
RE: About ACL



> In the original example there are users at multiple depths in the ou=
> hierarchy. To get all that in a single rule, try this:
> 
>   access to dn=".+,ou=(.+),o=XYZ"
>       by dn="cn=[^,]+,ou=$1,o=XYZ"
> 

Hello, what I would like to do is quite different.
Basically, the problem is the following:
"Given a user defined in a subtree, allow access (read-only) only to the
subtree under which the user is attached."
Suppose the user is
  cn=someone,a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
He can access only the subtree
  .+,a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
Since the tree is modified by an application, the type of the tree nodes
may vary (i.e. a(N) can be an ou or something else).

I don't know if it's possible to express this relation with the ACL
semantics
  access to <what>
    by <who> <policy>
because I have to define <who> as a function of <what>, while the
relation above is inverted.
The inverted relation would be: given a node
  a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
allow read access (if existing) to

  cn=([^,]+),a(1)=v(1) or
  cn=([^,]+),a(2)=v(2),a(1)=v(1) or
  cn=([^,]+),a(3)=v(3),a(2)=v(2),a(1)=v(1) or
  ....
  cn=([^,]+),a(N)=v(N),a(N-1)=v(N-1),...,a(1)=v(1)

Anyway, it sounds very difficult to me to implement in a single RE.


 
Thanks for your help,
L.
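The access relation described in the message above, written out as an added, self-contained Python model of the policy decision. This is example code added here; it is not part of the original thread and it is not an OpenLDAP ACL. It assumes a constructed sample tree under o=XYZ with node types that vary by depth (ou, l, cn), assumes users carry a cn= leaf RDN as in the message's patterns, and follows the inverted form of the relation (the subtree root itself is readable by the users attached directly under it; the first form with a leading `.+,` excludes that root). Both directions are implemented and cross-checked: `can_read` decides <what> as a function of <who>, `allowed_user_patterns` enumerates the "or" list of <who> patterns for a given <what>. A naive string-suffix check is kept alongside only to show the trap it falls into.

```python
import re
from typing import List

# Constructed sample tree under o=XYZ (not from the original thread); node
# types vary by depth (ou, l, cn), as the message says they may.
USERS = [
    "cn=alice,l=paris,ou=sales,o=XYZ",
    "cn=bob,ou=sales,o=XYZ",
    "cn=carol,o=XYZ",
]
NODES = [
    "o=XYZ",
    "ou=sales,o=XYZ",
    "l=paris,ou=sales,o=XYZ",
    "cn=bob,ou=sales,o=XYZ",
    "cn=alice,l=paris,ou=sales,o=XYZ",
    "cn=y,bigou=sales,o=XYZ",   # string-suffix trap: ends in "ou=sales,o=XYZ"
]

# Split on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def split_dn(dn: str) -> List[str]:
    """Return the RDN components of dn, leftmost first.

    Attribute types are lower-cased so OU=sales and ou=sales compare equal;
    values are left as-is (value matching rules depend on attribute syntax,
    which this toy does not model).
    """
    comps = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        comps.append(f"{attr.strip().lower()}={value.strip()}")
    return comps


def can_read(user_dn: str, target_dn: str) -> bool:
    """<what> as a function of <who>: the user may read target_dn iff it lies
    in the subtree rooted at the user's parent entry (root included).
    Comparison is component-wise, never a plain string suffix test."""
    parent = split_dn(user_dn)[1:]
    target = split_dn(target_dn)
    if not parent:            # user hangs directly off the root: no subtree
        return False
    return len(target) >= len(parent) and target[-len(parent):] == parent


def naive_can_read(user_dn: str, target_dn: str) -> bool:
    """The tempting one-liner; kept only to show why it is wrong: any DN
    whose text merely ends in the parent string passes."""
    _, _, parent = user_dn.partition(",")
    return bool(parent) and target_dn.endswith(parent)


def allowed_user_patterns(target_dn: str) -> List[str]:
    """<who> as a function of <what>: the 'or' list from the message, one
    anchored regex per suffix of the target DN, shortest suffix first.
    Users are assumed to have a cn= leaf RDN, as in the message."""
    comps = split_dn(target_dn)
    return [
        r"^cn=[^,]+," + re.escape(",".join(comps[-depth:])) + r"$"
        for depth in range(1, len(comps) + 1)
    ]


def matches_any(user_dn: str, patterns: List[str]) -> bool:
    """Match the normalised user DN against the enumerated patterns."""
    normalized = ",".join(split_dn(user_dn))
    return any(re.match(p, normalized) for p in patterns)


def relations_agree(users=USERS, nodes=NODES) -> bool:
    """Both formulations must grant exactly the same (user, node) pairs."""
    return all(
        can_read(u, n) == matches_any(u, allowed_user_patterns(n))
        for u in users for n in nodes
    )


if __name__ == "__main__":
    for u in USERS:
        readable = [n for n in NODES if can_read(u, n)]
        print(f"{u} may read: {readable}")
    print("formulations agree:", relations_agree())
    print("naive suffix check leaks:",
          naive_can_read("cn=bob,ou=sales,o=XYZ", "cn=y,bigou=sales,o=XYZ"))
```

The point the cross-check makes is that the two formulations are the same policy: for a node at depth N there are exactly N candidate parent suffixes, so the "or" list cannot be collapsed into one capture group, but a component-wise suffix comparison decides it in one step. The `bigou=sales` node shows why the comparison has to be on RDN components rather than on the DN string: `endswith` grants bob access to an entry outside his subtree, and the same mistake in a regex without a `,` anchor in front of the captured suffix would do the same.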