Michael Ströder wrote:
> Hi!
>
> I'm experimenting with replacing slapo-memberof with slapo-dynlist in Æ-DIR's
> slapd.conf.
>
> Ok, basically it works but...
>
> Æ-DIR tries hard to follow the need-to-know principle. This means that memberOf
> values are only made visible to clients on which they have been defined to be
> visible.
>
> Thus I have ACLs like this, which don't work for these clients (lines
> wrapped):

There's nothing dynlist is doing that would cause this ACL to break, if it worked before with slapo-memberof. In particular, by the time an ACL check is performed, the entire entry has been constructed, including the memberof attribute values. You're going to have to dig into this further on your own.

> access to
>   dn.subtree="ou=ae-dir"
>   filter="(objectClass=posixAccount)"
>   attrs=memberOf
>   val.regex="^.+$"
>   [..]
>   by set.expand="(user/-1 | user/aeSrvGroup | user/-1/aeProxyFor) &
>     [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeSrvGroup)(aeStatus=0)(aeVisibleGroups=${v0}))]/entryDN"
>     read
>   [..]
>   by * none
>
> I'm aware that this is quite special. But is there any chance that something
> like this will ever be supported?
>
> The alternative would be to implement an external update process for
> maintaining 'memberOf'. :-/
>
> Ciao, Michael.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
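The fallback Michael mentions, an external process that keeps a stored memberOf attribute in sync with group membership, as an added example for this thread (not Æ-DIR's or OpenLDAP's code). It computes, from the group entries, the memberOf values each user entry should carry, diffs that against what is currently stored, and emits an LDIF modify stream that ldapmodify could apply. All DNs, entries and the 'member' group attribute are constructed sample data; the real thing would read both sides from the directory. Two caveats a practitioner would want: with slapo-memberof unloaded, memberOf has to exist in the schema as a user-modifiable attribute for the updater to write it, and the stored values are stale between a group change and the next updater run, which is the cost of this approach.

```python
"""External memberOf maintenance: derive memberOf from group entries,
diff against stored values, and emit LDIF 'changetype: modify' records.

Added example for this thread; not code from Æ-DIR or OpenLDAP.
All DNs and entries below are constructed sample data.
"""
import base64
from collections import defaultdict

MEMBEROF_ATTR = "memberOf"


def normalize_dn(dn):
    """Simplified DN normalisation for comparison only: case-fold and strip
    whitespace around RDN separators. Real distinguishedNameMatch is more
    involved; this is adequate for the sample data here."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def compute_memberof(groups):
    """groups: {group_dn: [member_dn, ...]}
    -> {normalized member_dn: set of group DNs} (the desired memberOf)."""
    desired = defaultdict(set)
    for group_dn, members in groups.items():
        for member_dn in members:
            desired[normalize_dn(member_dn)].add(group_dn)
    return desired


def diff_memberof(users, groups):
    """users: {user_dn: [currently stored memberOf values]}.
    Returns {user_dn: (values_to_add, values_to_delete)} for every user
    whose stored memberOf differs from what the groups imply. Members that
    have no entry in `users` are ignored: only known entries are written."""
    desired = compute_memberof(groups)
    changes = {}
    for user_dn, current in users.items():
        # Compare on normalized form so 'CN=Admins' and 'cn=admins' match,
        # but keep the original strings for the LDIF output.
        want = {normalize_dn(v): v for v in desired.get(normalize_dn(user_dn), ())}
        have = {normalize_dn(v): v for v in current}
        to_add = sorted(want[k] for k in want.keys() - have.keys())
        to_del = sorted(have[k] for k in have.keys() - want.keys())
        if to_add or to_del:
            changes[user_dn] = (to_add, to_del)
    return changes


def _ldif_line(attr, value):
    """One attribute line per RFC 2849: base64 form ('attr:: ') when the value
    is not a SAFE-STRING (non-ASCII, NUL/CR/LF, or leading space/colon/'<')."""
    unsafe_init = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if unsafe_init or unsafe_chars:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def _fold(line, width=76):
    """Fold long lines per RFC 2849: continuation lines begin with one space."""
    if len(line) <= width:
        return [line]
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return out


def to_ldif(changes):
    """Render the diff as LDIF modify records, one record per user entry."""
    lines = []
    for user_dn in sorted(changes):
        to_add, to_del = changes[user_dn]
        lines += _fold(_ldif_line("dn", user_dn))
        lines.append("changetype: modify")
        if to_del:  # stale values go first so they never coexist with new ones
            lines.append(f"delete: {MEMBEROF_ATTR}")
            for v in to_del:
                lines += _fold(_ldif_line(MEMBEROF_ATTR, v))
            lines.append("-")
        if to_add:
            lines.append(f"add: {MEMBEROF_ATTR}")
            for v in to_add:
                lines += _fold(_ldif_line(MEMBEROF_ATTR, v))
            lines.append("-")
        lines.append("")
    return "\n".join(lines)


# Constructed sample directory state (hypothetical entries under ou=ae-dir).
SAMPLE_GROUPS = {
    "cn=admins,ou=groups,ou=ae-dir": [
        "uid=alice,ou=people,ou=ae-dir",
        "uid=bob,ou=people,ou=ae-dir",
    ],
    "cn=devs,ou=groups,ou=ae-dir": [
        "UID=Bob,ou=people,ou=ae-dir",  # same entry as above, different case
        "uid=carol,ou=people,ou=ae-dir",
    ],
}
SAMPLE_USERS = {
    "uid=alice,ou=people,ou=ae-dir": ["cn=admins,ou=groups,ou=ae-dir"],
    "uid=bob,ou=people,ou=ae-dir": [
        "cn=admins,ou=groups,ou=ae-dir",
        "cn=retired,ou=groups,ou=ae-dir",  # stale: no group lists bob there
    ],
    "uid=carol,ou=people,ou=ae-dir": [],
}

if __name__ == "__main__":
    print(to_ldif(diff_memberof(SAMPLE_USERS, SAMPLE_GROUPS)))
```

Run as-is it prints modify records for bob (drop the stale cn=retired value, add cn=devs) and carol (add cn=devs) and nothing for alice, whose stored value already matches. Since the ACL in the thread only reads the stored values, the set.expand clause then applies to exactly what this process wrote.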
