Hi
I am trying to grant users access to a group by their group membership. Because the groups are posixGroups and not groupOfNames I have tried the following ACLs according to (running openldap-2.3.27-5)
http://www.openldap.org/faq/data/cache/1133.html and http://www.mail-archive.com/openldap-software@openldap.org/msg08524.html
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user" write by * none
or
by set="user/uid & [cn=Domain Admins,ou=Groups,dc=byn,dc=drv]/memberUid" write
The group has the following members
dn: cn=Domain Admins,ou=Groups,dc=byn,dc=drv
memberUid: NetAdmin1
memberUid: Netadmin5
memberUid: NT_IEXPLORE
memberUid: Siadmin
memberUid: Netadmin3
memberUid: NT_FSecure
but a search as uid=Netadmin3,ou=Users,dc=byn,dc=drv
does not succeed.
Here are the logs
Oct 26 12:41:11 master slapd[18574]: => access_allowed: search access to "cn=Domain Admins,ou=Groups,dc=byn,dc=drv" "cn" requested
Oct 26 12:41:11 master slapd[18574]: => dn: [3] cn=domain admins,ou=groups,dc=byn,dc=drv
Oct 26 12:41:11 master slapd[18574]: => acl_get: [3] matched
Oct 26 12:41:11 master slapd[18574]: => acl_get: [3] attr cn
Oct 26 12:41:11 master slapd[18574]: => acl_mask: access to entry "cn=Domain Admins,ou=Groups,dc=byn,dc=drv", attr "cn" requested
Oct 26 12:41:11 master slapd[18574]: => acl_mask: to value by "uid=netadmin3,ou=users,dc=byn,dc=drv", (=0)
Oct 26 12:41:11 master slapd[18574]: <= check a_set_pat: ([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user
Oct 26 12:41:11 master slapd[18574]: >>> dnNormalize: <cn=domain admins,ou=groups,dc=byn,dc=drv>
Oct 26 12:41:11 master slapd[18574]: <<< dnNormalize: <cn=domain admins,ou=groups,dc=byn,dc=drv>
Oct 26 12:41:11 master slapd[18574]: <= check a_dn_pat: *
Oct 26 12:41:11 master slapd[18574]: <= acl_mask: [2] applying none(=0) (stop)
Oct 26 12:41:11 master slapd[18574]: <= acl_mask: [2] mask: none(=0)
Oct 26 12:41:11 master slapd[18574]: => access_allowed: search access denied by none(=0)
If I use something simple like by set="([uid=] + user/uid + [,ou=users,dc=byn,dc=drv]) & user " write in order to test if by set works, the search works
Oct 26 12:35:45 master slapd[18488]: => acl_mask: to value by "uid=netadmin3,ou=users,dc=byn,dc=drv", (=0)
Oct 26 12:35:45 master slapd[18488]: <= check a_set_pat: ([uid=] + user/uid + [,ou=users,dc=byn,dc=drv]) & user
Oct 26 12:35:45 master slapd[18488]: >>> dnNormalize: <uid=netadmin3,ou=users,dc=byn,dc=drv>
Oct 26 12:35:45 master slapd[18488]: <<< dnNormalize: <uid=netadmin3,ou=users,dc=byn,dc=drv>
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: ndn: "uid=netadmin3,ou=users,dc=byn,dc=drv"
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: oc: "(null)", at: "uid"
Oct 26 12:35:45 master slapd[18488]: bdb_dn2entry("uid=netadmin3,ou=users,dc=byn,dc=drv")
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: found entry: "uid=netadmin3,ou=users,dc=byn,dc=drv"
Oct 26 12:35:45 master slapd[18488]: bdb_entry_get: rc=0
Oct 26 12:35:45 master slapd[18488]: <= acl_mask: [1] applying write(=wrscxd) (stop)
Oct 26 12:35:45 master slapd[18488]: <= acl_mask: [1] mask: write(=wrscxd)
Oct 26 12:35:45 master slapd[18488]: => access_allowed: read access granted by write(=wrscxd)
Oct 26 12:35:45 master slapd[18488]: conn=0 op=1 ENTRY dn="cn=domain admins,ou=groups,dc=byn,dc=drv"
It seems that the ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid is not expanded to all members. I have tried several cases (Groups or groups) with no success.
Is this the correct way of using posixGroups for LDAP ACLs? If not, what is the right way? If yes, what am I doing wrong?
greetings
hansjörg
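An added illustration, not code from the post or from OpenLDAP: this models the set semantics the linked FAQ describes for the expression `([uid=] + [<group dn>]/memberUid + [,ou=users,dc=byn,dc=drv]) & user`, using the group entry quoted above as constructed input. It builds the DN set that the memberUid dereference is expected to yield, normalizes it the way the `dnNormalize` lines in the log suggest (lower-case, no spaces after commas), and intersects it with the bind DN. The result is the reference expectation for the ACL; whether slapd 2.3.27 actually performs the attribute dereference this way is what the log has to confirm, so the `normalize_dn` approximation and the prefix/suffix parameters are assumptions of this model.

```python
# Constructed input: the posixGroup entry quoted in the post.
GROUP_LDIF = """dn: cn=Domain Admins,ou=Groups,dc=byn,dc=drv
memberUid: NetAdmin1
memberUid: Netadmin5
memberUid: NT_IEXPLORE
memberUid: Siadmin
memberUid: Netadmin3
memberUid: NT_FSecure
"""


def parse_ldif_entry(text):
    """Parse a single, unfolded LDIF entry into {attr_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Assumption: approximate slapd's dnNormalize for this schema by
    lower-casing each RDN and dropping whitespace around commas."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def member_dn_set(entry, prefix="uid=", suffix=",ou=users,dc=byn,dc=drv"):
    """Model of  [prefix] + entry/memberUid + [suffix]: one DN per memberUid
    value, normalized. prefix/suffix are the literals from the ACL in the post."""
    return {normalize_dn(prefix + uid + suffix) for uid in entry.get("memberuid", [])}


def set_grants(entry, bind_dn):
    """Model of the trailing '& user': the set is non-empty after intersecting
    with the one-element set {user}, so the 'by set=...' clause matches."""
    return bool(member_dn_set(entry) & {normalize_dn(bind_dn)})


if __name__ == "__main__":
    group = parse_ldif_entry(GROUP_LDIF)
    for dn in sorted(member_dn_set(group)):
        print(dn)
    for bind_dn in ("uid=Netadmin3,ou=Users,dc=byn,dc=drv",
                    "uid=nobody,ou=Users,dc=byn,dc=drv"):
        print(bind_dn, "->", "write" if set_grants(group, bind_dn) else "none")
```

Running it lists the six DNs the expression should expand to and shows the bind DN from the post matching despite the differing case, which is the expected outcome to compare against the `acl_mask` lines slapd emits for the same bind.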