On Fri, Jun 09, 2023 at 04:13:46PM +0200, Souji Thenria wrote: > On 08.06.2023 23:15, Quanah Gibson-Mount wrote: >>> I tried to use group=... and group.exact=... without success. >>> The Administrator's Guide [1] says that group=... assumes that the >>> objectClass is "groupOfNames", and if I use another objectClass, I >>> should use: >>> by group/<objectclass>/<attributename>=<DN> <access> >> >> That is for static groups, not dynamic groups. > > In that case, what's the correct approach to use a dynamic group inside > an olcAccess rule? > The Administrator's Guide says that dynamic groups are supported. But > either I am blind, or both the slapo-dynlist(5) man page and the Dynamic > Lists overlay section (in the Administrator's Guide) do not include > information about ACLS.
See "man 5 slapd.access", it mentions both static groups (a DN-syntax attribute) and dynamic groups (attribute derived from labeledURI) in the "by groups=..." fragment. Dynlist isn't involved in ACL processing and you do not need to load/configure it for this to happen. Regards, -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP
