Thank you very much, Howard! The perfect answer my be found in the slapd.access(5) manpage!
I love OpenLDAP for its wonderful documentation and excellent debug capabilities. Thank you again, i am very glad to solve my problem indeed.


Понедельник, 24 февраля 2014, 6:28 -08:00 от Howard Chu <hyc@symas.com>:
DRVTiny wrote:
> OpenLDAP 2.4.39, amd64, debian 7
> When i use the group with only static members in "by
> group/groupOfNames/member" clause - all works perfectly
> But when i'm trying to use in ACL definition dynamic members in 1:1
> identicaly group - it doesnt work at all and in slapd debug output i see:
> ---
> 530b1a22 dnMatch -40
> "dc=ru"
> "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru"
> ---
> where "dc=ru" is one static member of this group (all others is dynamic
> members and it is not compared to
> "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru" at all).
>
> It is very strange behavior, because official documentation says that:
>
> ---
> Dynamic Groups are also supported in Access Control. Please see
> slapo-dynlist(5) and the Dynamic Lists overlay section.
> ---
>
> Any comments? Can i use dynlist'ed groups in OpenLDAP ACL?

Yes, you can. But you cannot use group/groupOfNames for a dynamic group. This
is already documented in the manpage.

--
   -- Howard Chu
   CTO, Symas Corp. http://www.symas.com
   Director, Highland Sun http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP http://www.openldap.org/project/



--
Андрей Коновалов