Hello
Set ACLs are definitely hard to work with. But perhaps my schema is just plain wrong. Any hint (how to build the ACL or how to redesign the schema) is welcome. Here is the problem:
A) The schema. I have three classes: ou, person, mailAddress
1) persons are children of ou. They have three interesting attributes:
   ou: the ou they belong to
   mail: the mail addresses they receive mail from (multivalued)
   uid: the person's account login
A person's DN is like uid=jdoe,ou=sales,dc=example,dc=net
2) mailAddress holds a bunch of parameters about a mail address. It has a mail attribute. A mailAddress DN is like mail=John.Doe@example.net,dc=example,dc=net
mailAddress are not children of ou, since several persons of different ou may receive mail through the same address.
3) ou has two interesting attributes:
   ou: the unit name
   manager: DN of persons acting as managers (multivalued)
An ou DN is like ou=sales,dc=example,dc=net
B) The goals
1) a person must be able to modify a mailAddress when it receives mail from this address. This is done by an ACL clause like this (obtained from this mailing list):
   by set.exact="this/mail & user/mail" write
It works very well. That goal is fulfilled.
2) a user listed as a manager for an ou must be able to modify the persons within the ou. I've come to the following:
access to dn.regex="uid=.+,ou=(.+),dc=example,dc=net$" by set.expand="[ou=$1,dc=example,dc=net]/manager* & user" write
That works, though it seems to be very poor on the performance front. I tried something simpler, such as:
   by set.exact="this/ou/manager & user"
or that way:
   by set.exact="(this/ou+[,dc=example,dc=net])/manager & user"
but it does not work, I have no idea why. I'm very curious to learn what's wrong here.
3) The trickiest part, for which I have no solution: a user listed as a manager for an ou must be able to modify the mailAddress that a user he can modify could modify.
I can try to rephrase this a bit better. If I have the following (mailAddress, person, ou) triplet:
dn: mail=W,dc=example,dc=net

dn: uid=X,ou=Y,dc=example,dc=net
mail: W

dn: ou=Y,dc=example,dc=net
manager: Z
I want user Z to be able to modify mailAddress W
Here is an attempt that does not work:
   by set.exact=" ([uid=*,ou=] + ([manager=] + user)/ou*) + [,dc=example,dc=net])/mail & this/mail" write
I also attempted various tricks with ldap:/// lookups, but no luck.
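Before encoding goal 3 in slapd set syntax, it helps to state the intended policy as plain set algebra over the directory data: the bound user Z is a manager of ou Y, persons X under Y carry W in their mail attribute, and the mailAddress entry for W carries the same value. The following Python model is an added example, not code from the original post and not OpenLDAP's set evaluator; it uses a small constructed directory (the DNs uid=jdoe, uid=zmgr, uid=amgr, uid=bob and the mail entries are hypothetical sample data) and implements all three goals as reachability checks so the expected grants and denials can be listed before the ACL is written.

```python
"""Model of the poster's three access goals as set algebra over directory data.

Added example; the directory below is constructed sample data, not the poster's.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name -> frozenset of values


SUFFIX = "dc=example,dc=net"


def _entry(dn, **attrs):
    return Entry(dn, {k: frozenset(v) for k, v in attrs.items()})


# Constructed directory: two ou's with one manager each, persons under them,
# and mailAddress entries directly under the suffix (as in the post).
DIRECTORY = {e.dn: e for e in [
    _entry(f"ou=sales,{SUFFIX}", ou={"sales"},
           manager={f"uid=zmgr,ou=sales,{SUFFIX}"}),
    _entry(f"ou=support,{SUFFIX}", ou={"support"},
           manager={f"uid=amgr,ou=support,{SUFFIX}"}),
    _entry(f"uid=jdoe,ou=sales,{SUFFIX}", ou={"sales"},
           mail={"John.Doe@example.net", "sales@example.net"}),
    _entry(f"uid=zmgr,ou=sales,{SUFFIX}", ou={"sales"},
           mail={"zoe@example.net"}),
    _entry(f"uid=amgr,ou=support,{SUFFIX}", ou={"support"},
           mail={"alice@example.net"}),
    # bob is in another ou but shares the sales@ address, as the post allows.
    _entry(f"uid=bob,ou=support,{SUFFIX}", ou={"support"},
           mail={"sales@example.net"}),
    _entry(f"mail=John.Doe@example.net,{SUFFIX}", mail={"John.Doe@example.net"}),
    _entry(f"mail=sales@example.net,{SUFFIX}", mail={"sales@example.net"}),
    _entry(f"mail=zoe@example.net,{SUFFIX}", mail={"zoe@example.net"}),
]}


def values(dn, attr):
    """Attribute values of an entry; empty set if the entry or attribute is missing."""
    entry = DIRECTORY.get(dn)
    return entry.attrs.get(attr, frozenset()) if entry else frozenset()


def parent_dn(dn):
    """Drop the leftmost RDN (naive split; sample DNs contain no escaped commas)."""
    return dn.split(",", 1)[1]


def is_person(dn):
    return dn.startswith("uid=")


def is_mail_address(dn):
    return dn.startswith("mail=")


def can_write_person(bound_dn, target_dn):
    """Goal 2: a manager of the target's ou may write the person entry."""
    return is_person(target_dn) and bound_dn in values(parent_dn(target_dn), "manager")


def can_write_mail_address(bound_dn, target_dn):
    """Goals 1 and 3: write access to a mailAddress entry.

    Goal 1: the bound person itself receives mail through the address.
    Goal 3: some person the bound user manages (goal 2) receives mail through it.
    """
    if not is_mail_address(target_dn):
        return False
    target_mail = values(target_dn, "mail")
    if target_mail & values(bound_dn, "mail"):
        return True
    return any(
        can_write_person(bound_dn, dn) and target_mail & values(dn, "mail")
        for dn in DIRECTORY if is_person(dn)
    )


def writable_mail_addresses(bound_dn):
    """All mailAddress DNs the bound user may modify under goals 1 and 3."""
    return sorted(dn for dn in DIRECTORY if can_write_mail_address(bound_dn, dn))


if __name__ == "__main__":
    for who in ("uid=jdoe,ou=sales", "uid=zmgr,ou=sales",
                "uid=amgr,ou=support", "uid=bob,ou=support"):
        print(who, "->", writable_mail_addresses(f"{who},{SUFFIX}"))
```

The model makes the direction of the lookup explicit: for a given mailAddress target it walks from persons sharing its mail value up to their parent ou and checks the manager attribute there, which is the join the set expression in the post has to express against `this` and `user`. Running the model over the constructed data gives a table of expected grants that a candidate ACL can then be tested against with a real bind.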