[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL on new value for two attributes

To: Michael Ströder <michael@stroeder.com>
Subject: Re: ACL on new value for two attributes
From: Emmanuel Dreyfus <manu@netbsd.org>
Date: Tue, 9 Dec 2014 14:57:23 +0000
Cc: Emmanuel Dreyfus <manu@netbsd.org>, openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <548708E9.5030109@stroeder.com>
References: <1lwcddy.uxm0741po8cjgM%manu@netbsd.org> <548708E9.5030109@stroeder.com>
User-agent: Mutt/1.5.23 (2014-03-12)

On Tue, Dec 09, 2014 at 03:36:25PM +0100, Michael Ströder wrote:
> Frankly I don't understand in detail what you want to achieve.

Let me try to rephrase.

Such ACL construct let me match new foo's values as ${v1} in to rules:
   access to attrs=foo val="^(.*)$"

Now my problem is that I would want to do this with two attributes.
I came to the conclusion that a solution would be to have a dynamic 
attribute automatically created from the two attributes. Let us say
that dynattr is created like printf("%s-%s", foo, bar), I can do something
like this and have foo new value in ${v1} and bar new value in ${v2}
   access to attrs=dynattr val="^(.*)-(.*)$"

I could write an overlay to  have This dynamic attribute generated, but I 
wonder if it can be done with existing tools.

> But first of all:
> Did you set "add_content_acl on" in your slapd.conf (or similar in back-config)?

Yes. IIRC I contributed the patch for this option :-)

-- 
Emmanuel Dreyfus
manu@netbsd.org

Follow-Ups:
- Re: ACL on new value for two attributes
  - From: Michael Ströder <michael@stroeder.com>

References:
- Re: ACL on new value for two attributes
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: ACL on new value for two attributes
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Q: roles for authentication
Next by Date: Re: Problems starting an instance of openLDAP
Index(es):
- Chronological
- Thread