Hi,
I've been reading slapd.access back and forth a few times in search of a way to make an ACL which defines read (and only read) access to a whole subtree in the DIT, based on the value of an attribute of the subtree root node.
I've found out how to do it for a named user by defining a group attribute on the node like this:
olcAccess: {2}to dn.regex="^.+,o=([^,]+),dc=example,dc=com" by group/NamedObject/denied.expand="o=$1,dc=example,dc=com" read by * +0 break
But this only denies the named DNs write access. What I want is to deny everybody write access to everything below the o=$1 RDN.
Conceptually I would also imagine that this would belong in the <WHAT> clause of the ACL and not in the <WHO> clause, but I can't find any mechanism to do something like:
access to dn.<which-have-attr-set-to-readonly>.children by * read
What is the textbook way to do this?
Regards, Peter