On Friday 16 March 2007, Bernhard D Rohrer wrote:
hi folks
I have the following ACL for my groups:
# Access to groups addressbooks
# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
    by dn.regex="cn=admin,dc=graylion,dc=net" write
    by users none

# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the entries' ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
    by users none

# ... and the entries' CHILDREN access
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=children
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
    by users none
the LDIF of one of my groups is:
dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
cn: GraylionEnterprises
gidNumber: 7
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: ...
objectClass: top
objectClass: posixGroup
and the log shows this error:
Mar 15 17:20:27 diskslave slapd[6657]: => bdb_entry_get: found entry: "cn=graylionenterprises,ou=groups,dc=graylion,dc=net"
Mar 15 17:20:27 diskslave slapd[6657]: <= bdb_entry_get: failed to find objectClass
while eGW shows this error:
Error saving the contact !!! Insufficient access: so_ldap: 503
what is wrong? Anybody have any ideas?
You can't use a posixGroup (where the member attribute values are non-DN-valued) for ACLs without sets.
Either use a groupOfNames with member attribute (which contains the dn of the member, not the uid), or use sets (I believe there is an example on the FAQ-o-matic).
Regards, Buchan
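The two alternatives Buchan describes, written out as an added slapd.conf example (this is not Buchan's or Bernhard's configuration, and the "failed to find objectClass" line above is exactly what group.expand= produces when it looks for a groupOfNames and finds a posixGroup). The DNs under ou=shared and ou=groups are taken from the question; "ou=people" as the location of user entries and the use of dn.exact for the admin account are assumptions.

```conf
# Option A: keep posixGroup (memberUid = uid string) and test membership with a set.
#   "[dn]/memberUid" reads the memberUid values of the group entry named by $1,
#   "user/uid" reads the uid attribute of the bound user's own entry,
#   "&" intersects the two; a non-empty result means "is a member".
# The bound DN must therefore be a real entry in the DIT that carries a uid.
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
    attrs=entry
    by set.expand="[cn=$1,ou=groups,dc=graylion,dc=net]/memberUid & user/uid" read
    by dn.exact="cn=admin,dc=graylion,dc=net" write
    by users none

# Same subject, applied to the container's children attribute and to the
# contact entries themselves (the regex is deliberately not anchored with ^,
# so it matches "cn=contact,cn=Group,ou=shared,..." as well as the container).
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
    attrs=entry,children,@inetOrgPerson,@mozillaAbPersonAlpha
    by set.expand="[cn=$1,ou=groups,dc=graylion,dc=net]/memberUid & user/uid" write
    by users none

# Option B: convert the groups to groupOfNames, whose member attribute holds
# full DNs, e.g. (assumed location) member: uid=user1,ou=people,dc=graylion,dc=net
# group.expand= defaults to objectClass groupOfNames / attribute member, so the
# ACLs from the question then work unchanged; the explicit form is:
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
    attrs=entry,children,@inetOrgPerson,@mozillaAbPersonAlpha
    by group/groupOfNames/member.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
    by users none
```

Two things worth checking before deploying either variant. First, slapd stops at the first "by" clause whose subject matches, so "by users none" must stay last, and the more specific "attrs=entry" rule for the container must come before the broader one, as above. Second, verify the result offline with slapacl rather than by watching eGroupWare fail, for example `slapacl -f /etc/ldap/slapd.conf -D "uid=user1,ou=people,dc=graylion,dc=net" -b "cn=GraylionEnterprises,ou=shared,ou=contacts,dc=graylion,dc=net" children/write` (paths and DNs assumed), which prints whether that bound identity is granted the requested access without touching the running server. With Option A, anyone who can write memberUid on the group, or uid on a user entry, can grant addressbook access, so those attributes need ACLs at least as strict as the addressbooks themselves.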