masarati@aero.polimi.it wrote:
Is it possible to specify the <what> clause in an ACL with a set?
No.
We have several applications and for each application there's a specific AUXILIARY object class for application-specific user attributes.
So for each application I add ACLs like this:
access to dn.onelevel="ou=Users,dc=example,dc=org" attrs=@app1User
    by dn.subtree="cn=app1,ou=Systems,dc=example,dc=org" read
    by * break
Obviously I'd like to have one ACL which references an attribute specifying the auxiliary object class in the app's system entry. Is that possible?
I'm not sure I understand your question: is it that you would like to have something like
attrs=<attr>
with <attr> depending on the contents of the entry, or of another entry resulting from the evaluation of some expression?
Yes, exactly. Preferably with <attr> being the object class form prefixed with @. The name of the object class should be read from an attribute in the accompanying system user entry (referenced as user in set-syntax).
OK, I confirm the no. Perhaps this could be implemented as a style of "attrs", something like
attrs.set="@user/myAttr"
or something like that?
p.
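
Added example, not part of the original thread: since the <what> clause cannot be computed from a set, the per-application ACLs described above can be generated from the system entries instead. It assumes each system entry names its auxiliary object class in an attribute called myAttr (the name used in the attrs.set sketch); the LDIF, the "legacy" entry and the function names are constructed for illustration.

```python
import re

# Constructed sample: application system entries, each naming its auxiliary
# object class in the assumed attribute "myAttr". "legacy" has none.
SAMPLE_LDIF = """\
dn: cn=app1,ou=Systems,dc=example,dc=org
cn: app1
myAttr: app1User

dn: cn=app2,ou=Systems,dc=example,dc=org
cn: app2
myAttr: app2User

dn: cn=legacy,ou=Systems,dc=example,dc=org
cn: legacy
"""

# LDAP descriptor syntax: a letter followed by letters, digits or hyphens.
DESCR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def parse_entries(ldif):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def build_acls(ldif, class_attr="myAttr", users_base="ou=Users,dc=example,dc=org"):
    """Return one ACL per (system entry, auxiliary class) pair."""
    acls = []
    for entry in parse_entries(ldif):
        dn = entry["dn"][0]
        for oc in entry.get(class_attr.lower(), []):
            # Directory data ends up in slapd's config: refuse anything that
            # could close the quoted DN or append extra "by" clauses.
            if not DESCR.fullmatch(oc) or '"' in dn:
                raise ValueError(f"unsafe value in {dn!r}: {oc!r}")
            acls.append(
                f'access to dn.onelevel="{users_base}" attrs=@{oc}\n'
                f'    by dn.subtree="{dn}" read\n'
                "    by * break")
    return acls

if __name__ == "__main__":
    print("\n\n".join(build_acls(SAMPLE_LDIF)))
```
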