
restricting access *to* entries by a group member



hi

the goal is to make some users hidden from part of the ldap tree from Apache,
as Apache mod_ldap requires only one entry to be returned for the
anonymous search it performs.
there can be duplicates in the same ldap directory, like, for example,
there's another uid=glen present

the tree looks like this:

+- dc=example,dc=net
   +- cn=Manager
   +- ou=People
      +- uid=glen
      +- ou=Basement
         +- uid=glen
   +- ou=Groups
      +- cn=Hidden Users
         +- member: uid=glen,ou=People,dc=example,dc=net

where ou=Basement,ou=People,dc=example,dc=net is filled by "database ldap",
and it causes duplicate uid entries in the directory (unavoidable)

so far i have just a static acl that is working:

access to dn.regex="uid=(glen|somebody-else),ou=People,dc=delfi,dc=net"
    attrs=uid
    by anonymous =rcxd

it would be better if that could be done by dynamic group lookup via acl.
as i see it, there should be an acl stating that if access to
uid=.+,ou=People,dc=example,dc=net is attempted,
it is checked first that it is not a "member" of cn=Hidden
Users,ou=Groups,dc=example,dc=net
and if it's a member, access to the entry is denied. however i'm unable to
complete such an acl rule

i have read the manual, and tried to experiment, but i can't make up such a
dynamic configuration. any help from the list?


-- 
glen
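One way to express the dynamic lookup the post asks for, as an added example that is not part of the original message: OpenLDAP's ACL "set" style (slapd.access(5), where `this` is the target entry's DN and `[dn]/attr` reads an attribute of another entry) can test whether the target entry is listed as a `member` of the group. It assumes the tree and group DNs from the post; the `entry` pseudo-attribute and the `by users read` clause are assumptions about what the rest of the configuration wants.

```conf
# Added example, not the poster's configuration. Place it before any more
# general "access to *" directive, since slapd stops at the first matching
# <what> clause.
#
# The regex only matches entries directly under ou=People ([^,]+ forbids a
# comma, so uid=glen,ou=Basement,ou=People,... does not match and keeps
# whatever later rule applies to it).
access to dn.regex="^uid=[^,]+,ou=People,dc=example,dc=net$"
        attrs=entry,uid
        # assumption: authenticated users may still see hidden entries
        by users read
        # set is non-empty only when the target DN ("this") is one of the
        # member values of cn=Hidden Users, so such entries get no access
        # for anonymous (and anyone not matched above)
        by set="[cn=Hidden Users,ou=Groups,dc=example,dc=net]/member & this" none
        # every other ou=People entry stays visible to the anonymous
        # mod_ldap search, as with the static acl from the post
        by anonymous read
```

Read access to the `entry` pseudo-attribute is what lets a search return the entry at all, so granting only `attrs=uid` relies on some other rule supplying it; sets are flagged experimental in slapd.access(5), so check the result with `slapacl -b "uid=glen,ou=People,dc=example,dc=net"` before relying on it.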