Openldap + Dynlist + Posixgroup

Issue with Dynamic Groups in OpenLDAP

It's clear that this is not how dynamic groups work. In the end I decided to use static groups.

A good answer can be found at: stackoverflow.com/questions/4603570/openldap-dynlist-posixgroup

Best practice for managing POSIX group membership with additional attributes in LDAP

I would suggest that you simply get rid of the first implementation and just use posixGroup. Database denormalization is always a bad idea, whatever form it takes.

And you don't need to extend schemas for this problem. If you want to distinguish these committees just put them in their own subtree.

But I'd like more detail on why using a dynamic list doesn't work. You could use the memberOf overlay instead of having to do reverse lookups.
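The memberOf overlay mentioned above, shown as an added example that is not part of the original question or answers: it enables slapo-memberof on a cn=config OpenLDAP (2.4 or later) so that a user's group memberships can be read from the user entry instead of searching every group for a memberUid. The database index {1}mdb, the base dc=example,dc=com, the group and user DNs are all assumptions. One caveat a practitioner needs: slapo-memberof only follows a DN-valued member attribute (by default `member` on `groupOfNames`); posixGroup's memberUid holds plain uid strings, so the group must also carry `member` DNs, which with the rfc2307bis schema (where posixGroup is AUXILIARY) can live on the same entry as shown here.

```ldif
# Added example, not the original poster's configuration.
# Assumptions: cn=config layout, data database olcDatabase={1}mdb,
# base dc=example,dc=com, rfc2307bis schema loaded (posixGroup AUXILIARY).

# 1. Load the memberof module (omit if slapd was built with it statically).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# 2. Attach the overlay to the data database. It watches the DN-valued
#    "member" attribute on groupOfNames entries and maintains memberOf
#    on each referenced user entry; RefInt keeps it consistent on deletes.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# 3. A committee group that is both a posixGroup (memberUid for NSS/PAM)
#    and a groupOfNames (member DNs for the overlay). Constructed sample data.
dn: cn=committee-a,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
objectClass: posixGroup
cn: committee-a
gidNumber: 10001
member: uid=alice,ou=people,dc=example,dc=com
memberUid: alice
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif`. Two things to check afterwards: the overlay only populates memberOf for groups written after it is enabled, so pre-existing groups have to be re-added or re-modified; and memberOf is an operational attribute, so it must be requested by name, e.g. `ldapsearch -x -b "uid=alice,ou=people,dc=example,dc=com" -s base memberOf`.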

openldap ACLs not read

This is covered - I believe - in the OpenLDAP FAQ. Excerpts:

Ordering is very important here. As soon as a subject match occurs,
the mask will be determined and resolution will stop.

The debug message is clear that at rule #3, there is a match. The write by * read component in rule 3 matches the requestor (cn=extra,ou=system,dc=xxxxx,dc=xx), so the processing stops. This means that you need to put the current rule 5 to come before rule 3.
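The reordering described above, as an added example that is not the configuration from the question (which is not shown on this page): OpenLDAP selects the first `to` clause whose target matches the entry or attribute being accessed and never consults later access directives for that target; within that clause the first matching `by` clause fixes the access level. A broad `by * read` placed before a specific `by dn.exact=... write` therefore silently caps the privileged DN at read. The rule set is reduced to a few constructed rules, and the database index {1}mdb, the base dc=example,dc=com and the subtree ou=system are assumptions; the requester DN follows the question's cn=extra,ou=system.

```ldif
# Added example, not the ACLs from the question above.
# Assumptions: olcDatabase={1}mdb, base dc=example,dc=com.
#
# Broken order (what the question's debug output describes). Rule {1}
# matches the target, its "by * read" matches cn=extra, evaluation stops,
# and rule {2} is never reached even though it grants write:
#
#   olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
#   olcAccess: {1}to dn.subtree="ou=system,dc=example,dc=com" by * read
#   olcAccess: {2}to dn.subtree="ou=system,dc=example,dc=com"
#     by dn.exact="cn=extra,ou=system,dc=example,dc=com" write
#   olcAccess: {3}to * by * read
#
# Fixed order: the specific grant comes first and everyone else falls
# through to read within the same clause (a leading space continues a line).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=system,dc=example,dc=com"
  by dn.exact="cn=extra,ou=system,dc=example,dc=com" write
  by * read
olcAccess: {2}to *
  by * read
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then verify without restarting or running a client: `slapacl -F /etc/ldap/slapd.d -D "cn=extra,ou=system,dc=example,dc=com" -b "ou=system,dc=example,dc=com" "entry/write"` should now report write access granted, and the same command with a different `-D` should report only read. Running `slapd -d acl` reproduces the per-rule match trace quoted in the question.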
