RE: About ACL

> In the original example there are users at multiple depths in the ou=
> hierarchy. To get all that in a single rule, try this:
>   access to dn=".+,ou=(.+),o=XYZ"
> 	by dn="cn=[^,]+,ou=$1,o=XYZ

Hello, what I would like to do is quite different.
Basically, the problem is the following:
"Given a user defined in a subtree, allow access (read-only) only to the subtree under which the user is attached"
Suppose the user is
he can access only the subtree
Since the tree is modified by an application, the type of the tree nodes may vary (i.e. a(N) can be an ou or something

I don't know if it's possible to express this relation with the ACL semantics
access to <what>
by <who> <policy>
because I have to define <who> as a function of <what>, while the relation above is inverted.
The inverted relation would be
given a node
allow read access (if existing) to

cn=([^,]+),a(1)=v(1) or
cn=([^,]+),a(2)=v(2),a(1)=v(1) or
cn=([^,]+),a(3)=v(3),a(2)=v(2),a(1)=v(1) or

Anyway, it sounds very difficult to me to implement in a single RE.

Thanks for your help,
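
The relation described in this message, written out as an added example that is not part of the original post and is not OpenLDAP code: it models the check on DN components rather than as a single regular expression. The function names and the sample DNs are hypothetical; it assumes user entries are named `cn=...`, that the readable subtree includes the container entry itself, and that RDNs compare case-insensitively.

```python
import re

# Split on commas not preceded by a backslash. Simplification of RFC 4514:
# hex escapes, multi-valued RDNs and an escaped backslash before a comma
# are not handled.
_RDN_SPLIT = re.compile(r'(?<!\\),')

def rdns(dn):
    """Return the DN as a list of normalized (attr, value) pairs, leaf first."""
    out = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition('=')
        if not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN in {dn!r}")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out

def may_read(user_dn, target_dn):
    """True if target_dn lies in the subtree the user entry is attached to."""
    user = rdns(user_dn)
    if len(user) < 2 or user[0][0] != 'cn':
        return False                      # assumption: users are cn=...,<container>
    container = user[1:]                  # a(n)=v(n),...,a(1)=v(1), any attribute type
    target = rdns(target_dn)
    # Compare whole RDNs. A raw string suffix test would also accept
    # "fou=a,o=XYZ" as being under "ou=a,o=XYZ".
    return len(target) >= len(container) and target[-len(container):] == container

def reader_containers(target_dn):
    """Inverted relation: every container whose cn= users may read target_dn."""
    target = rdns(target_dn)
    return [','.join(f'{a}={v}' for a, v in target[i:]) for i in range(len(target))]

if __name__ == "__main__":
    # Constructed sample DNs under the o=XYZ suffix used in the quoted rule.
    user = "cn=alice,ou=a,o=XYZ"
    for target in ("cn=x,ou=b,ou=a,o=XYZ", "cn=x,ou=c,o=XYZ", "cn=x,fou=a,o=XYZ"):
        print(user, "->", target, may_read(user, target))
    print(reader_containers("ou=b,ou=a,o=XYZ"))
```
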