Michael Ströder wrote:
Hi!
I'm experimenting with replacing slapo-memberof with slapo-dynlist in Æ-DIR's slapd.conf.
Ok, basically it works but...
Æ-DIR tries hard to follow the need-to-know principle. This means that memberOf values are only made visible to clients on which they have been defined to be visible.
Thus I have ACLs like this, which don't work for these clients (lines wrapped):

access to dn.subtree="ou=ae-dir"
    filter="(objectClass=posixAccount)"
    attrs=memberOf val.regex="^.+$"
    [..]
    by set.expand="(user/-1 | user/aeSrvGroup | user/-1/aeProxyFor) & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeSrvGroup)(aeStatus=0)(aeVisibleGroups=${v0}))]/entryDN" read
    [..]
    by * none

There's nothing dynlist is doing that would cause this ACL to break, if it worked before with slapo-memberof. In particular, by the time an ACL check is performed, the entire entry has been constructed, including the memberof attribute values. You're going to have to dig into this further on your own.
I'm aware that this is quite special. But is there any chance that something like this will ever be supported?
The alternative would be to implement an external update process for maintaining 'memberOf'. :-/
Ciao, Michael.
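An offline model of the set.expand clause quoted above, as an added example (not code from the thread or from Æ-DIR): it evaluates the two sides of the `&` over a few constructed aeSrvGroup/aeHost entries and reports whether the `read` clause would match for a given memberOf value. It assumes that `user/-1` denotes the parent DN of the bound client and that a set clause matches when the resulting set is non-empty.

```python
# Added example, not from the thread or from Æ-DIR. Assumptions: "user/-1" is the
# parent DN of the bound client, "user/aeSrvGroup" its aeSrvGroup values,
# "user/-1/aeProxyFor" the parent's aeProxyFor values; a set matches if non-empty.
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed toy DIT: a host entry lives under its aeSrvGroup, inside a zone.
DIT: Dict[str, Entry] = {
    "cn=web,cn=zone1,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"], "aeStatus": ["0"],
        "aeVisibleGroups": ["cn=web-admins,cn=zone1,ou=ae-dir"],
        "aeProxyFor": ["cn=db,cn=zone1,ou=ae-dir"],
    },
    "cn=db,cn=zone1,ou=ae-dir": {
        "objectClass": ["aeSrvGroup"], "aeStatus": ["0"],
        "aeVisibleGroups": ["cn=db-admins,cn=zone1,ou=ae-dir"],
    },
    "cn=legacy,cn=zone1,ou=ae-dir": {  # deactivated: aeStatus != 0
        "objectClass": ["aeSrvGroup"], "aeStatus": ["1"],
        "aeVisibleGroups": ["cn=legacy-admins,cn=zone1,ou=ae-dir"],
    },
    "host=www1,cn=web,cn=zone1,ou=ae-dir": {"objectClass": ["aeHost"]},
}

def parent(dn: str) -> str:
    """user/-1: strip the leading RDN (toy DN parsing, no escaping handled)."""
    return dn.split(",", 1)[1]

def values(dn: str, at: str) -> Set[str]:
    return set(DIT.get(dn, {}).get(at, []))

def client_side(user: str) -> Set[str]:
    """Left side: (user/-1 | user/aeSrvGroup | user/-1/aeProxyFor)."""
    return {parent(user)} | values(user, "aeSrvGroup") | values(parent(user), "aeProxyFor")

def groups_exposing(member_of: str) -> Set[str]:
    """Right side: entryDN of active aeSrvGroup entries whose aeVisibleGroups
    contains the memberOf value under test (${v0})."""
    return {dn for dn, e in DIT.items()
            if "aeSrvGroup" in e.get("objectClass", [])
            and e.get("aeStatus") == ["0"]
            and member_of in e.get("aeVisibleGroups", [])}

def may_read_memberof(user: str, member_of: str) -> bool:
    """The '&' of both sides: the 'read' clause matches iff the intersection is non-empty."""
    return bool(client_side(user) & groups_exposing(member_of))
```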