherwise, we'd need to have two o_ndn fields: the real DN and the real-real DN.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando@sys-net.it -----------------------------------