manu@netbsd.org (Emmanuel Dreyfus) wrote:
Replying to myself:
Reading latest code from git, I can tell that there is no way to craft an ACL using val for multiple attributes. Such a concept is difficult to specify anyway: if I imagine something like this: access to attrs=foo val.regex="^(.*)$" attrs=bar val.regex="^(.*)$"
We can imagine we find foo's new value in ${v1} and bar's new value in ${v2}, but ${v0} remains difficult to define. And then there is the problem of how to handle multivalued attributes.
I came to the conclusion that this is not The Right Way of doing it, hence I had another idea: I could use an overlay that creates dynamic attributes based on other attributes' values. Some kind of buz = printf("%s-%s", foo, bar) functionality and use val.regex against this buz dynamic attribute.
Questions
- Does it already exist? Perhaps slapo-rwm is able to do something like this?
As documented in its manpage, slapo-rwm only rewrites DN-valued attributes.
- If not then I could implement it, but how feasible is it? Are overlays able to tweak an add or modify request, to add an attribute before it hits the ACL layer?
Sure.
Emmanuel Dreyfus manu@netbsd.org wrote:
In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on the new value for an attribute.
Using sets in the who clauses this new value can be matched as ${v0} against current attributes values. But what about if we want to match against another new attribute value? I currently run 2.4.33, and there is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the what clause. Has this changed in later releases? Or is there another way of doing it?