Hello list.
I'm a happy user of the dynlist overlay, which I use to make my unix users
members of their unix primary group:
# admins, groups, msr-inria.inria.fr
dn: cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr
objectClass: groupOfURLs
objectClass: posixGroup
gidNumber: 5000
memberURL: ldap:///ou=users,dc=msr-inria,dc=inria,dc=fr??sub?(gidNumber=5000)
cn: admins
With this configuration:
# dynamic groups
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
However, I'm facing two issues here.
The first is that the dynlist overlay only accepts a single configuration
directive for the whole base, which prevents mapping the request URL
differently depending on the context. In my previous example, I need to map
the URL as DN, because I'm dynamically building a group from users. If I
wanted to build a group from another group, my URL would have been
something like:
ldap:///ou=group,dc=msr-inria,dc=inria,dc=fr?member?sub?(cn=users)
and the configuration directive would instead have been:
dynlist-attrset groupOfURLs memberURL
It would be nice to handle the overlay differently there.
The second issue is that ACLs seem to ignore this dynamic group:
# admins
access to dn.subtree="dc=msr-inria,dc=inria,dc=fr"
    by group="cn=admins,ou=groups,dc=msr-inria,dc=inria,dc=fr" write
    by * break
This worked with a static group, but it doesn't work anymore with a dynamic
one such as the one I just presented.
I'm using OpenLDAP 2.4.11. Should I open an ITS for those issues?
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
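
Added example (not part of the original message, and not OpenLDAP code): a simplified Python model of the two memberURL expansion modes described above, run over constructed entries. The sample entries, the function names and the single-equality filter matching are assumptions made for illustration.

```python
from urllib.parse import unquote

BASE = "dc=msr-inria,dc=inria,dc=fr"
# Constructed sample entries, not taken from the poster's directory.
ENTRIES = {
    f"uid=alice,ou=users,{BASE}": {"uid": ["alice"], "gidNumber": ["5000"]},
    f"uid=bob,ou=users,{BASE}": {"uid": ["bob"], "gidNumber": ["5001"]},
    f"cn=users,ou=group,{BASE}": {"cn": ["users"],
                                  "member": [f"uid=bob,ou=users,{BASE}"]},
}

def parse_member_url(url):
    """Split a host-less ldap:///base?attrs?scope?filter URL (RFC 4516)."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    fields = (url[len("ldap:///"):].split("?") + ["", "", ""])[:4]
    base, attrs, scope, filt = (unquote(f) for f in fields)
    return {"base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": filt}

def search(u):
    """Yield (dn, entry) in scope that match one (attr=value) filter.
    An empty filter matches every entry, like the default (objectClass=*)."""
    attr, _, value = u["filter"].strip("()").partition("=")
    base = u["base"].lower()
    for dn, entry in ENTRIES.items():
        below = u["scope"] == "sub" and dn.lower().endswith("," + base)
        if (dn.lower() == base or below) and (
                not u["filter"] or value in entry.get(attr, [])):
            yield dn, entry

def expand(url, member_ad=None):
    """Return the attributes the expansion would add to the group entry."""
    u, added = parse_member_url(url), {}
    for dn, entry in search(u):
        if member_ad:          # "memberURL member": matched DNs become members
            added.setdefault(member_ad, []).append(dn)
        else:                  # "memberURL" alone: copy the URL's attributes
            for a in u["attrs"] or entry:   # RFC 4516: none listed means all
                added.setdefault(a, []).extend(entry.get(a, []))
    return added

USERS_URL = f"ldap:///ou=users,{BASE}??sub?(gidNumber=5000)"
GROUP_URL = f"ldap:///ou=group,{BASE}?member?sub?(cn=users)"
if __name__ == "__main__":
    print(expand(USERS_URL, "member"))  # DN mode, first configuration
    print(expand(GROUP_URL))            # attribute mode, second configuration
```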