Re: ACL on new value for two attributes



Replying to myself:

Reading the latest code from git, I can tell that there is no way to craft
an ACL using val for multiple attributes. Such a concept is difficult to
specify anyway: if I imagine something like this:
access to attrs=foo val.regex="^(.*)$" attrs=bar val.regex="^(.*)$"

We can imagine we find foo's new value in ${v1} and bar's new value in
${v2}, but ${v0} remains difficult to define. And then there is the
problem of how to handle multivalued attributes.

I came to the conclusion that this is not The Right Way of doing it,
hence I had another idea: I could use an overlay that creates dynamic
attributes based on other attributes' values. Some kind of buz =
printf("%s-%s", foo, bar) functionality and use val.regex against this
buz dynamic attribute.

Questions
1) Does it already exist? Perhaps slapo-rwm is able to do something like
this? 
2) If not then I could implement it, but how feasible is it? Are
overlays able to tweak an add or modify request, to add an attribute
before it hits the ACL layer? 


Emmanuel Dreyfus <manu@netbsd.org> wrote:

> In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on
> the new value for an attribute.
> 
> Using sets in the who clauses this new value can be matched as ${v0}
> against current attribute values. But what about if we want to match
> against another new attribute value? I currently run 2.4.33, and there
> is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the
> what clause.  Has this changed in later releases? Or is there another way
> of doing it?


-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org