> On 26/2/2012 1:22 μμ, Nick Milas wrote:
>
> > It seems to me that it would require to use regex *in a filter* and
> > then group.expand based on the results. But is this possible? Any
> > alternatives?
>
> Hmm, no one?
>
> Let me re-phrase: Can we express the following three statements using
> ONE ACL statement? I haven't been able to find a solution.
>
> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)"
> attrs="attr1,attr2"
> by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
>
> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)"
> attrs="attr1,attr2"
> by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
>
> access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)"
> attrs="attr1,attr2"
> by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
>
> Or any alternative suggestions to achieve the same result?
>
> Thanks,
> Nick
>

Assuming these org units are under ou=people, try this:

access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com"
attrs="attr1,attr2"
        by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write


Joe