
> In the original example there are users at multiple depths in the ou=
> hierarchy. To get all that in a single rule, try this:
>
> 	by dn="cn=[^,]+,ou=\$1,o=XYZ
>

Hello, what I would like to do is quite different.
Basically, the problem is the following:
"Given a user defined in a subtree, allow access (read-only) only to the
subtree under which the user is attached"
Suppose the user is
cn=someone,a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
he can access only the subtree
.+,a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
Since the tree is modified by an application, the type of the
tree nodes may vary (i.e. a(N) can be an ou or something else).

I don't know if it's possible to express this relation with
the acl semantics
by <who> <policy>
because I have to define <who> as a function of <what>, while
the relation above is inverted.
The inverted relation would be:
given a node
a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
allow read access (if existing) to

cn=([^,]+),a(1)=v(1) or
cn=([^,]+),a(2)=v(2),a(1)=v(1) or
cn=([^,]+),a(3)=v(3),a(2)=v(2),a(1)=v(1) or
....
cn=([^,]+),a(N)=v(N),a(N-1)=v(N-1),...,a(1)=v(1)

Anyway, it sounds to me very difficult to implement in a
single RE.

L.
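The two formulations in the message (the direct rule "a user may read only the subtree hanging from the node the user is attached to", and the inverted per-node alternation cn=([^,]+),a(k)=v(k),...,a(1)=v(1) for k = 1..N) can be checked against each other outside of slapd. The following is an added example written for this page, not code from the thread or from OpenLDAP; it models the relation as a plain authorization check over DN strings, builds the alternation the message lists for one given node, and confirms both agree on a constructed set of sample DNs. It does not model OpenLDAP's ACL engine, and its DN splitting is a simplified one (unescaped commas only, case-folded) rather than a full RFC 4514 parser.

```python
import re


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not backslash-escaped.
    Simplified DN handling (assumption of this example): escape pairs such as
    "\\," are kept intact, and everything is lower-cased so comparisons ignore
    case the way DN matching does for the attribute types used here."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep "\x" escape pairs together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return rdns


def parent_dn(dn):
    """The node the user 'is attached to': the DN minus its first RDN."""
    return ",".join(split_dn(dn)[1:])


def in_subtree(target_dn, base_dn):
    """True if target_dn is base_dn itself or lies below it (base is a DN suffix)."""
    t, b = split_dn(target_dn), split_dn(base_dn)
    return len(t) >= len(b) and t[len(t) - len(b):] == b


def may_read(user_dn, target_dn):
    """The direct rule from the message: read access only inside the subtree
    rooted at the node the user entry hangs from."""
    return in_subtree(target_dn, parent_dn(user_dn))


def inverted_rule_regex(node_dn):
    """The inverted relation from the message for one node a(N)=v(N),...,a(1)=v(1):
    an alternation of N branches cn=([^,]+),a(k)=v(k),...,a(1)=v(1), k = 1..N.
    One branch per level of the node's DN is exactly why a single fixed RE
    cannot cover nodes of arbitrary depth."""
    rdns = split_dn(node_dn)          # [a(N)=v(N), ..., a(1)=v(1)]
    n = len(rdns)
    branches = [re.escape(",".join(rdns[n - k:])) for k in range(1, n + 1)]
    return "^cn=([^,]+),(?:" + "|".join(branches) + ")$"


def regex_allows(node_dn, user_dn):
    """Evaluate the per-node alternation against a requester DN."""
    return re.match(inverted_rule_regex(node_dn), user_dn.lower()) is not None


# Constructed sample tree (not from the thread): o=XYZ with two branches.
SAMPLE_USERS = ["cn=someone,ou=sales,o=XYZ", "cn=bob,ou=hr,o=XYZ", "cn=root,o=XYZ"]
SAMPLE_TARGETS = [
    "cn=doc1,ou=sales,o=XYZ", "cn=doc2,ou=west,ou=sales,o=XYZ",
    "ou=sales,o=XYZ", "cn=doc3,ou=hr,o=XYZ", "o=XYZ",
]


def formulations_agree():
    """Cross-check: the direct rule and the per-node alternation give the same
    answer for every (user, target) pair in the constructed sample."""
    return all(may_read(u, t) == regex_allows(t, u)
               for u in SAMPLE_USERS for t in SAMPLE_TARGETS)


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        for t in SAMPLE_TARGETS:
            print(f"{u:28s} -> {t:34s} rule={may_read(u, t)!s:5} regex={regex_allows(t, u)}")
    print("agree on sample:", formulations_agree())
```

Printing `inverted_rule_regex("cn=doc2,ou=west,ou=sales,o=XYZ")` shows the four branches the message writes out by hand, one per level of that node. One edge case worth knowing about the `[^,]+` idiom used in the thread: it stops at an escaped comma inside a value, so a user such as `cn=a\,b,ou=sales,o=XYZ` matches none of the branches even though the direct rule allows the read; any regex-based ACL that relies on `[^,]+` for the RDN value has this gap.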