On 08.06.2023 23:15, Quanah Gibson-Mount wrote:
>> I tried to use group=... and group.exact=... without success.
>> The Administrator's Guide [1] says that group=... assumes that the
>> objectClass is "groupOfNames", and if I use another objectClass, I
>> should use:
>>     by group/<objectclass>/<attributename>=<DN> <access>
>> That is for static groups, not dynamic groups.
>> In that case, what's the correct approach to use a dynamic group inside
>> an olcAccess rule?
>> The Administrator's Guide says that dynamic groups are supported. But
>> either I am blind, or both the slapo-dynlist(5) man page and the Dynamic
>> Lists overlay section (in the Administrator's Guide) do not include
>> information about ACLs.
> You've not provided any examples of the 'group' ACLs you provided, nor
> the full context of your ACLs, so they may have not worked for any
> number of reasons.
This is the full ACL I was using:
to attrs=userPassword
by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read
by self write
by anonymous auth
However, this won't solve my problem in general. Even if the
"by group=..." statement worked, it would give all group members read
permission on all users' "userPassword" attribute. Whereas I want users
in this group only to have read access to their own "userPassword"
attribute, all other users not in this group should be able to change
their own password. That's why I tried to use the "set" statement in the
first place.
to attrs=userPassword
by set="this & [cn=test,ou=Groups,ou=System,dc=example,dc=local]/member* & user" read
by self write
by anonymous auth
I want to prohibit some users from changing their passwords because they
authenticate via SASL against Active Directory. If they changed their
password, they would no longer authenticate against the Active
Directory.
--
Souji Thenria
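The following is an added illustration, not code from the thread or from OpenLDAP: a toy model of how slapd walks the "to attrs=userPassword" ACL above, where the first matching "by" clause decides the access level. The directory contents (a static group "cn=test,..." whose "member" attribute lists alice, and two user entries) are constructed; the function names are assumptions. It shows why the "set" clause yields read-only access for group members on their own entry and leaves "by self write" for everyone else, and it makes the gap of the thread visible: the expansion of "[group]/member*" only sees stored "member" values, which a dynamic group does not have.

```python
"""Constructed model of slapd's first-match ACL evaluation for the ACL
   to attrs=userPassword
   by set="this & [GROUP]/member* & user" read
   by self write
   by anonymous auth
This is an illustration only, not OpenLDAP's evaluator."""

GROUP_DN = "cn=test,ou=Groups,ou=System,dc=example,dc=local"
ALICE = "uid=alice,ou=People,dc=example,dc=local"
BOB = "uid=bob,ou=People,dc=example,dc=local"

# Constructed directory: a static group with a stored "member" attribute.
# A dynamic group would have no stored "member" values here at all.
DIRECTORY = {
    GROUP_DN: {"member": [ALICE]},
    ALICE: {},
    BOB: {},
}


def group_members(group_dn, attr="member", seen=None):
    """Expand "[group_dn]/member*": the group's members, recursing into
    nested groups ("*" in set syntax means follow the attribute recursively)."""
    seen = set() if seen is None else seen
    result = set()
    for dn in DIRECTORY.get(group_dn, {}).get(attr, []):
        if dn in seen:
            continue
        seen.add(dn)
        result.add(dn)
        result |= group_members(dn, attr, seen)
    return result


def set_clause_matches(this, user):
    """Evaluate the set 'this & [GROUP_DN]/member* & user'.
    "this" is the target entry DN, "user" the bound DN (None = anonymous).
    The intersection is non-empty only when user == this and user is a member."""
    bound = {user} if user is not None else set()
    return bool({this} & group_members(GROUP_DN) & bound)


# The ACL's "by" clauses in the order they appear; first match wins.
ACL = [
    ("set", "read"),
    ("self", "write"),
    ("anonymous", "auth"),
]


def access(this, user):
    """Return the access level the ACL grants `user` on `this`'s userPassword."""
    for who, level in ACL:
        if who == "set" and set_clause_matches(this, user):
            return level
        if who == "self" and user is not None and user == this:
            return level
        if who == "anonymous" and user is None:
            return level
    return "none"  # no clause matched: implicit "by * none"


if __name__ == "__main__":
    print("alice on alice:", access(ALICE, ALICE))  # read (member, own entry)
    print("bob on bob:    ", access(BOB, BOB))      # write (non-member, own entry)
    print("bob on alice:  ", access(ALICE, BOB))    # none
    print("anon on alice: ", access(ALICE, None))   # auth
```

Because "by set=... read" precedes "by self write", a member of the group never reaches the "self write" clause for their own entry, which is the intended effect of the ACL in the thread; a non-member falls through to it. Whether the set expansion sees attribute values that the dynlist overlay generates at search time is exactly what the thread leaves open, and this model does not answer it.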