Quoting Quanah Gibson-Mount quanah@zimbra.com:
> Unfortunately sets aren't fully documented, so I can't say.
It's been a full decade since Mark Valence introduced us to sets, which is sad, because it is said to be so useful. You know, I wouldn't mind helping out with writing that documentation for the project... as long as I would have someone with enough knowledge of the subject to collaborate with.
> I would note that I'd personally just create a group for the IT managers, and then do access based off the group...
Sure, but since this is actually a purely theoretical question, that would be missing the point. An old friend of mine from NIU, a directory specialist who works with eDir (and MAD, which he doesn't think much of), inspired me. He doesn't know much about OpenLDAP, but he has seen some things and it was this particular bit of functionality that made a lasting impression on him. He believes it's a technical advantage that OpenLDAP has over the competition. I imagine that it would scratch an itch that he is currently unable to reach.
Anyway, these are my current ACLs in full (using Kerberos for authentication):
access to attrs=userPassword,shadowLastChange by * none
access to dn.base="" by * read
access to attrs=loginShell by self write by * read
access to attrs=telephoneNumber by set.exact="user/title=telephonemanager" write
#access to attrs=telephoneNumber
#    by dn=uid=tmgr,ou=users,dc=example,dc=com write
access to * by anonymous auth by users read by * none
Using the above ACLs and uid=tmgr, which has "title: telephonemanager", if I attempt to modify the telephoneNumber of another user, I receive the error:
ldap_modify: Insufficient access (50)
However, if I uncomment the second-to-last access directive and comment out the one above it, then I can make that same modification without any problem.
If you or anyone else has an idea what might be preventing this "set" filter from working, I'd be much obliged.
Thanks,
Jaap
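A way to narrow down which directive is actually matching, added here as an example and not part of the message above: OpenLDAP ships `slapacl`, which evaluates the ACLs in a slapd configuration against the on-disk database for a given authenticated DN, target entry and attribute/access level, without going through a live bind. Assumptions in this script: the config lives at `$SLAPD_CONF` (defaulting to `/etc/openldap/slapd.conf`), the target entry `uid=alice,ou=users,dc=example,dc=com` is a hypothetical user, and `slapacl` reports its verdict on a line of the form `write access to telephoneNumber: ALLOWED` (or `DENIED`), which is the format I recall it printing; `-d acl` selects the ACL debug level so the trace shows which `access to` clause was selected and what the set expression expanded to.

```shell
#!/bin/sh
# Added example, not from the original thread: check an ACL offline with slapacl.
# Run it as the user that owns the database directory (normally the slapd user).

SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"   # assumed config path

# Evaluate one authenticated DN against one target entry and attr/access spec.
# -f: slapd.conf to load, -D: authcDN the ACLs are evaluated for,
# -b: entry being accessed, last arg: "<attr>/<access>" to test.
check_acl() {
    authc_dn=$1; target_dn=$2; attr_access=$3
    slapacl -f "$SLAPD_CONF" -D "$authc_dn" -b "$target_dn" "$attr_access" 2>&1
}

# Reduce slapacl's report to the single verdict word (ALLOWED or DENIED).
# Assumed line format: "<access> access to <attr>: ALLOWED|DENIED".
acl_verdict() {
    awk '/ access to .*: (ALLOWED|DENIED)$/ { verdict = $NF } END { print verdict }'
}

# Same evaluation with ACL debugging, to see which access directive matched
# and how the set (user/title ...) was evaluated before the verdict.
trace_acl() {
    authc_dn=$1; target_dn=$2; attr_access=$3
    slapacl -d acl -f "$SLAPD_CONF" -D "$authc_dn" -b "$target_dn" "$attr_access" 2>&1
}

if [ "${1:-}" = "run" ]; then
    # Usage with the DN from the thread (uid=tmgr) against a hypothetical target user.
    check_acl "uid=tmgr,ou=users,dc=example,dc=com" \
              "uid=alice,ou=users,dc=example,dc=com" \
              "telephoneNumber/write" | acl_verdict
    trace_acl "uid=tmgr,ou=users,dc=example,dc=com" \
              "uid=alice,ou=users,dc=example,dc=com" \
              "telephoneNumber/write"
fi
```

Invoke it as `sh acltest.sh run`; comparing the verdict between the `set.exact` directive and the commented-out `dn=` directive, with the trace output alongside, shows directly whether the set clause is being reached and what it evaluates to, which is more informative than the bare `Insufficient access (50)` that ldapmodify returns.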