Thank you very much, Howard! The perfect answer may be found in the slapd.access(5) manpage! I love OpenLDAP for its wonderful documentation and excellent debug capabilities. Thank you again, I am very glad to solve my problem indeed.
Monday, 24 February 2014, 6:28 -08:00 from Howard Chu <[email protected]>:
>DRVTiny wrote:
>> OpenLDAP 2.4.39, amd64, debian 7
>> When I use the group with only static members in "by
>> group/groupOfNames/member" clause - all works perfectly
>> But when I'm trying to use in ACL definition dynamic members in 1:1
>> identical group - it doesn't work at all and in slapd debug output I see:
>> ---
>> 530b1a22 dnMatch -40
>> "dc=ru"
>> "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru"
>> ---
>> where "dc=ru" is one static member of this group (all others are dynamic
>> members and they are not compared to
>> "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru" at all).
>>
>> It is very strange behavior, because official documentation says that:
>>
>> ---
>> Dynamic Groups are also supported in Access Control. Please see
>> slapo-dynlist(5) and the Dynamic Lists overlay section.
>> ---
>>
>> Any comments? Can I use dynlist'ed groups in OpenLDAP ACL?
>
>Yes, you can. But you cannot use group/groupOfNames for a dynamic group. This
>is already documented in the manpage.
>
>--
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>

--
Андрей Коновалов
