--On Friday, June 9, 2023 5:13 PM +0200 Souji Thenria mail@souji-thenria.net wrote:
On 08.06.2023 23:15, Quanah Gibson-Mount wrote:
I tried to use group=... and group.exact=... without success. The Administrator's Guide [1] says that group=... assumes that the objectClass is "groupOfNames", and if I use another objectClass, I should use: by group/<objectclass>/<attributename>=<DN> <access>
That is for static groups, not dynamic groups.
In that case, what's the correct approach to use a dynamic group inside an olcAccess rule? The Administrator's Guide says that dynamic groups are supported. But either I am blind, or both the slapo-dynlist(5) man page and the Dynamic Lists overlay section (in the Administrator's Guide) do not include information about ACLS.
Howard already noted you can simply use group ACLs.
You've not provided any examples of the 'group' ACLs you provided, nor the full context of your ACLs, so they may have not worked for any number of reasons.
This is the full ACL I was using: to attrs=userPassword by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read by self write by anonymous auth
This lacks context, which I also noted was necessary.
There's zero information on:
a) what database this ACL is applied to, could be the cn=config db for all I know b) what ACLs may precede it that would take precedent.
--Quanah