
Re: <what> in ACL defined by set?



masarati@aero.polimi.it wrote:
Is it possible to specify the <what> clause in an ACL with a set?

No.

We have several applications and for each application there's a specific
AUXILIARY object class for application-specific user attributes.

So for each application I add ACLs like this:

access to
    dn.onelevel="ou=Users,dc=example,dc=org"
    attrs=@app1User
      by dn.subtree="cn=app1,ou=Systems,dc=example,dc=org" read
      by * break

Obviously I'd like to have one ACL which references an attribute specifying
the auxiliary object class in the app's system entry. Is that possible?

I'm not sure I understand your question: is it that you would like to have
something like

     attrs=<attr>

with <attr> depending on the contents of the entry, or of another entry
resulting from the evaluation of some expression?

Yes, exactly. Preferably with <attr> being the object class form prefixed with @. The name of the object class should be read from an attribute in the accompanying system user entry (referenced as user in set-syntax).

Ciao, Michael.
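
Since the <what> clause cannot be driven by a set, one workaround is to generate the per-application ACL stanzas outside slapd from the system entries. The sketch below is an added example, not code from this thread or from OpenLDAP; the attribute name `appUserClass` and the sample entries are constructed assumptions.

```python
import re

# Constructed sample data standing in for the result of an LDAP search under
# ou=Systems. "appUserClass" is a hypothetical attribute naming the AUXILIARY
# object class that holds each application's user attributes.
SYSTEM_ENTRIES = [
    {"dn": "cn=app1,ou=Systems,dc=example,dc=org", "appUserClass": "app1User"},
    {"dn": "cn=app2,ou=Systems,dc=example,dc=org", "appUserClass": "app2User"},
]
USERS_BASE = "ou=Users,dc=example,dc=org"

# LDAP descriptor: a letter followed by letters, digits or hyphens.
_DESCR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def _check_dn(dn):
    """Conservatively refuse DNs that could break out of a quoted config value."""
    if not dn or any(c in dn for c in '"\\\r\n'):
        raise ValueError(f"refusing DN for config output: {dn!r}")
    return dn


def render_acl(entry, users_base=USERS_BASE):
    """Render one ACL stanza in the shape used in the thread for one application."""
    oc = entry["appUserClass"]
    # The value comes from directory data, so validate it before it is
    # written into the access control configuration.
    if not _DESCR.fullmatch(oc):
        raise ValueError(f"invalid object class name: {oc!r}")
    return (
        "access to\n"
        f'    dn.onelevel="{_check_dn(users_base)}"\n'
        f"    attrs=@{oc}\n"
        f'      by dn.subtree="{_check_dn(entry["dn"])}" read\n'
        "      by * break\n"
    )


def render_all(entries, users_base=USERS_BASE):
    """Render all stanzas in a stable order, skipping duplicate (dn, class) pairs."""
    seen, stanzas = set(), []
    for entry in sorted(entries, key=lambda e: e["dn"].lower()):
        key = (entry["dn"].lower(), entry["appUserClass"].lower())
        if key not in seen:
            seen.add(key)
            stanzas.append(render_acl(entry, users_base))
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(render_all(SYSTEM_ENTRIES))
```
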
