Hi
This works. Thank you very much. Do you think this might be a general way to give posixGroups ACLs in LDAP? I found in the archives that many try to do this...
regards
Hansjörg
Pierangelo Masarati wrote:
Pierangelo Masarati wrote:
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user" write by * none
You can check if my analysis was correct and, in that case, work around your issue by adding another layer of dereferencing to constructed DNs, thus forcing them to be normalized according to uid instead of using memberUid's value. The above rule could be modified as
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv])/entryDN & user" write
(remove all line wrapping, of course).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it
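
An added illustration, not part of the original messages and not OpenLDAP code: a small Python model of the two rules quoted above. It assumes the mismatch comes from a memberUid value whose letter case differs from the user's normalized DN and that the set intersection compares strings exactly; the directory contents and all helper names are constructed.

```python
# Simplified model of set evaluation for the two rules quoted above.
# This is not slapd code; directory contents are constructed sample data.

def normalize_dn(dn):
    """Assumed normalization: trim spaces around RDN separators, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

GROUP = "cn=domain admins,ou=groups,dc=byn,dc=drv"
SUFFIX = ",ou=users,dc=byn,dc=drv"

# Entries keyed by normalized DN. memberUid keeps the case it was stored with.
DIRECTORY = {
    GROUP: {"memberUid": ["Alice", "bob"]},
    "uid=alice" + SUFFIX: {"uid": ["alice"]},
    "uid=bob" + SUFFIX: {"uid": ["bob"]},
    "uid=carol" + SUFFIX: {"uid": ["carol"]},
}

def deref(dns, attr):
    """Model of set/attr: look up each DN and collect the attribute's values."""
    out = []
    for dn in dns:
        key = normalize_dn(dn)
        entry = DIRECTORY.get(key)
        if entry is None:
            continue  # constructed DN names no entry: contributes nothing
        out.extend([key] if attr == "entryDN" else entry.get(attr, []))
    return out

def constructed_dns():
    """[uid=] + (group)/memberUid + [,ou=users,dc=byn,dc=drv]"""
    return ["uid=" + m + SUFFIX for m in deref([GROUP], "memberUid")]

def first_rule_matches(user_dn):
    """(constructed DNs) & user, compared as plain strings (assumption)."""
    return normalize_dn(user_dn) in constructed_dns()

def second_rule_matches(user_dn):
    """(constructed DNs)/entryDN & user: DNs come back normalized."""
    return normalize_dn(user_dn) in deref(constructed_dns(), "entryDN")

if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        dn = "uid=" + uid + SUFFIX
        print(uid, first_rule_matches(dn), second_rule_matches(dn))
```

In this model the member stored as "Alice" is denied by the first rule and granted by the second, while a user who is not listed in memberUid is denied by both.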