--On Friday, June 9, 2023 5:13 PM +0200 Souji Thenria
<[email protected]> wrote:
> On 08.06.2023 23:15, Quanah Gibson-Mount wrote:
>>>>> I tried to use group=... and group.exact=... without success.
>>>>> The Administrator's Guide [1] says that group=... assumes that the
>>>>> objectClass is "groupOfNames", and if I use another objectClass, I
>>>>> should use:
>>>>> by group/<objectclass>/<attributename>=<DN> <access>
>>>>
>>>> That is for static groups, not dynamic groups.
>>>
>>> In that case, what's the correct approach to use a dynamic group inside
>>> an olcAccess rule?
>>> The Administrator's Guide says that dynamic groups are supported. But
>>> either I am blind, or both the slapo-dynlist(5) man page and the Dynamic
>>> Lists overlay section (in the Administrator's Guide) do not include
>>> information about ACLs.
>>
>> Howard already noted you can simply use group ACLs.
>> You've not provided any examples of the 'group' ACLs you provided, nor
>> the full context of your ACLs, so they may have not worked for any
>> number of reasons.
>
> This is the full ACL I was using:
>
> to attrs=userPassword
>     by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read
>     by self write
>     by anonymous auth

This lacks context, which I also noted was necessary.
There's zero information on:
a) what database this ACL is applied to, could be the cn=config db for all
I know
b) what ACLs may precede it that would take precedence.
--Quanah