[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: filter acl regex

Dusty Doris wrote:

To my knowledge, no, and I don't see it as a reasonable approach.  The
only thing that gets close to what you mean seems to be "sets", but they
essentially lack arbitrary string concatenation capabilities.

If your entry stored the group's DN instead of its common name, things
would have been quite straightforward.  This is the "memberOf" approach,
something like

access to dn.children="ou=users,o=mydomain.com"
by set="user & (this/memberOf)/member" write

That sounds like a good approach.  Sets look pretty interesting.  I've
been reading about them in the FAQs.  Still having trouble grasping it,
but after some more coffee and a few more reads through I hope I'll get
the idea.

I'm not confined to my original approach, so I'll give it a shot with the
memberOf approach.

Note that, as far as I can tell, "memberOf" is an Active Directory operational attribute that is internally maintained to preserve referential integrity within groups and group members. There's no equivalent in standard track schemas, to my knowledge. You'll need to define your own DN-valued attribute, or, for instance, "hijack" something that may do the trick, e.g. the "seeAlso" attribute, which is already allowed by "person" and descendants, or so.

I can file an ITS. I'm still not up to par in understanding sets, so I'll
try to get that figured out first. So I know how to accurately describe
what I am asking for in the ITS.

Well, it's a feature request, so you won't get yelled in any case ;) I'm telling you that feature is not there yet, so it's perfectly acceptable to request it.

Cheers, p.

SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497