the goal is to make some users hidden from part of the ldap tree from Apache,
as Apache mod_ldap requires only one entry to be returned for
anonymous search it performs.
there can be duplicates in the same ldap directory, like, for example
there's another uid=glen present
the tree looks like this:
+- cn=Hidden Users
+- member: uid=glen,ou=People,dc=example,dc=net
in what ou=Basement,ou=People,dc=example,dc=net is filled by "database ldap",
and it causes duplicate uid entries in the directory (unavoidable)
so far i have just static acl that is working:
access to dn.regex="uid=(glen|somebody-else),ou=People,dc=delfi,dc=net"
by anonymous =rcxd
it would be better if that can be done by dynamic group lookup via acl.
as i see it, there shoould be acl stating if access to
uid=.+,ou=People,dc=example,dc=net is attempted,
it is checked first that it is not "member" of cn=Hidden
and if it's member, access to entry is denied. however i'm unable to
complete such acl rule
i have read manual, and tried to experiment, but i can't make up such
dynamic configuration. any help from the list?