On 08.06.2023 23:15, Quanah Gibson-Mount wrote:
>>>> I tried to use group=... and group.exact=... without success. The Administrator's Guide [1] says that group=... assumes that the objectClass is "groupOfNames", and if I use another objectClass, I should use: by group/<objectclass>/<attributename>=<DN> <access>
>>> That is for static groups, not dynamic groups.
>> In that case, what's the correct approach to use a dynamic group inside an olcAccess rule? The Administrator's Guide says that dynamic groups are supported. But either I am blind, or both the slapo-dynlist(5) man page and the Dynamic Lists overlay section (in the Administrator's Guide) do not include information about ACLs.
> You've not provided any examples of the 'group' ACLs you provided, nor the full context of your ACLs, so they may have not worked for any number of reasons.
This is the full ACL I was using:

to attrs=userPassword
    by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read
    by self write
    by anonymous auth

However, this won't solve my problem in general. Even if the "by group=..." statement worked, it would give all group members read permission on every user's "userPassword" attribute, whereas I want users in this group to have read access only to their own "userPassword" attribute. All other users, not in this group, should be able to change their own password. That's why I tried to use the "set" statement in the first place:

to attrs=userPassword
    by set="this & [cn=test,ou=Groups,ou=System,dc=example,dc=local]/member* & user" read
    by self write
    by anonymous auth

I want to prohibit some users from changing their passwords because they authenticate via SASL against Active Directory. If they changed their password, they would no longer authenticate against Active Directory.
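A small model of slapd's first-match "by" clause evaluation, added here as an example (it is not part of the thread and not OpenLDAP code), to contrast the two ACLs above. It assumes that the first matching "by" clause decides the access level, that a "set=" clause matches when the resulting set is non-empty, that "this" and "user" are the target entry's DN and the bound DN, and that only direct "member" values of the group are expanded; the directory contents and the user DNs are constructed.

```python
# Added example, not from the thread: simplified model of how slapd picks the first
# matching "by" clause, used to contrast the "group=" and "set=" ACLs above.
# Assumptions: group= matches when the bound DN is a member of the group; set= matches
# when the set is non-empty; this = target entry DN, user = bound DN (None when
# anonymous); only direct "member" values are expanded. Not OpenLDAP code.

GROUP_DN = "cn=test,ou=Groups,ou=System,dc=example,dc=local"   # group from the thread
ALICE = "uid=alice,ou=People,dc=example,dc=local"              # constructed: SASL/AD user
BOB = "uid=bob,ou=People,dc=example,dc=local"                  # constructed: local user

# Constructed directory contents: Alice is the only member of the group.
DIRECTORY = {
    GROUP_DN: {"objectClass": {"groupOfNames"}, "member": {ALICE}},
    ALICE: {"objectClass": {"inetOrgPerson"}},
    BOB: {"objectClass": {"inetOrgPerson"}},
}

def members(group_dn):
    """Expand [group_dn]/member to the set of member DNs (direct members only)."""
    return set(DIRECTORY.get(group_dn, {}).get("member", ()))

# Each "by" clause is (matcher, access level); evaluation stops at the first match.
def by_group(group_dn):
    return lambda this, user: user in members(group_dn)

def by_self():
    return lambda this, user: user is not None and user == this

def by_anonymous():
    return lambda this, user: user is None

def by_set_own_entry_and_member(group_dn):
    # set="this & [group_dn]/member* & user": {this} intersected with the group's
    # members and with {user}; the clause matches only if that set is non-empty.
    return lambda this, user: bool({this} & members(group_dn) & {user})

def evaluate(by_clauses, this, user):
    """Access level of the first matching clause, or 'none' (the implicit 'by * none')."""
    for matches, level in by_clauses:
        if matches(this, user):
            return level
    return "none"

ACL_GROUP = [(by_group(GROUP_DN), "read"), (by_self(), "write"), (by_anonymous(), "auth")]
ACL_SET = [(by_set_own_entry_and_member(GROUP_DN), "read"),
           (by_self(), "write"), (by_anonymous(), "auth")]

def compare(this, user):
    """Access to the userPassword of entry `this` for bound DN `user` under both ACLs."""
    return evaluate(ACL_GROUP, this, user), evaluate(ACL_SET, this, user)
```

Under the model, the group= rule lets Alice read Bob's password, while the set= rule grants her read only on her own entry and, because that clause matches before "by self write", she never reaches write.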