Nick Milas wrote:
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write [...same with other depts...]
This should work with normal OU names, but I'd feel nervous using it since OU names involving '] ... [' would give an "ACL injection attack":
access to dn.subtree="ou=people,dc=example,dc=com" attrs="attr1,attr2" filter="(ou=dept*)" by set.exact="user & ([cn=] + this/ou + [Admins,ou=Groups,dc=example,dc=com])/member" write
I'd feel safer with the group DN of the admin in an attribute in the entry (here the owner attribute):
access to dn.subtree="ou=people,dc=example,dc=com" attrs="attr1,attr2" filter="(owner=*)" by set.exact="user & this/owner/member" write
OTOH anyone who has access to update the OU or owner attribute can give themselves admin access anyway, so hopefully only admins can do that.