access to attrs=description val.regex="^/bin/[^f][^s][^h]" by users write by * read
Thanks for the followup, I'll have to play around some more.
(I didn't feel like populating the database with homeDirectory and so), and it worked: users were able to add/delete "/bin/bash", but not "/bin/fsh".
I think what I wanted was subtly different than this though. I need for users who have an existing value of "/bin/fsh" to be prevented from deleting or modifying their entry. The crux of my issue here appears to be that I didn't understand that the val.<type>=<value> constraint is only evaluated on the add portion of an operation, i.e. as a way of controlling possible values you can input. Instead, I thought it was part of the query operation, i.e. this is an ACL applying to a certain attribute under the condition where a certain regular expression applies to the value of the attribute.
The sets notation gave me what I needed.
Thanks!
Mark
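
Added example, not part of the original message: it runs the val.regex from the ACL above over constructed sample values to show which ones the pattern covers, since three negated character classes exclude far more than "/bin/fsh". The ordered-clause model beside it (an exact-value test placed ahead of a general clause) is a simplified assumption for comparison, not slapd code, and the sample values and function names are hypothetical.

```python
import re

# The val.regex from the ACL quoted above. OpenLDAP uses POSIX extended
# regexes; this pattern has the same meaning in Python's re module.
ACL_REGEX = re.compile(r"^/bin/[^f][^s][^h]")

# Constructed sample values a user might try to write.
CANDIDATES = ["/bin/bash", "/bin/fsh", "/bin/sh", "/bin/zsh", "/bin/ksh",
              "/bin/csh", "/bin/dash", "/bin/false", "/bin/fish"]

def regex_allows(value):
    """True if the value is covered by the clause granting users write."""
    return ACL_REGEX.search(value) is not None

# Simplified model (an assumption, not slapd code) of ordered clauses:
# the first clause whose value test matches decides the access level.
ORDERED_CLAUSES = [
    (lambda v: v == "/bin/fsh", "read"),   # exact test on the protected value
    (lambda v: True, "write"),             # every other value
]

def ordered_access(value):
    """Access level under the ordered, exact-value model."""
    for matches, level in ORDERED_CLAUSES:
        if matches(value):
            return level
    return "none"

def over_blocked(values):
    """Values the regex fails to cover although only /bin/fsh was meant."""
    return [v for v in values
            if not regex_allows(v) and ordered_access(v) == "write"]

if __name__ == "__main__":
    for v in CANDIDATES:
        covered = "write" if regex_allows(v) else "not covered"
        print(f"{v:12} regex: {covered:12} ordered: {ordered_access(v)}")
    print("not covered by the regex:", over_blocked(CANDIDATES))
```

Values the regex does not cover fall through to whatever access clauses follow it in the configuration.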