On 2/14/22 23:39, Howard Chu wrote:
Michael Ströder wrote:
> I'm experimenting to replace slapo-memberof to slapo-dynlist in Æ-DIR's
> Ok, basically it works but...
> Thus I have ACLs like this and which don't work for these clients (lines
There's nothing dynlist is doing that would cause this ACL to break,
if it worked before with slapo-memberof.
Well, I appreciate you confirming that
it's supposed to work, but it
doesn't always work...
In particular, by the time an ACL check is performed, the entire
entry has been constructed, including the memberof attribute values.
I should have
noted that it's a search with filter (memberOf=..) which
fails in cases where the set.expand <who> clause would grant the search
access. Does that make a difference?
> access to
> by set.expand="(user/-1 | user/aeSrvGroup | user/-1/aeProxyFor) &
> by * none