On Tue, Dec 09, 2014 at 04:02:42PM +0100, Michael Ströder wrote:
You should be more clear. Really two separate attributes or two
attribute values? Why can't you just use two different ACLs? It's still not
clear to me.
Because I would like to allow/deny some values of first attribute
depending on values of the second. e.g.: foo cannot be set to X
if bar is set.
If I use two ACL, I understand I am testing the new foo value against
existing bar values: if the modify operation replace both foo and bar,
I cannot enforce my rule.