
Wishes for set ACLs

I've got a few wishes for set acls.

First, here is a brief explanation of sets for the uninitiated
(hopefully I've got it right):
- 'access ... by set=<set>' evaluates an expression as a set of
  strings, and selects the "by" clause if the result set is not empty.
- 'user' is a 1-element set with the bound DN.
- 'this' is a 1-element set with the DN being accessed.
- [<any text>] is a 1-element set with that text.
- <set>/<attribute> looks up the entries with the DNs in <set>,
  and returns the values of <attribute> in the entries.
- '&' produces the intersection of two sets.
- there is some more, but that's enough to get the idea.
More detail in <http://www.openldap.org/faq/data/cache/1133.html>
and <http://www.openldap.org/faq/data/cache/1134.html>.

Wishes:

1.
It would be nice to have boolean operators on sets.  That allows
e.g. 'members of posixGroup A can access members of posixGroup B':

(user/uid & [cn=A]/memberUid) && (this/uid & [cn=B]/memberUid)

where '&&' would return the empty set if one of the sets is empty, and
either the set [] or the last set otherwise.

or it could be

(user/uid & [cn=A]/memberUid)@bool & (this/uid & [cn=B]/memberUid)@bool

where <set>@bool returns the empty set if <set> is empty and []
otherwise.

Or spell @bool as just @ or ? or whatever, but we'll probably want more
transformations later so maybe it's best to not use up too many special
characters.

2.
An operator would be useful which escaped the members of a set as DNs.
"[cn=] + user/cn + [,o=foo]" is wrong if the cn contains ",".

3.
Maybe an un-escaping operator too, for "self/uid & [$1]" where $1
comes from a regular expression match in the 'access to' clause.


-- 
Hallvard
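As an added illustration (not part of the post and not slapd's implementation), the following Python model reproduces the set semantics sketched at the top of the message and the three wishes: '[text]', '<set>/<attribute>' and '&' over a small constructed in-memory directory, the proposed '&&' and '@bool' operators with the posixGroup A / posixGroup B rule, and DN-value escaping and unescaping following RFC 4514 rules as a stand-in for the wished-for operators. Entry DNs, attribute values and the function names are all assumptions made up for the example.

```python
# Added model of the set-ACL semantics described in the post; not slapd's code.
from typing import Dict, List, Set

# Constructed sample directory: DN -> attribute -> values.
# The group DNs are kept as plain "cn=A" / "cn=B" to match the post's [cn=A]/memberUid.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,o=foo": {"uid": ["alice"], "cn": ["Smith, Alice"]},
    "uid=bob,ou=people,o=foo":   {"uid": ["bob"],   "cn": ["Bob"]},
    "cn=A": {"cn": ["A"], "memberUid": ["alice"]},
    "cn=B": {"cn": ["B"], "memberUid": ["bob"]},
}


def literal(text: str) -> Set[str]:
    """[<text>] : a 1-element set holding that text."""
    return {text}


def attr_of(dns: Set[str], attribute: str) -> Set[str]:
    """<set>/<attribute> : the values of attribute in the entries named by dns."""
    values: Set[str] = set()
    for dn in dns:
        values.update(DIRECTORY.get(dn, {}).get(attribute, []))
    return values


def to_bool(s: Set[str]) -> Set[str]:
    """Wish 1, '<set>@bool': empty stays empty, anything else becomes [] (the empty string)."""
    return {""} if s else set()


def and_and(a: Set[str], b: Set[str]) -> Set[str]:
    """Wish 1, proposed '&&': empty if either side is empty, otherwise the last set."""
    return b if a and b else set()


def can_access(user_dn: str, this_dn: str) -> bool:
    """'members of posixGroup A can access members of posixGroup B', as in the post:
    (user/uid & [cn=A]/memberUid) && (this/uid & [cn=B]/memberUid)"""
    user, this = literal(user_dn), literal(this_dn)      # 'user' and 'this' sets
    lhs = attr_of(user, "uid") & attr_of(literal("cn=A"), "memberUid")
    rhs = attr_of(this, "uid") & attr_of(literal("cn=B"), "memberUid")
    return bool(and_and(lhs, rhs))                       # non-empty => "by" clause selected


_SPECIAL = set('\\,+"<>;=')   # characters RFC 4514 requires escaping anywhere in a value


def escape_dn_value(value: str) -> str:
    """Wish 2: escape one attribute value so it can be pasted into a DN string."""
    out: List[str] = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                                   # NUL as a hex pair
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)                                # leading space/'#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(value: str) -> str:
    """Wish 3: reverse escape_dn_value (single-byte \\XX hex pairs only, for brevity)."""
    out: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(value[i + 1])          # backslash followed by a literal character
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def member_dns(cn_values: Set[str]) -> Set[str]:
    """'[cn=] + user/cn + [,o=foo]' done safely: escape each cn before concatenating."""
    return {"cn=" + escape_dn_value(cn) + ",o=foo" for cn in cn_values}


if __name__ == "__main__":
    print(can_access("uid=alice,ou=people,o=foo", "uid=bob,ou=people,o=foo"))   # True
    print(can_access("uid=bob,ou=people,o=foo", "uid=alice,ou=people,o=foo"))   # False
    print(member_dns(attr_of(literal("uid=alice,ou=people,o=foo"), "cn")))
```

Running the module shows the rule selecting the "by" clause only for an A-member accessing a B-member, and the cn "Smith, Alice" becoming `cn=Smith\, Alice,o=foo` rather than a DN with a stray extra RDN.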