From: Dulip W. <wit...@as...> - 2014-03-06 15:48:50
Hi Adam,

I have an issue with the LDAP groups for the current trunk (2013.03.06). When I create a user, I have configured security.xml so that an LDAP user is created as a group user belonging to "biblio.users". So the entry looks like this. So I have the configuration like this.

    <group name="domain us...@ad..."/>
    <group name="biblio.users"/>

But when I now run a script to create a user collection in a folder which belongs to the biblio.users group, the LDAP user does not have the rights to create it.

    xquery version "3.0";
    let $user := "dul...@ad..."
    return
    sm:get-permissions(xs:anyURI("/db/resources/users")),
    xmldb:create-collection("/resources/users", "dul...@ad..."),
    sm:chgrp(xs:anyURI("/resources/users/dul...@ad..."), "biblio.users"),
    sm:get-permissions(xs:anyURI("/resources/users/dul...@ad...")),

    exerr:ERROR Permission to modify permissions is denied for user 'dul...@ad...' on '/resources/users/dul...@ad...': You do not have appropriate access rights to modify permissions on this object [at line 9, column 1]

I earlier assumed that if I am in both biblio.users and domain us...@ad..., I should be able to change the permissions, and it worked. Am I doing something wrong against the newer security model?

If I have only this

    <group name="biblio.users"/>

the script runs.

    <sm:permission xmlns:sm="http://exist-db.org/xquery/securitymanager" owner="editor" group="biblio.users" mode="rwxrwxrwx">
        <sm:acl entries="0"/>
    </sm:permission>

    /db/resources/users/dul...@ad...

    <sm:permission xmlns:sm="http://exist-db.org/xquery/securitymanager" owner="dul...@ad..." group="biblio.users" mode="rwxr-xr-x">
        <sm:acl entries="0"/>
    </sm:permission>