That was just an example I wrote while writing the email. The actual one does
have a "by".

The ACLs parse without warning (except the catch-all where dn=*). This is
the real one in my slapd config:

access to dn.regex="^[^,]+,ou=resources,(ou=[^,]+,ou=MyNs,dc=MyCompany,dc=com)$"
    attrs="entry,@MyResourceClasss"
    by group/groupOfNames/member.expand="cn=admins,ou=groups,$1" +w continue
    by * break

Thanks

-Rakesh


On Fri, Nov 11, 2011 at 11:58 AM, Quanah Gibson-Mount <[email protected]> wrote:

> --On Friday, November 11, 2011 11:40 AM -0800 Rakesh Aggarwal <
> [email protected]> wrote:
>
>
>> Hi folks!
>>
>> I am using OpenLDAP 2.4.23 on RedHat, and using Apache Directory Studio
>> as the client on a different machine.
>>
>> I am having issues trying to set up ACL using Group. The only non-standard
>> aspect in my schema design is that the groups container is located in an
>> organization-specific sub-tree of DIT and not under DIT root, e.g.
>>
>>  access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com"
>>  attrs = "entry,@myResourceClass"
>>  group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com" write continue
>>  by * break
>>
>> access to * by * read
>>
>
> What you pasted is not a valid ACL statement.  I expect it to fail.  You
> may want to try adding the word "by" in front of "group.exact".
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
>
