Quanah pointed out we're running a pretty old version, which could be the culprit. I know + signs in sets aren't supported. I'm slightly less than enthusiastic about upgrading since we rely on LDAP+Samba groups. It's been a few years since I slogged through that implementation, but it may be time to revisit.
Cheers, Jason
On 10/26/07, Donn Cave donn@u.washington.edu wrote:
On Oct 26, 2007, at 1:42 PM, Jason Dearborn wrote:
Ack.
Just found this: http://www.openldap.org/lists/openldap-software/200710/msg00343.html and this: http://www.mail-archive.com/openldap-software@openldap.org/msg08524.html
Looks like other people are trying to work with posixGroups as well.
Well, you see a lot of weird things on the web. I wouldn't take this too seriously.
I have not used posixGroup - we use groupOfNames, just like everyone else except the posixGroup heretics and the groupOfUniqueName heretics. But as far as I know, any of these works the same, and your syntax is right.
If you can turn debugging up on a test service, you can watch the whole authorization thing happen in gory detail. This may uncover an issue that has nothing to do with choice of group schema - like, you're getting stuck on another authorization in the configuration, or your member values don't actually match the authenticated names as intended, etc. I would look at that before giving up on your schema, if you have some other reason to need posixGroup. (If you don't, of course, groupOfNames is the Right Way!)
Donn Cave, donn@u.washington.edu
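For reference, here is an added slapd.conf fragment (not from either poster or from the OpenLDAP project) showing the two group styles discussed above side by side, plus the loglevel that makes ACL evaluation visible on a test server. The base DNs, group names and attribute values are placeholders; `set` handling is version-dependent, which is why the older server mentioned at the top of the thread matters.

```conf
# Log ACL processing (keyword "acl", numeric 128) so each "by" clause
# can be watched as it is evaluated on a test slapd.
loglevel acl

# groupOfNames: "member" holds full DNs, so the group clause matches the
# bound DN directly.  Assumed DNs are placeholders.
access to dn.subtree="ou=people,dc=example,dc=com"
    by group/groupOfNames/member="cn=admins,ou=groups,dc=example,dc=com" write
    by self write
    by * read

# posixGroup: "memberUid" holds bare uids, not DNs, so a group clause cannot
# match the bound DN.  A set that intersects the group's memberUid values with
# the uid attribute of the bound user's own entry expresses the same rule.
access to dn.subtree="ou=people,dc=example,dc=com"
    by set="[cn=admins,ou=groups,dc=example,dc=com]/memberUid & user/uid" write
    by self write
    by * read
```

With `loglevel acl` enabled, a mismatch between the authenticated DN (or its uid) and the group's member values shows up in the log at the exact `by` clause that fails, which is the check suggested above before abandoning the schema.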