<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 01/31/2013 09:17 AM, Picture Book wrote:
    <blockquote cite="mid:COL002-W818C4C873F8D0094BD5410AD1D0@phx.gbl"
      type="cite">
      <pre wrap="">After using dynamic group in ACL, I see the following messages in errors log

1.
ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

[31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [<a class="moz-txt-link-freetext" href="ldap:///ou=special,ou=test,dc=example,dc=com??one?(&amp;(objectclass=inetorgperson)(cn=*))">ldap:///ou=special,ou=test,dc=example,dc=com??one?(&amp;(objectclass=inetorgperson)(cn=*))</a>] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]

2. 
ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

[31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [<a class="moz-txt-link-freetext" href="ldap:///ou=special,ou=test,dc=example,dc=com??one?(&amp;(objectclass=inetorgperson)(cn=*))">ldap:///ou=special,ou=test,dc=example,dc=com??one?(&amp;(objectclass=inetorgperson)(cn=*))</a>] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]

Repeat search 1 &amp; 2, acllas__client_match_URL error message doesn't repeat.

3.
ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

no message in errors log</pre>
    </blockquote>
    <br>
    What platform?  What 389-ds-base version?<br>
    Not sure exactly what you're trying to do.<br>
    <br>
    <blockquote cite="mid:COL002-W818C4C873F8D0094BD5410AD1D0@phx.gbl"
      type="cite">
      <pre wrap="">

This is the dynamic group:

dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
cn: all special users
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&amp;(objectclass=
 inetorgperson)(cn=*))

This is the ACL 
dn: ou=people,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: people
aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn
  = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
createTimestamp: 20130131152507Z

The following is the ldif export of the test setup

version: 1
dn: ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Test
createTimestamp: 20130123175104Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: ou=test,dc=example,dc=com
entryid: 10
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130123175104Z
nsUniqueId: 6428fe79-658511e2-9283c9b9-f4c01566
numSubordinates: 5
parentid: 1
subschemaSubentry: cn=schema

dn: cn=mygroup,ou=Test,dc=example,dc=com
objectClass: groupofuniquenames
objectClass: top
cn: mygroup
uniqueMember: uid=test11,ou=test,dc=example,dc=com
createTimestamp: 20130123175116Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: cn=mygroup,ou=test,dc=example,dc=com
entryid: 11
hasSubordinates: FALSE
modifiersName: cn=referential integrity postoperation,cn=plugins,cn=config
modifyTimestamp: 20130123182725Z
nsUniqueId: 6428fe7a-658511e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
subschemaSubentry: cn=schema

dn: uid=test11,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test 1
sn: 1
givenName: test
uid: test11
userPassword:: e1NTSEF9QUNkS1NiOFVkOFJQSy9TeklGN2pCN2trblQvYWpkZjBwZy84c0E9P
 Q==
createTimestamp: 20130123175131Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: uid=test11,ou=test,dc=example,dc=com
entryid: 12
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131155727Z
nsUniqueId: 6428fe7b-658511e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
passwordGraceUserTime: 0
subschemaSubentry: cn=schema

dn: ou=people,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: people
aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn
  = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
createTimestamp: 20130131152507Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: ou=people,ou=test,dc=example,dc=com
entryid: 13
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131155032Z
nsUniqueId: 55ac9901-6bba11e2-9283c9b9-f4c01566
numSubordinates: 1
parentid: 10
subschemaSubentry: cn=schema

dn: ou=groups,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: groups
createTimestamp: 20130131152521Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: ou=groups,ou=test,dc=example,dc=com
entryid: 14
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131152521Z
nsUniqueId: 55ac9902-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
subschemaSubentry: cn=schema

dn: ou=special,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: special
createTimestamp: 20130131152543Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: ou=special,ou=test,dc=example,dc=com
entryid: 15
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131152543Z
nsUniqueId: 796fdf01-6bba11e2-9283c9b9-f4c01566
numSubordinates: 2
parentid: 10
subschemaSubentry: cn=schema

dn: uid=aclp,ou=special,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: acl problem
sn: problem
givenName: acl
uid: aclp
userPassword:: e1NTSEF9dE1MR0F6bzhjcDJMb2JTN2FoMkZTcnE1RS9PTXg2S0FEUEtjMnc9P
 Q==
createTimestamp: 20130131152618Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: uid=aclp,ou=special,ou=test,dc=example,dc=com
entryid: 16
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131152854Z
nsUniqueId: 796fdf02-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 15
passwordGraceUserTime: 0
subschemaSubentry: cn=schema

dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
cn: all special users
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&amp;(objectclass=
 inetorgperson)(cn=*))
createTimestamp: 20130131152806Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: cn=all special users,ou=special,ou=test,dc=example,dc=com
entryid: 17
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131155311Z
nsUniqueId: c0f66b01-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 15
subschemaSubentry: cn=schema

dn: uid=ttest,ou=people,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test test
sn: test
givenName: test
uid: ttest
userPassword:: e1NTSEF9VktyMVRzbHgxbVRJbGJJQlRnTXlRamVmREpHVE1nQk8yNnNucVE9P
 Q==
createTimestamp: 20130131152911Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
 ot
entrydn: uid=ttest,ou=people,ou=test,dc=example,dc=com
entryid: 18
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
 oot
modifyTimestamp: 20130131154252Z
nsUniqueId: e4b9b101-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 13
passwordGraceUserTime: 0
subschemaSubentry: cn=schema</pre>
      <br>
      <pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
    </blockquote>
    <br>
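Added example, not part of the original message and not 389-ds-base code: a small Python model of how the one-level memberURL of the dynamic group quoted above selects bind DNs under RFC 4516 scope rules, applied to the three bind DNs used in the searches. It assumes DNs without escaped commas, and the filter evaluator covers only a single term or an AND of equality/presence terms.

```python
import re
from urllib.parse import unquote

def rdns(dn):
    """Normalise a DN to lower-cased RDNs (assumes no escaped commas)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516) into base, scope, filter."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are handled")
    parts = url[len("ldap:///"):].split("?", 3) + ["", "", ""]
    base, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    return rdns(base), (scope or "base").lower(), flt or "(objectClass=*)"

def in_scope(client, base, scope):
    """base = the entry itself, one = direct children only, sub = whole subtree."""
    lo, hi = {"base": (0, 0), "one": (1, 1), "sub": (0, len(client))}[scope]
    extra = len(client) - len(base)          # RDNs the client has below the base
    return lo <= extra <= hi and client[extra:] == base

def matches_filter(entry, flt):
    """Evaluate a single term or an AND of equality/presence terms, nothing more."""
    if re.search(r"\([|!]", flt):
        raise ValueError("OR/NOT filters are not handled here")
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", flt)
    for attr, want in terms:
        have = [v.lower() for v in entry.get(attr.lower(), [])]
        if want != "*" and "*" in want:
            raise ValueError("substring filters are not handled here")
        if not (have if want == "*" else want.lower() in have):
            return False
    return bool(terms)

def is_dynamic_member(client_dn, entry, member_url):
    """True when the bind DN is in the URL's scope and its entry passes the filter."""
    base, scope, flt = parse_member_url(member_url)
    return in_scope(rdns(client_dn), base, scope) and matches_filter(entry, flt)

# Illustration only, not 389-ds-base code. Values copied from the LDIF in the message.
MEMBER_URL = "ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))"
PERSON = {"objectclass": ["inetorgperson", "organizationalperson", "person", "top"]}
BINDS = {
    "uid=ttest,ou=people,ou=Test,dc=example,dc=com": {**PERSON, "cn": ["test test"]},
    "uid=test11,ou=Test,dc=example,dc=com": {**PERSON, "cn": ["test 1"]},
    "uid=aclp,ou=special,ou=Test,dc=example,dc=com": {**PERSON, "cn": ["acl problem"]},
}
RESULTS = {dn: is_dynamic_member(dn, e, MEMBER_URL) for dn, e in BINDS.items()}
print(RESULTS)
```

Only uid=aclp, whose parent entry is ou=special, falls inside the one-level scope; this lines up with searches 1 and 2 logging the scope message and search 3 logging nothing.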
  </body>
</html>