Hello,
I have converted from static (slapd.conf) to dynamic (cn=config)
configuration using auto file conversion.
I would like to ask a couple of questions regarding ACL conversion.
Here follows one of the rules we have in initial form (a), and after
conversion (b):
(a)
access to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr"
    attrs="children,entry"
    by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write
    by group.exact="cn=Dept1Admins,ou=Groups,dc=example,dc=gr" read
    by group.exact="cn=Dept2Admins,ou=Groups,dc=example,dc=gr" write
    by group.exact="cn=Dept3Admins,ou=Groups,dc=example,dc=gr" read
    by group.exact="cn=Dept4Admins,ou=Groups,dc=example,dc=gr" read
    by group.exact="cn=Dept5Admins,ou=Groups,dc=example,dc=gr" read
    by group.exact="cn=GuestAdmins,ou=Groups,dc=example,dc=gr" read
    by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read
    by * break
(b) as an olcAccess attribute value:
{10}to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr"
    attrs=children,entry
    by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr" write
    by group/groupOfNames/member.exact="cn=Dept1Admins,ou=groups,dc=example,dc=gr" read
    by group/groupOfNames/member.exact="cn=Dept2Admins,ou=groups,dc=example,dc=gr" write
    by group/groupOfNames/member.exact="cn=Dept3Admins,ou=groups,dc=example,dc=gr" read
    by group/groupOfNames/member.exact="cn=Dept4Admins,ou=groups,dc=example,dc=gr" read
    by group/groupOfNames/member.exact="cn=Dept5Admins,ou=groups,dc=example,dc=gr" read
    by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=example,dc=gr" read
    by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read
    by * +0 break
Question 1.
Why was "group.exact" changed to "group/groupOfNames/member.exact"?
Yes, groups are defined as entries of groupOfNames objectClass, with
members defined as values of attribute "member". But should it be like
that? Should we change (manually) "group/groupOfNames/member.exact"
back to "group.exact" again or not (and why)?
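
An added example, not part of the original post: slapd.access(5) gives groupOfNames and member as the defaults for a "group" clause, so the Python sketch below normalizes the rewrites visible in (a) and (b) and compares the by-clauses in order to confirm a converted rule grants the same access. The function names and the shortened sample ACLs are constructed for illustration, and lower-casing DNs is a simplification of DN matching.

```python
import shlex
from itertools import zip_longest

CONTROLS = {"stop", "continue", "break"}
GROUP_DEFAULT = "group/groupOfNames/member"  # defaults per slapd.access(5)

def normalize_who(who):
    """Canonical form of one <who> term, using the rewrites seen in (a) -> (b)."""
    kind, eq, value = who.partition("=")
    if not eq:                               # "*", "users", "anonymous", ...
        return who
    name, dot, style = kind.partition(".")
    if name == "group":                      # spell out objectClass/attribute
        name = GROUP_DEFAULT
    if name == "dn" and style == "exact":    # "exact" and "base" are synonyms
        style = "base"
    return f"{name}{dot}{style}={value.lower()}"  # simplification: case-fold DN

def by_clauses(acl):
    """Return [(who, access), ...] for each "by" clause, in evaluation order."""
    tokens = shlex.split(acl)                # removes the quotes around DNs
    clauses, i = [], 0
    while i < len(tokens):
        if tokens[i] != "by" or i + 1 == len(tokens):
            i += 1
            continue
        j = i + 2
        while j < len(tokens) and tokens[j] != "by":
            j += 1
        access = tokens[i + 2:j]
        if access and access[0] in CONTROLS:  # bare control: (b) writes "+0"
            access.insert(0, "+0")
        clauses.append((normalize_who(tokens[i + 1]), " ".join(access)))
        i = j
    return clauses

def acl_diff(before, after):
    """Positions where the two ACLs' by-clauses differ; [] means equivalent."""
    pairs = zip_longest(by_clauses(before), by_clauses(after))
    return [(i, a, b) for i, (a, b) in enumerate(pairs) if a != b]

# Constructed sample: the page's rule with a shortened target and fewer groups.
BEFORE = ('access to dn.subtree="ou=dns1,dc=example,dc=gr" attrs="children,entry" '
          'by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write '
          'by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read by * break')
AFTER = ('{10}to dn.subtree="ou=dns1,dc=example,dc=gr" attrs=children,entry '
         'by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr" '
         'write by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read by * +0 break')

print(acl_diff(BEFORE, AFTER))
```

Only the by-clauses are compared; the target ("to ...") part of each rule still needs to be checked by eye.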