I'm trying to see if/how the following access controls could be written:
1. Allow * to read attributes (name, email, phonenumber) in entries in the "cn=people,dc=uta,dc=edu" subtree *IF* attribute viewableAttributes=email.
(I can understand how to do this for the most part except for the *IF* condition).
Here's a rule I wrote yesterday:
access to dn.subtree="ou=Users,dc=wfu,dc=edu" attr=entry,wfuIsPublic,objectClass,uid filter=(wfuIsPublic=Y) by * read
2. Allows write access to users who have the attribute userPrivs=admin.
You may want to create an Admin group... at which point you can say:
access to dn.subtree="whatever" by group="cn=Admin,dc=group,dc=wfu,dc=edu" write by * break
For others: does the "group" specification used here respect "memberOf"?
HTH, John -- John Borwick Systems Administrator Wake Forest University | web http://www.wfu.edu/~borwicjh Winston-Salem, NC, USA | GPG key ID 7F1F051B
Description: OpenPGP digital signature