On 01/31/2013 09:17 AM, Picture Book wrote:
After using dynamic group in ACL, I see the following messages in errors log

1.
ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

[31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]

2. 
ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

[31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]

repeat search 1 & 2, acllas__client_match_URL error message doesn't repeat.

3.
ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

no message in errors log

What platform?  What 389-ds-base version?
Not sure exactly what you're trying to do.


This is the dynamic group:

dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
cn: all special users
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=
 inetorgperson)(cn=*))

This is the ACL:

dn: ou=people,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: people
aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn
  = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
createTimestamp: 20130131152507Z

The following is the ldif export of the test setup

version: 1
dn: ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Test
createTimestamp: 20130123175104Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: ou=test,dc=example,dc=com
entryid: 10
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130123175104Z
nsUniqueId: 6428fe79-658511e2-9283c9b9-f4c01566
numSubordinates: 5
parentid: 1
subschemaSubentry: cn=schema

dn: cn=mygroup,ou=Test,dc=example,dc=com
objectClass: groupofuniquenames
objectClass: top
cn: mygroup
uniqueMember: uid=test11,ou=test,dc=example,dc=com
createTimestamp: 20130123175116Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: cn=mygroup,ou=test,dc=example,dc=com
entryid: 11
hasSubordinates: FALSE
modifiersName: cn=referential integrity postoperation,cn=plugins,cn=config
modifyTimestamp: 20130123182725Z
nsUniqueId: 6428fe7a-658511e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
subschemaSubentry: cn=schema

dn: uid=test11,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test 1
sn: 1
givenName: test
uid: test11
userPassword:: e1NTSEF9QUNkS1NiOFVkOFJQSy9TeklGN2pCN2trblQvYWpkZjBwZy84c0E9P
 Q==
createTimestamp: 20130123175131Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: uid=test11,ou=test,dc=example,dc=com
entryid: 12
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131155727Z
nsUniqueId: 6428fe7b-658511e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
passwordGraceUserTime: 0
subschemaSubentry: cn=schema

dn: ou=people,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: people
aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn
  = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
createTimestamp: 20130131152507Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: ou=people,ou=test,dc=example,dc=com
entryid: 13
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131155032Z
nsUniqueId: 55ac9901-6bba11e2-9283c9b9-f4c01566
numSubordinates: 1
parentid: 10
subschemaSubentry: cn=schema

dn: ou=groups,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: groups
createTimestamp: 20130131152521Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: ou=groups,ou=test,dc=example,dc=com
entryid: 14
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131152521Z
nsUniqueId: 55ac9902-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
subschemaSubentry: cn=schema

dn: ou=special,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: special
createTimestamp: 20130131152543Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: ou=special,ou=test,dc=example,dc=com
entryid: 15
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131152543Z
nsUniqueId: 796fdf01-6bba11e2-9283c9b9-f4c01566
numSubordinates: 2
parentid: 10
subschemaSubentry: cn=schema

dn: uid=aclp,ou=special,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: acl problem
sn: problem
givenName: acl
uid: aclp
userPassword:: e1NTSEF9dE1MR0F6bzhjcDJMb2JTN2FoMkZTcnE1RS9PTXg2S0FEUEtjMnc9P
 Q==
createTimestamp: 20130131152618Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: uid=aclp,ou=special,ou=test,dc=example,dc=com
entryid: 16
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131152854Z
nsUniqueId: 796fdf02-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 15
passwordGraceUserTime: 0
subschemaSubentry: cn=schema

dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
cn: all special users
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=
 inetorgperson)(cn=*))
createTimestamp: 20130131152806Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: cn=all special users,ou=special,ou=test,dc=example,dc=com
entryid: 17
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131155311Z
nsUniqueId: c0f66b01-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 15
subschemaSubentry: cn=schema

dn: uid=ttest,ou=people,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test test
sn: test
givenName: test
uid: ttest
userPassword:: e1NTSEF9VktyMVRzbHgxbVRJbGJJQlRnTXlRamVmREpHVE1nQk8yNnNucVE9P
 Q==
createTimestamp: 20130131152911Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: uid=ttest,ou=people,ou=test,dc=example,dc=com
entryid: 18
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131154252Z
nsUniqueId: e4b9b101-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 13
passwordGraceUserTime: 0
subschemaSubentry: cn=schema


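An added example (not part of the original messages, and not 389-ds-base code): a simplified model of the onelevel scope test that the acllas__client_match_URL messages above describe, applied to the memberURL and the three bind DNs from the report. It assumes DNs without escaped commas and does not evaluate the filter part of the memberURL; the function names are hypothetical.

```python
from urllib.parse import unquote

def parse_dn(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base RDNs, scope, filter)."""
    prefix = "ldap:///"
    if not url.lower().startswith(prefix):
        raise ValueError("not an ldap:/// URL: %r" % url)
    parts = url[len(prefix):].split("?", 3)
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, flt = parts
    # RFC 4516: a missing scope means "base".
    return parse_dn(unquote(base)), (scope or "base").lower(), flt

def scope_match(bind_dn, member_url):
    """Return (in_scope, reason); the filter is NOT evaluated here."""
    base, scope, _flt = parse_member_url(member_url)
    client = parse_dn(bind_dn)
    parent = client[1:]
    below = len(client) > len(base) and client[len(client) - len(base):] == base
    if scope == "base":
        ok = client == base
    elif scope == "one":
        ok = parent == base          # only direct children of the URL base
    elif scope == "sub":
        ok = client == base or below
    else:
        raise ValueError("unknown scope %r" % scope)
    reason = "in scope" if ok else (
        "scope is %s; parent of bind DN is [%s], URL base is [%s]"
        % (scope, ",".join(parent), ",".join(base)))
    return ok, reason

# memberURL and bind DNs copied from the report above.
MEMBER_URL = ("ldap:///ou=special,ou=test,dc=example,dc=com??one?"
              "(&(objectclass=inetorgperson)(cn=*))")
BIND_DNS = [
    "uid=ttest,ou=people,ou=Test,dc=example,dc=com",   # search 1
    "uid=test11,ou=Test,dc=example,dc=com",            # search 2
    "uid=aclp,ou=special,ou=Test,dc=example,dc=com",   # search 3
]

if __name__ == "__main__":
    for dn in BIND_DNS:
        print(dn, "->", scope_match(dn, MEMBER_URL))
```

In this model the first two bind DNs fall outside the onelevel scope of the memberURL and the third is a direct child of its base, which lines up with which searches produced an errors-log message.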