Frankly I don't understand in detail what you want to achieve.
But first of all:
Did you set "add_content_acl on" in your slapd.conf (or similar in
back-config)?
Ciao, Michael.

Emmanuel Dreyfus wrote:
Replying to myself:
Reading the latest code from git, I can tell that there is no way to craft
an ACL using val for multiple attributes. Such a concept is difficult to
specify anyway: if I imagine something like this:
access to attrs=foo val.regex="^(.*)$" attrs=bar val.regex="^(.*)$"
We can imagine we find foo's new value in ${v1} and bar's new value in
${v2}, but ${v0} remains difficult to define. And then there is the
problem of how to handle multivalued attributes.
I came to the conclusion that this is not The Right Way of doing it,
hence I had another idea: I could use an overlay that creates dynamic
attributes based on other attributes' values. Some kind of buz =
printf("%s-%s", foo, bar) functionality and use val.regex against this
buz dynamic attribute.
Questions
1) Does it already exist? Perhaps slapo-rwm is able to do something like
this?
2) If not then I could implement it, but how feasible is it? Are
overlays able to tweak an add or modify request, to add an attribute
before it hits the ACL layer?

Emmanuel Dreyfus <manu(a)netbsd.org> wrote:
> In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on
> the new value for an attribute.
>
> Using sets in the who clauses this new value can be matched as ${v0}
> against current attributes values. But what about if we want to match
> against another new attribute value? I currently run 2.4.33, and there
> is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the
> what clause. Has this changed in later releases? Or is there another way
> of doing it?