Bernhard D Rohrer graylion@sm-wg.net writes:
hi folks
I have the following ACL for my groups:
# Access to groups addressbooks
# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
    by dn.regex="cn=admin,dc=graylion,dc=net" write
    by users none

# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
    by users none

# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=children
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
    by users none
the LDIF of one of my groups is:
dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
cn: GraylionEnterprises
gidNumber: 7
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: ...
objectClass: top
objectClass: posixGroup
and the log shows this error:
Mar 15 17:20:27 diskslave slapd[6657]: => bdb_entry_get: found entry: "cn=graylionenterprises,ou=groups,dc=graylion,dc=net"
Mar 15 17:20:27 diskslave slapd[6657]: <= bdb_entry_get: failed to find objectClass
See man slapd.access(5): the dn style group expects objectclass groupOfNames as default. If you use other object classes, you have to define these, something like 'by group/posixGroup/memberUid'. If you use posixGroup it might be necessary to map the memberUid attribute value to a dn.
-Dieter
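To make the two points in this thread concrete (the default `group` clause looks for `groupOfNames`/`member`, which is why slapd logs "failed to find objectClass" on a `posixGroup`; and switching to `group/posixGroup/memberUid` still cannot match because `memberUid` holds uid strings, not DNs), here is a small added Python checker. It is not code from the thread or from OpenLDAP; it only models the objectClass and member-attribute rules described in slapd.access(5), does not perform the `$1` expansion, and uses a simplified LDIF and DN parser. The `groupOfNames` record, the `ou=people` bound DNs and the `CLAUSE_*` strings are constructed for the example.

```python
"""Check whether a group entry can satisfy a slapd `by group` ACL clause.

Added example modelling the rules from slapd.access(5): `group[/<objectClass>[/<attr>]]`
defaults to groupOfNames/member, the group entry must carry that objectClass,
and the member attribute values must be DNs for a bound user's DN to match.
"""
import re

# Constructed LDIF records. The posixGroup mirrors the thread's entry; the
# groupOfNames variant and the ou=people DNs are hypothetical.
POSIX_GROUP_LDIF = """\
dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
cn: GraylionEnterprises
gidNumber: 7
memberUid: user1
memberUid: user2
objectClass: top
objectClass: posixGroup
"""

GROUP_OF_NAMES_LDIF = """\
dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net
cn: GraylionEnterprises
member: uid=user1,ou=people,dc=graylion,dc=net
member: uid=user2,ou=people,dc=graylion,dc=net
objectClass: top
objectClass: groupOfNames
"""

# Constructed <who> clauses: the thread's default-style clause and the fix Dieter suggests.
CLAUSE_DEFAULT = 'group.expand="cn=$1,ou=groups,dc=graylion,dc=net"'
CLAUSE_POSIX = 'group/posixGroup/memberUid="cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net"'

# Simplified DN shape: attr=value pairs separated by commas (no escaped commas).
DN_RE = re.compile(r"^([A-Za-z][\w-]*=[^,]+)(,[A-Za-z][\w-]*=[^,]+)*$")


def parse_ldif_entry(text):
    """Parse one LDIF record into {attr_lower: [values]} (no folding, no base64)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_group_clause(who):
    """Split `group[.style][/objectClass[/attr]]="<dn>"` into (objectclass, attr, dn).

    Missing objectClass/attr fall back to groupOfNames/member, as slapd.access(5) states.
    """
    m = re.match(r'group(?:\.\w+)?(?:/([^/="]+)(?:/([^="]+))?)?="([^"]*)"', who)
    if not m:
        raise ValueError("not a group clause: %r" % who)
    oc, attr, dn = m.groups()
    return (oc or "groupOfNames").lower(), (attr or "member").lower(), dn


def group_grants(who, entry, bound_dn):
    """Evaluate one `by group...` clause against a parsed group entry and a bound DN.

    Returns (granted, reason). The three failure modes are the ones a
    misconfigured posixGroup-based ACL runs into in practice.
    """
    oc, attr, _ = parse_group_clause(who)
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if oc not in classes:
        # This is the situation behind "bdb_entry_get: failed to find objectClass".
        return False, "objectClass %s not found on group entry" % oc
    values = entry.get(attr, [])
    if not values:
        return False, "attribute %s absent from group entry" % attr
    non_dn = [v for v in values if not DN_RE.match(v)]
    if non_dn:
        # memberUid holds login names; slapd compares DNs, so nothing can ever match.
        return False, "%s holds non-DN values (%s); a bound DN can never match" % (
            attr, ", ".join(non_dn[:3]))
    # Case-insensitive string compare stands in for real DN normalisation.
    granted = bound_dn.lower() in [v.lower() for v in values]
    return granted, "DN comparison"


if __name__ == "__main__":
    bound = "uid=user1,ou=people,dc=graylion,dc=net"
    for label, ldif, clause in (
        ("posixGroup, default clause", POSIX_GROUP_LDIF, CLAUSE_DEFAULT),
        ("posixGroup, group/posixGroup/memberUid", POSIX_GROUP_LDIF, CLAUSE_POSIX),
        ("groupOfNames, default clause", GROUP_OF_NAMES_LDIF, CLAUSE_DEFAULT),
    ):
        print(label, "->", group_grants(clause, parse_ldif_entry(ldif), bound))
```

Running it walks through the thread's configuration in order: the default clause fails on the missing `groupOfNames` class, the `group/posixGroup/memberUid` form fails because the values are not DNs, and only a `groupOfNames` entry whose `member` values are full DNs grants access to the matching bound DN. When auditing an existing ACL set, the same check applied to every `by group` clause quickly shows which clauses can never grant anything (harmless) and, more importantly, which fall through to a later `by users` or `by *` clause that grants more than intended.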