Joe Friedeggs wrote: > >> On 26/2/2012 1:22 ÎÎ, Nick Milas wrote: >> >> > It seems to me that it would require to use regex *in a filter* and >> > then group.expand based on the results. But is this possible? Any >> > alternatives? >> >> Hmm, no one? >> >> Let me re-phrase: Can we express the following three statements using >> ONE ACL statement? I haven't been able to find a solution. >> >> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" >> attrs="attr1,attr2" >> by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write >> >> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" >> attrs="attr1,attr2" >> by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write >> >> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" >> attrs="attr1,attr2" >> by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write >> >> Or any alternative suggestions to achieve the same result? > > Assuming these org units are under ou=people, try this: > > access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com" > attrs="attr1,attr2" > by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write From what the original poster wrote he has just ou-attributes in person entries, not separate DIT containers. Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature