Gavin Henry wrote:
Is there a possibility to create an ACL statement that grants access to any (unknown) value of an attribute but denies access to all values of the same attribute?
Can you explain that again?
BTW: Your answer didn't find its way into the openldap-technical archive: http://www.openldap.org/lists/openldap-technical/201208/threads.html
Nevertheless, please let me
Yes, sorry. There was an email issue today.
So you mean the attribute should always be present?
That is normally part of the objectClass definition, i.e. MUST.
I can't think of a way to do it with ACLs. Anyone else?
That's got me thinking. What if you have dynamic group-based ACLs, based on say 'o', and the owner of the entry has self write? They could add another 'o' attribute, putting themselves into an additional group (depending on the objectclass)? I suppose you just make that attribute read-only.
Gavin.