I have a problem with assigning access permissions based on group membership which may be a bug with Netscape Directory Server 4.12. I'm running on Solaris 8.

I have Users below a new ou (ou=myproject people, o=myorg.com). I assign "all" access to that ou based on membership of a new group cn=mygroup, ou=Groups, o=MyOrg.com. When a user (from ou=People) is a member of mygroup, they have "all" access to objects in myproject people. So far so good.

Problem:

1. A user (cn=myuser, ou=People, o=myorg.com) is a member of mygroup and can access objects in ou=myproject people. -> OK.
2. Remove myuser from mygroup. User can no longer access objects in ou=myproject people. -> OK.
3. Re-add myuser as a member of mygroup. User still cannot access objects in ou=myproject people. -> BUG!!!!!!!
4. Stop and start ns-slapd and user myuser then has access again to ou=myproject people.

Obviously I shouldn't have to restart slapd to make this work.

In the case where it doesn't work (point 3 above) there is a message in the errors log (with errorlevel 128) saying "Found the client [....] in the NOT MEMBER group list cache [....]".

What I think is happening is that when the user is removed from the members list in the group, it is added to the NOT MEMBER group list cache. Unfortunately it stays there even when the user is re-added. It works on ns-slapd restart because the cache gets cleared.

Any ideas? Anyone know if this is fixed in newer versions? (I've tried 4.13.) Can anyone think of a workaround (apart from an ns-slapd restart)?

This is a big problem for us and will cause headaches in production. I want to be able to control access rights according to group membership. Surely this is a common use of group membership.

Thanks in advance.
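To make the cache behaviour the post hypothesises concrete, here is an added Python model (a constructed example of my own, not Netscape Directory Server code and not the poster's): an ACI evaluator with a negative "NOT MEMBER" cache that is cleared only on restart, beside a variant that drops the cached negative entries for a group whenever that group's member list is modified. Replaying the post's four steps against both shows the stale-cache result at step 3 and the restart "fix" at step 4. The class names, the `Directory` stand-in, `run_scenario` and the exact DNs are assumptions made for the illustration; the log line is modelled on the one quoted in the post.

```python
# Added illustration: a negative group-membership cache in an ACI evaluator.
# Constructed model, not Netscape Directory Server code; DNs follow the post.


class Directory:
    """Minimal stand-in for the DIT: group DN -> set of member DNs."""

    def __init__(self):
        self.groups = {}

    def is_member(self, client_dn, group_dn):
        return client_dn in self.groups.get(group_dn, set())


class StaleNegativeCache:
    """ACI evaluator whose NOT MEMBER cache is cleared only on restart.

    Models the behaviour the post describes: once a (client, group) pair
    is cached as "not a member", later modifications of the group are not
    consulted until ns-slapd is restarted.
    """

    def __init__(self, directory):
        self.directory = directory
        self.not_member = set()  # cached (client_dn, group_dn) pairs
        self.log = []            # errors-log lines emitted by the evaluator

    def has_access(self, client_dn, group_dn):
        key = (client_dn, group_dn)
        if key in self.not_member:
            self.log.append(
                f"Found the client [{client_dn}] in the NOT MEMBER group "
                f"list cache [{group_dn}]"
            )
            return False
        if self.directory.is_member(client_dn, group_dn):
            return True
        self.not_member.add(key)  # negative lookup result is cached
        return False

    def modify_group(self, group_dn, members):
        """Replace the group's member list. The stale variant does not
        touch the cache here, which is the modelled bug."""
        self.directory.groups[group_dn] = set(members)

    def restart(self):
        """Server restart: the in-memory cache is discarded."""
        self.not_member.clear()


class InvalidatingCache(StaleNegativeCache):
    """Same evaluator, but a group modification drops every cached
    negative entry that refers to that group."""

    def modify_group(self, group_dn, members):
        super().modify_group(group_dn, members)
        self.not_member = {k for k in self.not_member if k[1] != group_dn}


USER_DN = "cn=myuser, ou=People, o=myorg.com"
GROUP_DN = "cn=mygroup, ou=Groups, o=myorg.com"


def run_scenario(evaluator_cls):
    """Replay the post's four steps; return the access result of each
    step plus the log lines the evaluator produced."""
    evaluator = evaluator_cls(Directory())
    results = []
    evaluator.modify_group(GROUP_DN, [USER_DN])   # 1. user is a member
    results.append(evaluator.has_access(USER_DN, GROUP_DN))
    evaluator.modify_group(GROUP_DN, [])          # 2. user removed
    results.append(evaluator.has_access(USER_DN, GROUP_DN))
    evaluator.modify_group(GROUP_DN, [USER_DN])   # 3. user re-added
    results.append(evaluator.has_access(USER_DN, GROUP_DN))
    evaluator.restart()                           # 4. ns-slapd restart
    results.append(evaluator.has_access(USER_DN, GROUP_DN))
    return results, evaluator.log


if __name__ == "__main__":
    for cls in (StaleNegativeCache, InvalidatingCache):
        results, log = run_scenario(cls)
        print(cls.__name__, results, log)
```

Running it prints `[True, False, False, True]` for the stale variant (the step-3 denial comes with the "NOT MEMBER group list cache" log line) and `[True, False, True, True]` for the invalidating one. The point of the contrast is where the invalidation has to live: a negative cache keyed on the client is only safe if any write to the group's member attribute evicts the entries that depend on it, otherwise a restart is the only thing that flushes it.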
