Pierangelo Masarati wrote:
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user" write by * none
You can check if my analysis was correct and, in that case, work around your issue by adding another layer of dereferencing to constructed DNs, thus forcing them to be normalized according to uid instead of using memberUid's value. The above rule could be modified as
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv])/entryDN & user" write
(remove all line wrapping, of course).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
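
The following is an added example, not part of the original message and not OpenLDAP code: a simplified Python model of how the two set expressions above evaluate. It assumes the constructed DN string is compared to the user's DN as-is, and that the group's memberUid value differs in case from the user's uid; the directory contents and the names `jdoe` and `eve` are constructed for illustration.

```python
# Simplified model of the two "set=" clauses; all entries are constructed samples.

def normalize_dn(dn):
    """Model DN normalization: lower-case, no spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

GROUP_DN = "cn=domain admins,ou=groups,dc=byn,dc=drv"
USER_SUFFIX = ",ou=users,dc=byn,dc=drv"

# Toy directory keyed by normalized DN (what entryDN would return).
DIRECTORY = {
    GROUP_DN: {"memberUid": ["JDoe"]},            # case differs from the uid
    "uid=jdoe" + USER_SUFFIX: {"uid": ["jdoe"]},
}

def deref(dns, attr):
    """Model of 'set/attr': attr values of every existing entry named in dns."""
    values = set()
    for dn in dns:
        key = normalize_dn(dn)
        entry = DIRECTORY.get(key)
        if entry is None:
            continue                               # DN names no entry: no values
        if attr == "entryDN":
            values.add(key)                        # normalized DN of the entry
        else:
            values.update(entry.get(attr, []))
    return values

def constructed_dns():
    """[uid=] + (group)/memberUid + [,ou=users,dc=byn,dc=drv]"""
    return {"uid=" + v + USER_SUFFIX for v in deref({GROUP_DN}, "memberUid")}

def original_rule(user_dn):
    """First ACL: constructed strings intersected directly with 'user'."""
    return bool(constructed_dns() & {user_dn})

def workaround_rule(user_dn):
    """Second ACL: constructed DNs dereferenced through /entryDN first."""
    return bool(deref(constructed_dns(), "entryDN") & {user_dn})

if __name__ == "__main__":
    member = "uid=jdoe" + USER_SUFFIX              # normalized bind DN
    outsider = "uid=eve" + USER_SUFFIX
    for dn in (member, outsider):
        print(dn, "original:", original_rule(dn), "workaround:", workaround_rule(dn))
```
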