Hi
I am trying to grant users access to a group by their group membership. Because the groups are posixGroups and not groupOfNames, I have tried the following ACLs according to (running openldap-2.3.27-5)
http://www.openldap.org/faq/data/cache/1133.html and http://www.mail-archive.com/openldap-software@openldap.org/msg08524.html
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user" write by * none
or
by set="user/uid & [cn=Domain Admins,ou=Groups,dc=byn,dc=drv]/memberUid" write
The group has the following members:
dn: cn=Domain Admins,ou=Groups,dc=byn,dc=drv
memberUid: NetAdmin1
memberUid: Netadmin5
memberUid: NT_IEXPLORE
memberUid: Siadmin
memberUid: Netadmin3
memberUid: NT_FSecure
but a search as uid=Netadmin3,ou=Users,dc=byn,dc=drv
does not succeed.
Here are the logs:
Oct 26 12:41:11 master slapd[18574]: => access_allowed: search access to "cn=Domain Admins,ou=Groups,dc=byn,dc=drv" "cn" requested
Oct 26 12:41:11 master slapd[18574]: => dn: [3] cn=domain admins,ou=groups,dc=byn,dc=drv
Oct 26 12:41:11 master slapd[18574]: => acl_get: [3] matched
Oct 26 12:41:11 master slapd[18574]: => acl_get: [3] attr cn
Oct 26 12:41:11 master slapd[18574]: => acl_mask: access to entry "cn=Domain Admins,ou=Groups,dc=byn,dc=drv", attr "cn" requested
Oct 26 12:41:11 master slapd[18574]: => acl_mask: to value by "uid=netadmin3,ou=users,dc=byn,dc=drv", (=0)
Oct 26 12:41:11 master slapd[18574]: <= check a_set_pat: ([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user
Oct 26 12:41:11 master slapd[18574]: >>> dnNormalize: <cn=domain admins,ou=groups,dc=byn,dc=drv>
Oct 26 12:41:11 master slapd[18574]: <<< dnNormalize: <cn=domain admins,ou=groups,dc=byn,dc=drv>
Oct 26 12:41:11 master slapd[18574]: <= check a_dn_pat: *
Oct 26 12:41:11 master slapd[18574]: <= acl_mask: [2] applying none(=0) (stop)
Oct 26 12:41:11 master slapd[18574]: <= acl_mask: [2] mask: none(=0)
Oct 26 12:41:11 master slapd[18574]: => access_allowed: search access denied by none(=0)
If I use something simple like by set="([uid=] + user/uid + [,ou=users,dc=byn,dc=drv]) & user" write in order to test if by set works, the search works:
Oct 26 12:35:45 master slapd[18488]: => acl_mask: to value by "uid=netadmin3,ou=users,dc=byn,dc=drv", (=0)
Oct 26 12:35:45 master slapd[18488]: <= check a_set_pat: ([uid=] + user/uid + [,ou=users,dc=byn,dc=drv]) & user
Oct 26 12:35:45 master slapd[18488]: >>> dnNormalize: <uid=netadmin3,ou=users,dc=byn,dc=drv>
Oct 26 12:35:45 master slapd[18488]: <<< dnNormalize: <uid=netadmin3,ou=users,dc=byn,dc=drv>
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: ndn: "uid=netadmin3,ou=users,dc=byn,dc=drv"
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: oc: "(null)", at: "uid"
Oct 26 12:35:45 master slapd[18488]: bdb_dn2entry("uid=netadmin3,ou=users,dc=byn,dc=drv")
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: found entry: "uid=netadmin3,ou=users,dc=byn,dc=drv"
Oct 26 12:35:45 master slapd[18488]: bdb_entry_get: rc=0
Oct 26 12:35:45 master slapd[18488]: <= acl_mask: [1] applying write(=wrscxd) (stop)
Oct 26 12:35:45 master slapd[18488]: <= acl_mask: [1] mask: write(=wrscxd)
Oct 26 12:35:45 master slapd[18488]: => access_allowed: read access granted by write(=wrscxd)
Oct 26 12:35:45 master slapd[18488]: conn=0 op=1 ENTRY dn="cn=domain admins,ou=groups,dc=byn,dc=drv"
It seems that the ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid is not expanded to all members. I have tried several cases (Groups or groups) with no success.
Is this the correct way of using posixGroups for LDAP ACLs? If not, what is the right way? If yes, what am I doing wrong?
greetings
hansjörg
Dr. Hansjörg Maurer wrote:
I am trying to grant users access to a group by their group membership. Because the groups are posixGroups and not groupOfNames, I have tried the following ACLs according to (running openldap-2.3.27-5)
http://www.openldap.org/faq/data/cache/1133.html and http://www.mail-archive.com/openldap-software@openldap.org/msg08524.html
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user" write by * none
or
by set="user/uid & [cn=Domain Admins,ou=Groups,dc=byn,dc=drv]/memberUid" write
The group has the following members:
dn: cn=Domain Admins,ou=Groups,dc=byn,dc=drv
memberUid: NetAdmin1
memberUid: Netadmin5
memberUid: NT_IEXPLORE
memberUid: Siadmin
memberUid: Netadmin3
memberUid: NT_FSecure
but a search as uid=Netadmin3,ou=Users,dc=byn,dc=drv
does not succeed.
<snip>
If I use something simple like by set="([uid=] + user/uid + [,ou=users,dc=byn,dc=drv]) & user" write in order to test if by set works, the search works
<snip>
It seems that the ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid is not expanded to all members. I have tried several cases (Groups or groups) with no success.
Is this the correct way of using posixGroups for LDAP ACLs? If not, what is the right way? If yes, what am I doing wrong?
I'm just guessing, as I realize that sets' logging is not enough to investigate this type of issue (we may need to add some more verbose logging about sets' expansion). However, it seems to me that you're intermixing uid and memberUid; the two have rather different syntaxes and EQUALITY matching rules:
- uid: directoryString and caseIgnoreMatch
- memberUid: IA5string and caseExactIA5Match
This may result in issues like: DNs containing a uid expanded from a memberUid value are normalized according to uid's matching, and thus lowercase; while DNs constructed using memberUid directly hold the value with uppercase chars, thus failing the final case-sensitive match. This could explain why the second rule, which uses uid to build a DN that's compared to the user's DN, works, while the first one, containing memberUid values, fails. And this is yet another example that shows why using posix membership for access control "Is Bad" (TM).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
Pierangelo Masarati wrote:
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user" write by * none
You can check if my analysis was correct and, in that case, work your issue around, by adding another layer of dereferencing to constructed DNs, thus forcing them to be normalized according to uid instead of using memberUid's value. The above rule could be modified as
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv])/entryDN & user" write
(remove all line wrapping, of course).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
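To make the normalization mechanism described in the two replies above concrete, here is an added Python model of how the original `by set=` clause and the `/entryDN` variant evaluate for the bind DN uid=Netadmin3. It is an illustration written for this thread, not slapd code and not from either poster. It assumes a simplified slapd: DN normalization lowercases every RDN (which holds for caseIgnoreMatch attributes such as uid, cn, ou and dc), memberUid values are taken verbatim (caseExactIA5Match), `&` is exact string intersection, and the directory contents are constructed from the entries shown in the thread.

```python
"""Model of a slapd 'by set=' evaluation built from posixGroup memberUid values.

Added illustration for the thread; not OpenLDAP code. The directory below is
constructed from the group and user DNs quoted in the messages."""

# Constructed sample directory: keys are normalized DNs, values are entries whose
# attribute values are stored exactly as the administrator wrote them.
DIRECTORY = {
    "cn=domain admins,ou=groups,dc=byn,dc=drv": {
        "cn": ["Domain Admins"],
        "memberUid": ["NetAdmin1", "Netadmin5", "NT_IEXPLORE",
                      "Siadmin", "Netadmin3", "NT_FSecure"],
    },
    "uid=netadmin3,ou=users,dc=byn,dc=drv": {"uid": ["Netadmin3"]},
    "uid=siadmin,ou=users,dc=byn,dc=drv": {"uid": ["Siadmin"]},
}

GROUP_DN = "cn=domain admins,ou=groups,dc=byn,dc=drv"
USER_SUFFIX = ",ou=users,dc=byn,dc=drv"


def normalize_dn(dn):
    """Simplified slapd DN normalization: every RDN lowercased, which is what
    caseIgnoreMatch (uid, cn, ou, dc) produces. The bound user's DN ('user' in
    a set) is always held in this form, as the thread's log lines show."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def deref(values, attr):
    """The set operator 'S/attr': treat each member of S as a DN, look up the
    entry (the lookup normalizes, so case does not matter at this step) and
    collect attr's stored values. The operational attribute entryDN yields the
    entry's normalized DN, which is the trick behind the '/entryDN' fix."""
    out = []
    for value in values:
        ndn = normalize_dn(value)
        entry = DIRECTORY.get(ndn)
        if entry is None:
            continue  # a memberUid with no matching user entry simply drops out
        if attr == "entryDN":
            out.append(ndn)
        else:
            # memberUid is caseExactIA5Match: values come back verbatim, mixed case.
            out.extend(entry.get(attr, []))
    return out


def concat(*parts):
    """The set operator 'A + B': string concatenation of every combination."""
    result = [""]
    for part in parts:
        result = [left + right for left in result for right in part]
    return result


def intersect(left, right):
    """The set operator 'A & B': exact string intersection. This is the step
    where a mixed-case constructed DN fails to meet the lowercase bind DN."""
    return sorted(set(left) & set(right))


def original_rule(bind_dn):
    """([uid=] + ([group])/memberUid + [,ou=users,...]) & user"""
    user = [normalize_dn(bind_dn)]
    built = concat(["uid="], deref([GROUP_DN], "memberUid"), [USER_SUFFIX])
    return intersect(built, user)  # empty for Netadmin3: "uid=Netadmin3" != "uid=netadmin3"


def entrydn_rule(bind_dn):
    """Same rule with '/entryDN' appended: each constructed DN is resolved to the
    entry's normalized DN before the comparison with 'user'."""
    user = [normalize_dn(bind_dn)]
    built = concat(["uid="], deref([GROUP_DN], "memberUid"), [USER_SUFFIX])
    return intersect(deref(built, "entryDN"), user)


if __name__ == "__main__":
    bind = "uid=Netadmin3,ou=Users,dc=byn,dc=drv"
    print("original rule  ->", original_rule(bind) or "no match (access denied)")
    print("/entryDN rule  ->", entrydn_rule(bind) or "no match (access denied)")
```

Running the block shows the original rule yielding an empty set (slapd then falls through to `by * none`) and the `/entryDN` rule yielding the bind DN, i.e. a grant. The model also makes the fragility visible: access hinges on how each memberUid value was typed, and any memberUid without a corresponding user entry silently contributes nothing, so when reviewing such ACLs it is worth checking the stored case of every memberUid against the uid entries, or preferring groupOfNames with full DNs as the reply recommends.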
Hi
This works. Thank you very much. Do you think this might be a general way to give posixGroups ACLs in LDAP? I found in the archives that many try to do this...
regards
Hansjörg
Pierangelo Masarati wrote:
Pierangelo Masarati wrote:
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user" write by * none
You can check if my analysis was correct and, in that case, work your issue around, by adding another layer of dereferencing to constructed DNs, thus forcing them to be normalized according to uid instead of using memberUid's value. The above rule could be modified as
access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv" by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv])/entryDN & user" write
(remove all line wrapping, of course).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it