Hi Dieter,
> Hello Dieter,
> thanks for your reply.
> I tried as you suggested:
>
> by dn="cn=ldapauth,dc=example,dc=com" \
> group/nisNetgroup/nisNetgroupTriple=cn=linuxa,ou=netgroup,dc=example,dc=com
> read
>
> Unfortunately it does not work:
>
> [...]
>
> If that matters, I am using openldap 2.2.13.
Ah, your historic version might be a problem. I can't remember in
which version the group expansion has been implemented.
My slapd.access(5) OpenLDAP-2.3.27 states
THE <WHO> FIELD
[...]
It can have the forms
[ other forms deleted ]
group[/<objectclass>[/<attrname>]]
Actually I have the same syntax available in my slapd.access:
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
[dnattr=<attrname>]
[group[/<objectclass>[/<attrname>]][.<style>]=<group>]
[peername[.<peernamestyle>]=<peer>]
[sockname[.<style>]=<name>]
[domain[.<domainstyle>]=<domain>]
[sockurl[.<style>]=<url>]
So probably the error is somewhere else. I report it again for the list
(sorry, I replied to Dieter only instead of the list the first time):
Checking configuration files for slurpd: /etc/openldap/userauth.acl:
line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate
syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what> [ by <who> <access> [
<control> ] ]+
(...)
Any hints?
Thanks again
Claudio