Re: ACL syntax with wildcards

[Aaron Richton <richton@nbcs.rutgers.edu>]

On Tue, 27 Mar 2012, Nick Milas wrote:

> On 26/2/2012 1:22 ??, Nick Milas wrote:
>
> > It seems to me that it would require to use regex *in a filter* and then 
> > group.expand based on the results. But is this possible? Any alternatives? 
>
> Hmm, no one?
>
> Let me re-phrase: Can we express the following three statements using ONE ACL 
> statement? I haven't been able to find a solution.
>
> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" 
> attrs="attr1,attr2"
>        by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
>
> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" 
> attrs="attr1,attr2"
>        by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
>
> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" 
> attrs="attr1,attr2"
>        by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
>
> Or any alternative suggestions to achieve the same result?
>
> Thanks,
> Nick

I'm being super-dangerous by writing this on my way out the door, but with 
that caveat, I believe:

access to dn.subtree=<what> filter="(ou=dept1)" by group="cn=dept1,ou=Administrators,ou=Groups,dc=example,dc=com" read

is plausible with a set.expand. You might not even use the filter, just 
the set alone to check this/ou versus the expanded group. Basically I'm 
not certain if mapping "dept1" <> "dept1Admins" is achievable, hence the 
direct "dept1" <> "dept1" treatment. You might be able to use a '+' to add 
the "Admins" static string from your question but I'm not sure.