I'm trying to get access control for writing to groups as automated as possible, in as much as I would like LDAP to be able to determine who is able to write based on other attributes.
I've been able to successfully do this if I only need to grant access to one or a few individuals, by specifying their DN as a value to an attribute, and then using this ACL:
add: olcAccess
olcAccess: {2}to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by users read by * none
That works really well - I just add the owner attribute to an object, specify the owner's DN and they can then write to the object.
However, for larger scale permissions, I need to be able to use the membership of a group. Now I've read http://www.openldap.org/faq/data/cache/52.html and seen that you can specify:
access to <what> by group/<objectclass>/<attributename>=<DN> <access>
However, that would require me to explicitly set the DN of the group in the access control itself.
What I want/need to be able to do is for LDAP to read the DN of the group that has permission, in the same way that it does with dnattr. I thought that I had read something about this being possible with sets, but slapd.access says that "The statement set=<pattern> is undocumented yet." so I'm not clear if that is the most appropriate way to proceed.
Can someone please advise on how this might be accomplished?
Thanks.
Philip
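The two ACL forms discussed in the post, side by side, as an added example that is not part of the original message and not the poster's own configuration. It assumes a cn=config database entry named olcDatabase={1}mdb,cn=config (placeholder; substitute the real one), group entries of objectclass groupOfNames that list their members in the member attribute, and that each group entry's owner attribute holds the DN of the group whose members may edit it. The set expression this/owner/member & user takes the target entry (this), follows its owner attribute to the named group, reads that group's member values, and intersects the result with the bound DN (user), so no group DN appears in the ACL itself.

```ldif
# Added example, not the original poster's config. The database DN is an
# assumed placeholder.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# One rule with several "by" clauses; the first matching clause wins, so the
# write grants come before the general read.
#  - group/...: the explicit form from the OpenLDAP FAQ, fixed group DN.
#  - set=...:   indirect form, group DN is read from the entry's own "owner".
olcAccess: {2}to dn.sub="ou=groups,dc=example,dc=com"
  by group/groupOfNames/member="cn=group-admins,ou=groups,dc=example,dc=com" write
  by set="this/owner/member & user" write
  by users read
  by * none
```

Apply it with ldapmodify over the ldapi:/// socket (for example ldapmodify -Y EXTERNAL -H ldapi:/// -f the-file.ldif) and check the result offline with slapacl, which evaluates the loaded ACLs for a given bind DN and target entry, e.g. slapacl -D "uid=alice,ou=people,dc=example,dc=com" -b "cn=devs,ou=groups,dc=example,dc=com" member/write. Two points to keep in mind: the set clause causes slapd to perform internal lookups for every evaluation, so it costs more than dnattr on busy trees, and because the group DN is taken from an attribute on the protected entry, whoever can write that owner attribute can delegate write access to any group, so the ACL should not let ordinary members modify owner.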