On Monday, 02 March 2015 18:49 CET, Michael Ströder michael@stroeder.com wrote:
Mattes wrote:
Dear collected list wisdom,
I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
olcDlAttrSet: groupOfURLs memberURL member
and installed an ACL:
olcAccess: to dn.regex=".+,<some base>" by self read by group/groupOfURLs/member="<group DN>" search
Browsing the directory I can see the member attributes being added to the group, but testing access with slapacl I encounter the following error:

54ef3976 => bdb_entry_get: found entry: "<group DN>"
54ef3976 <= bdb_entry_get: failed to find attribute member
What am I doing wrong? N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
It's important to understand that dynlist overlay generates attribute 'member' on the fly when it's read.
I understand. But, to my understanding, both group/objectclass/attrname acls and set/... acls need to fetch the attributes to do the comparison/set intersection.
Did you read section AUTHORIZATION in slapo-dynlist(5)?
Yes, I did read that manpage. What are you hinting at? The attribute used in the filter part of the LDAP URL to populate the dyngroup is readable by all (verified with slapacl).
Maybe running this as a CRON job is better for your needs:
Hmm, why? What does this script do that the autogroup can't handle?
Thanks, Ralf Mattes
Ciao, Michael.
-- E-Mail: michael@stroeder.com http://www.stroeder.com
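For readers reproducing the setup from the thread, here is the same dynlist overlay and group ACL written out as a complete cn=config LDIF. This is an added example, not configuration posted by either participant; the database suffix dc=example,dc=com, the bdb database index {1}, the ou=people subtree and the group cn=staff,ou=groups,dc=example,dc=com are constructed names standing in for the thread's <some base> and <group DN> placeholders.

```ldif
# Added example; all DNs below are constructed for illustration.
# 1. Load the dynlist module (module path and index vary by distribution).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist

# 2. Attach the overlay to the bdb database and have it expand memberURL
#    into a member attribute on entries of objectClass groupOfURLs,
#    exactly as the olcDlAttrSet line in the thread does.
dn: olcOverlay=dynlist,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist
olcDlAttrSet: groupOfURLs memberURL member

# 3. The ACL from the thread: an entry's owner may read it, members of the
#    dynamic group get search access, everyone else falls through to the
#    default (no access). The group's member attribute is what the
#    group/groupOfURLs/member clause looks up on the group entry.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.regex=".+,ou=people,dc=example,dc=com"
  by self read
  by group/groupOfURLs/member="cn=staff,ou=groups,dc=example,dc=com" search
```

After loading it, the check the thread describes is `slapacl -F /etc/openldap/slapd.d -D "uid=alice,ou=people,dc=example,dc=com" -b "uid=bob,ou=people,dc=example,dc=com" cn/search`, with the slapd.d path adjusted to the installation; raising the debug level shows the bdb_entry_get lines quoted above, which is where to look for whether member was found on the group entry.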