On 2/14/22 23:39, Howard Chu wrote:
> Michael Ströder wrote:
>> I'm experimenting with replacing slapo-memberof by slapo-dynlist in Æ-DIR's slapd.conf.
>> Ok, basically it works but...
>> Thus I have ACLs like this, which don't work for these clients (lines wrapped):
>>
>> access to dn.subtree="ou=ae-dir"
>>   filter="(objectClass=posixAccount)"
>>   attrs=memberOf val.regex="^.+$"
>>   [..]
>>   by set.expand="(user/-1 | user/aeSrvGroup | user/-1/aeProxyFor)
>>     & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeSrvGroup)(aeStatus=0)(aeVisibleGroups=${v0}))]/entryDN" read
>>   [..]
>>   by * none
>
> There's nothing dynlist is doing that would cause this ACL to break, if it worked before with slapo-memberof.

Well, I appreciate you confirming that it's supposed to work, but it doesn't always work...

> In particular, by the time an ACL check is performed, the entire entry has been constructed, including the memberof attribute values.

I should have noted that it's a search with filter (memberOf=..) which fails in cases where the set.expand <who> clause would grant the search access. Does that make a difference?

Ciao, Michael.