That was just an example I wrote while writing the email. Actual one does have a "by".
The ACLs parse without warning (except the catch-all where dn=*). This is the real one in my slapd config:
access to dn.regex="^[^,]+,ou=resources,(ou=[^,]+,ou=MyNs,dc=MyCompany,dc=com)$" attrs="entry,@MyResourceClasss" by group/groupOfNames/member.expand="cn=admins,ou=groups,$1" +w continue by * break
Thanks
-Rakesh
On Fri, Nov 11, 2011 at 11:58 AM, Quanah Gibson-Mount quanah@zimbra.comwrote:
--On Friday, November 11, 2011 11:40 AM -0800 Rakesh Aggarwal < rakesh.aggarwal@gmail.com> wrote:
Hi folks!
I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio as the client on a different machine.
I am having issues trying to setup ACL using Group. The only non-standard aspect in my schema design is that the groups container is located in a organization specific sub-tree of DIT and not under DIT root, e.g.
access to dn.subtree="ou=resources,ou=**dept1,ou=ns1,dc=example,dc=** com" attrs = "entry,@myResourceClass" group.exact="cn=myadmin,ou=**groups,ou=dept1,ou=ns1,dc=**example,dc=com" write continue by * break
access to * by * read
What you pasted is not a valid ACL statement. I expect it to fail. You may want to try adding the word "by" in front of "group.exact".
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org