[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: filter acl regex

> Hi.
> I am looking for help with an ACL.  What I would like to do, is determine
> the name of a group that I will be searching for members of, based on an
> attribute in the username.
> For example, suppose you have the following user entries, that contain an
> attribute that we will call groupname.
> dn: cn=user1,ou=users,o=mydomain.com
> groupname: group1
> dn: cn=user2,ou=users,o=mydomain.com
> groupname: group2
> Then, I have some groups.
> dn: cn=group1,ou=users,o=mydomain.com
> member: cn=user1,ou=users,o=mydomain.com
> dn: cn=group2,ou=groups,o=mydomain.com
> member: cn=user2,ou=users,o=mydomain.com
> Is there a way to use the value of a filter in the what section, to be
> re-used in the who section of the ACL?
> For example:
> access to dn.children="ou=users,o=mydomain.com" filter=(groupname=(.+))
> 	by group.expand="cn=$1,ou=groups,o=mydomain.com" write
> Or any other way to do something similar?  Basically, I want to capture
> the value of an attribute in the user and use that as part of the group to
> search for members of.
> Is that possible?

To my knowledge, no, and I don't see it as a reasonable approach.  The
only thing that gets close to what you mean seems to be "sets", but they
essentially lack arbitrary string concatenation capabilities.

If your entry stored the group's DN instead of its common name, things
would have been quite straightforward.  This is the "memberOf" approach,
something like

access to dn.children="ou=users,o=mydomain.com"
	by set="user & (this/memberOf)/member" write

would do the trick.  To build the DN of the group out of its common name
requires something like a '+' operator that causes two pieces of string to
concatenate, so that one can write a rule of the kind

access to dn.children="ou=users,o=mydomain.com"
	by set="user & ([cn=]+this/groupname+[,ou=groups,o=mydomain.com])/member"

I was planning to develop something like that, so I suggest you file an
ITS to request and keep track its implementation.


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497