Hi again,
Have a subtree like this:
ou=users
  cn=me
ou=data
  ou=data1
    cn=fact1
    cn=fact2, owner=cn=me,ou=users
  ou=data2
    cn=fact3
    cn=fact4
So this time, some child elements of a dataX-subtree are "owned" by certain users. What I want: when a user (cn=me) traverses the LDAP tree, (s)he should only see the dataX-subtrees with at least one child owned by this user. For the example above, the user cn=me should get read access to "ou=data1" and to "cn=fact2,ou=data1", but he should NOT get read access to ou=data2 and its children.
Specifying the access to the "cn=factX" entries is already solved, now the only problem is to deny access to some of the "ou=dataX" subtrees:
My current idea is something like this:
access to dn.regex="(ou=[^,]+,ou=data)" by set.expand="([ldap://127.0.0.1?base=$1?scope=sub]/owner) & user"
which should find all entries in a dataX subtree, collect their owners and "compare" them with the current user.
But this does not look "nice" to me because of the additional required LDAP search. Is there a more straightforward solution for this?
If not: is this search operation really EXECUTED? Which bind DN is used to execute the search? The "current" one? I guess, to find the search results for the LDAP query all access rules for the current user apply?
Thanks and regards -stefan-
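A reference model of the rule the post describes, added here as an example that is not part of the original message and does not reproduce slapd's ACL engine: the directory, the `ou=data` base and the `owner` values are constructed to mirror the subtree above, and `subtree_owners` plays the role of the `[...?scope=sub]/owner` projection in the proposed set rule.

```python
import re

# Constructed directory: DN -> set of owner DNs (owner is multi-valued in LDAP).
ENTRIES = {
    "cn=me,ou=users": set(),
    "ou=data": set(),
    "ou=data1,ou=data": set(),
    "cn=fact1,ou=data1,ou=data": set(),
    "cn=fact2,ou=data1,ou=data": {"cn=me,ou=users"},
    "ou=data2,ou=data": set(),
    "cn=fact3,ou=data2,ou=data": set(),
    "cn=fact4,ou=data2,ou=data": set(),
}

# Same pattern as the dn.regex in the post: the ou=dataX containers.
DATA_CONTAINER = re.compile(r"ou=[^,]+,ou=data")


def is_under(dn, base):
    """True if dn is base itself or lies anywhere below it (no DN escaping handled)."""
    return dn == base or dn.endswith("," + base)


def subtree_owners(entries, base):
    """Owner values collected over a scope=sub search from base:
    what [ldap://...?base=$1?scope=sub]/owner denotes in the set expression."""
    return {o for dn, owners in entries.items() if is_under(dn, base) for o in owners}


def container_readable(entries, container, user):
    """Set rule from the post: access if the subtree's owners intersect the bound user."""
    return bool(subtree_owners(entries, container) & {user})


def readable_entries(entries, user):
    """Entries the user may read under the intended policy.
    cn=factX leaves: readable only by their owner (the part already solved).
    ou=dataX containers: readable if any descendant is owned by the user.
    Other entries are out of scope here and are not listed."""
    readable = set()
    for dn, owners in entries.items():
        if owners:
            if user in owners:
                readable.add(dn)
        elif DATA_CONTAINER.fullmatch(dn) and container_readable(entries, dn, user):
            readable.add(dn)
    return readable
```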