[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACI/ACL based on entry attribute values

Anyone? Opinion? Advice on how to implement similar
functionality with current ACL/ACI mechs?

<who> ::= ....
        attrpick <attrname>=<regexp with substrings>
        userattrmatch <attrname>=<regexp with substrings>

<what> ::= ....
attrpick <attrname>=<regexp with substrings>
targetattrmatch <attrname>=<regexp with substrings>
What we have done, is crossmatched attribute values (including but
not limited to DN) between the user and the target. This will allow for all
cases i described, yet would not be too hard to process (we don't get multiple
entry results to search through, just a lot of string matching:)


access to targetattrmatch dn=".*$1$"
   by attrpick dn="(.*)" write

I just let anyone above any entry have write access to
it's descendants.

Even more powerful would be a mix of this with LDAP
filters (such as proposed in sets?) to be able to say something like
this (sorry. no more BNF:)

access to targetattrmatch dn=".*$1$"
   by filterpick (&(dn="(.*)")(objectClass="specialOrgManager")