> ACLs along these lines should do the rest
Actually, this doesn't seem to work:
access to dn.exact="ou=Group,dc=example" attrs=children by users write by * break
access to dn.subtree="ou=Group,dc=example" attrs=entry filter="(&(objectClass=posixGroup)(objectClass=myGroup)(gidNumber>=1000)(gidNumber<=10000))" by users add by * break
access to dn.subtree="ou=Group,dc=example" attrs=manager,memberUid,description,myStatus by set="this/manager & user" write by * break
If I take out the "filter" line, it works fine, but with the "filter" line there it doesn't work, regardless of what gidNumber I provide.
The OpenLDAP log with "acl" logging enabled is attached. What do I need to add to these ACLs to get this working? I tried adding all the group-specific attributes to the "attrs=entry" line, but that did not help.
--
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354
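As an added illustration (not part of this thread), a small Python evaluator for the ACL filter quoted above: it parses the RFC 4515 filter string and checks a constructed group entry against it, so the selection the filter is meant to express (posixGroup plus myGroup with gidNumber between 1000 and 10000) can be tested outside slapd. The entries are constructed samples; this script compares integer values directly, whereas slapd evaluates a `>=` or `<=` item only when the attribute's schema defines an ORDERING matching rule, and otherwise that item is Undefined and an `&` filter depending on it never matches.

```python
import re

# Constructed sample entry, shaped like a group the ACL filter is meant to match
SAMPLE_GROUP = {"objectClass": ["posixGroup", "myGroup"], "cn": ["devteam"], "gidNumber": ["2500"]}

# The filter from the ACL line in the post above
ACL_FILTER = "(&(objectClass=posixGroup)(objectClass=myGroup)(gidNumber>=1000)(gidNumber<=10000))"

def parse(s, i=0):
    """Parse an RFC 4515 filter starting at s[i]; return (node, index after it)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":                      # AND / OR with a list of sub-filters
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        assert s[i] == ")"
        return (op, kids), i + 1
    if s[i] == "!":                       # NOT with a single sub-filter
        kid, i = parse(s, i + 1)
        assert s[i] == ")"
        return ("!", kid), i + 1
    j = s.index(")", i)                   # simple item: attr (= | >= | <=) value
    m = re.fullmatch(r"([A-Za-z][\w;-]*)(>=|<=|=)(.*)", s[i:j])
    assert m, "unsupported filter item: " + s[i:j]
    return ("cmp", m.group(1), m.group(2), m.group(3)), j + 1

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, op, value = node
    # Attribute types are case-insensitive in LDAP
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if op == "=":                         # equality only; substring wildcards not handled
        return any(v.lower() == value.lower() for v in values)
    # Ordering item, compared numerically as integerOrderingMatch would
    want = int(value)
    return any((int(v) >= want) if op == ">=" else (int(v) <= want) for v in values)

def acl_filter_matches(entry, flt=ACL_FILTER):
    node, end = parse(flt)
    assert end == len(flt), "trailing text after filter"
    return matches(node, entry)
```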