DRVTiny wrote:
> OpenLDAP 2.4.39, amd64, debian 7
> When I use the group with only static members in "by
> group/groupOfNames/member" clause - all works perfectly.
> But when I'm trying to use in ACL definition dynamic members in 1:1
> identical group - it doesn't work at all and in slapd debug output I see:
> ---
> 530b1a22 dnMatch -40
> "dc=ru"
> "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru"
> ---
> where "dc=ru" is one static member of this group (all others are dynamic
> members and they are not compared to
> "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru" at all).
>
> It is very strange behavior, because official documentation says that:
>
> ---
> Dynamic Groups are also supported in Access Control. Please see
> slapo-dynlist(5) and the Dynamic Lists overlay section.
> ---
>
> Any comments? Can I use dynlist'ed groups in OpenLDAP ACL?

Yes, you can. But you cannot use group/groupOfNames for a dynamic group. This
is already documented in the manpage.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/