Jaap Winius wrote:
Quoting Dieter Kluenterdieter@dkluenter.de:
this rule should do the trick: access to dn.regex="cn=([^,]+),ou=whatsoever$" attrs=telephoneNumber by set="user/title& [telephoneManager]" write
Yes!!!
This is what I'm using now:
access to attrs=telephoneNumber by set="user/title& [telephonemanager]" write by users readThis works for a user with attr title=telephonemanager. However, to demonstrate the flexibility of this set rule...
access to attrs=telephoneNumber by set="user/description& [telephonemanager]" write by users read... this works for a user with attr description=telephonemanager!
This is cool regardless, but I think my NIU-friend would say that it's cool because this set rule allows you to give users telephonemanager privileges without the need to maintain a telephonemanager group.
Actually, I think this solution can be improved upon significantly. For example, what if our privileged user had this attribute:
description: titlemanager telephonemanager addressmanagerCan a a set rule be devised to match not only users with a description value that equals "telephonemanager", but also one that includes it in a longer string? We would need something like:
access to attrs=telephoneNumber by set="user/description& [*telephonemanager*]" write by users readOnly, that doesn't work.
Is this possible?
It is unnecessary. The description attribute is multivalued, just use it correctly.
description: titlemanager description: telephonemanager description: addressmanager
I'll also note that using a set for this purpose is still inferior to using a dynamic group, in terms of performance. Dynamic group evaluations are cached, sets are not.