> Hi,
>
> I have a problem with OpenLDAP and file permissions.
>
> ---
> First - I set this in my slapd.conf:
>
> overlay dynlist
> dynlist-attrset labeledURIObject labeledURI
>
> ---
> Second - I made cn=test,ou=Projects,dc=example,dc=com with:
>
> dn: cn=test,ou=Projects,dc=example,dc=com
> gidNumber: 6789
> objectClass: posixGroup
> objectClass: top
> objectClass: labeledURIObject
> labeledURI: ldap:///cn=testgroup,ou=Groups,dc=example,dc=com?memberUid?sub?(objectClass=posixGroup)
> memberUid: user1 (dynamic)
> memberUid: user2 (dynamic)
>
> In cn=testgroup,ou=Groups,dc=example,dc=com I have memberUid: user1 and
> memberUid: user2
>
> ---
> Third - when I ran getent group test I got:
>
> test:*:6789:user1,user2
>
> But when I try id user1 I don't see this group :(
>
> Next I set chmod 770 dir and chown root.test dir and tried to access
> this dir.
>
> But of course it is not possible because the user is not in this group
> (according to "id").
>
> Does somebody know the solution? I have spent a lot of hours on this and
> I can't find the problem.

slapo-dynlist(5) only allows direct membership, not reverse. Read the man page: when an entry with a specific objectClass is being returned, URL expansion may take place. So if you *search* with a dynamic member in the filter, nothing is returned.

What you are trying to accomplish cannot be obtained using slapo-dynlist(5). You probably need to use slapo-autogroup (in contrib/slapd-modules/).

p.
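
The ordering described in the reply, as an added example that is not part of the original thread and is not slapd code: a simplified Python model in which the filter is matched against stored attributes and URL expansion happens only on returned entries. The function names are hypothetical, the sample directory is constructed from the entries in the question, and it assumes the NSS client finds a user's groups with a memberUid filter.

```python
# Simplified model (not slapd code): the search filter is matched against
# stored attributes; dynlist URL expansion happens only afterwards, on
# entries that are being returned.

# Constructed sample directory, mirroring the entries in the question.
DIRECTORY = {
    "cn=testgroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["testgroup"],
        "memberUid": ["user1", "user2"],
    },
    "cn=test,ou=Projects,dc=example,dc=com": {
        "objectClass": ["posixGroup", "labeledURIObject"],
        "cn": ["test"],
        "gidNumber": ["6789"],
        # Stored entry holds only the URL (reduced here to base DN and
        # attribute); it has no memberUid values of its own.
        "labeledURI": [("cn=testgroup,ou=Groups,dc=example,dc=com", "memberUid")],
    },
}

def matches(entry, flt):
    """AND of (attribute, value) equality tests against stored values."""
    return all(value in entry.get(attr, []) for attr, value in flt)

def expand(entry):
    """Return a copy with attributes pulled in from each labeledURI target."""
    out = {k: list(v) for k, v in entry.items()}
    if "labeledURIObject" in entry["objectClass"]:
        for base, attr in entry["labeledURI"]:
            out.setdefault(attr, []).extend(DIRECTORY[base].get(attr, []))
    return out

def search(flt):
    """Filter first, expand second."""
    return {dn: expand(e) for dn, e in DIRECTORY.items() if matches(e, flt)}

def getent_group(name):
    """Lookup by group name, as `getent group <name>` does."""
    return search([("objectClass", "posixGroup"), ("cn", name)])

def groups_of(user):
    """Lookup by member, as `id <user>` does to build the group list."""
    hits = search([("objectClass", "posixGroup"), ("memberUid", user)])
    return sorted(e["cn"][0] for e in hits.values())
```

The by-name lookup returns `test` with both expanded members, while the by-member lookup for `user1` returns only `testgroup`, so the kernel never grants gid 6789 and the `chmod 770` directory stays inaccessible.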
