[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL syntax with wildcards

On Tue, 27 Mar 2012, Nick Milas wrote:

On 26/2/2012 1:22 ??, Nick Milas wrote:

It seems to me that it would require to use regex *in a filter* and then group.expand based on the results. But is this possible? Any alternatives?

Hmm, no one?

Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.

access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2"
       by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write

access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" attrs="attr1,attr2"
       by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write

access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" attrs="attr1,attr2"
       by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write

Or any alternative suggestions to achieve the same result?


I'm being super-dangerous by writing this on my way out the door, but with that caveat, I believe:

access to dn.subtree=<what> filter="(ou=dept1)" by group="cn=dept1,ou=Administrators,ou=Groups,dc=example,dc=com" read

is plausible with a set.expand. You might not even use the filter, just the set alone to check this/ou versus the expanded group. Basically I'm not certain if mapping "dept1" <> "dept1Admins" is achievable, hence the direct "dept1" <> "dept1" treatment. You might be able to use a '+' to add the "Admins" static string from your question but I'm not sure.