<quote who="Alina Dubrovska">
> Gavin,
>
> Thank you for the reply and suggestion about support services!
> However, I'm hoping that somebody from the list is familiar with
> sets syntax for defining an ACL and would be able to determine if an ACL like
> this is correct:
>
> *access to attrs=employeeType,employeeNumber
> by self write
> by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
> by * read*

Switch on ACL debugging and run slapd by hand to check.

> So, we have a parent group (groupOfUniqueNames, "System Administrator") and
> all members should be granted access permission to modify specific
> attributes. Then we need to have the ability to add new child groups in runtime,
> so that all child group members would be automatically granted the same set
> of permissions as the parent group. Without modifying slapd.conf and restarting
> the server, of course.
>
> Probably there is some important nuance with sets syntax or maybe there is
> any other alternative solution?
>
> Because as I mentioned, with the stated ACL we have performance issues on one
> OpenLDAP instance and a fatal crash on another...

Sets are somewhat experimental. Well, crashes shouldn't happen, so that should be a bug report via http://www.openldap.org/its. Please read http://www.openldap.org/doc/admin24/troubleshooting.html for submitting proper bug reports.
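A simplified model of how the set in the quoted ACL, `[group]/uniqueMember* & user`, resolves nested groups, given here as an added example that is not part of the original thread and is not slapd's own code. The directory contents, the user and child-group names, and the lookup counter are constructed for illustration; the model assumes every `uniqueMember` value is followed as a DN and that a group loop must not cause endless expansion.

```python
def norm(dn):
    """DN comparison is modelled here as a case-insensitive string match."""
    return dn.casefold()

GROUP = "cn=System Administrator,ou=groups,dc=domain,dc=com"
CHILD = "cn=Helpdesk,ou=groups,dc=domain,dc=com"        # hypothetical child group
ALICE = "uid=alice,ou=people,dc=domain,dc=com"          # constructed users
BOB = "uid=bob,ou=people,dc=domain,dc=com"
CAROL = "uid=carol,ou=people,dc=domain,dc=com"

# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    norm(GROUP): {"uniqueMember": [ALICE, CHILD]},
    # The child group points back at its parent: a membership loop.
    norm(CHILD): {"uniqueMember": [BOB, GROUP]},
    norm(ALICE): {},
    norm(BOB): {},
    norm(CAROL): {},
}

def expand(start_dn, attr, directory):
    """Model of [start_dn]/attr*: follow attr values transitively.

    Returns (set of normalized DNs reached, number of entry lookups).
    """
    reached, visited, lookups = set(), set(), 0
    pending = [norm(start_dn)]
    while pending:
        dn = pending.pop()
        if dn in visited:          # loop guard: never expand an entry twice
            continue
        visited.add(dn)
        lookups += 1               # one directory read per distinct entry
        for value in directory.get(dn, {}).get(attr, []):
            reached.add(norm(value))
            pending.append(norm(value))
    return reached, lookups

def set_grants_write(user_dn, directory=DIRECTORY):
    """Model of '[GROUP]/uniqueMember* & user': non-empty intersection grants."""
    members, lookups = expand(GROUP, "uniqueMember", directory)
    return norm(user_dn) in members, lookups

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who, set_grants_write(who))
```

In this model a user in a child group matches without any change to the ACL text, and the lookup count grows with the number of distinct entries reachable from the parent group.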
