Re: ACL on new value for two attributes

[Howard Chu <hyc@symas.com>]

manu@netbsd.org (Emmanuel Dreyfus) wrote:
> Replying to myself:
>
> Reading latest code from git, I can tell that there is no way to craft
> an ACL using val for multiple attributes. Such a concept is difficult to
> specify anyway: if I imagine something like this:
> access to attrs=foo val.regex="^(.*)$" attrs=bar val.regex="^(.*)$"
>
> We can immagine we find foo's new value in ${v1} and bar's new value in
> ${v2}, but ${v0} remains difficult to define. And then there is the
> problem of how to handle multivalued attributes.
>
> I came to the conclusion that this is not The Right Way of doing it,
> hence I had another idea: I could use an overlay that creates dynamic
> attributes based on other attribute's values. Some kind of buz =
> printf("%s-%s", foo, bar) functionnality and use val.regex against this
> buz dynamic attribute.
>
> Questions
> 1) Does it already exist? Perhaps slapo-rwm is able to do something like
> this?

As documented in its manpage, slapo-rwm only rewrites DN-valued attributes.

> 2) If not then I could implement it, but how feasible is it? Are
> overlays able to tweak an add or modify request, to add an attribute
> before it hits the ACL layer?

Sure.
> Emmanuel Dreyfus <manu@netbsd.org> wrote:
>
> > In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on
> > the new value for an attribute.
> >
> > Using sets in the who clauses this new value can be matched as ${v0}
> > against current attributes values. But what about if we want to match
> > against another new attribute value? I currently run 2.4.33, and there
> > is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the
> > what clause.  Has this changed in later releases? Or is there another way
> > of doing it?


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/