Quoting Dieter Kluenter dieter@dkluenter.de:
this rule should do the trick: access to dn.regex="cn=([^,]+),ou=whatsoever$" attrs=telephoneNumber by set="user/title & [telephoneManager]" write
Yes!!!
This is what I'm using now:
access to attrs=telephoneNumber by set="user/title & [telephonemanager]" write by users read
This works for a user with attr title=telephonemanager. However, to demonstrate the flexibility of this set rule...
access to attrs=telephoneNumber by set="user/description & [telephonemanager]" write by users read
... this works for a user with attr description=telephonemanager!
This is cool regardless, but I think my NIU-friend would say that it's cool because this set rule allows you to give users telephonemanager privileges without the need to maintain a telephonemanager group.
Actually, I think this solution can be improved upon significantly. For example, what if our privileged user had this attribute:
description: titlemanager telephonemanager addressmanager
Can a set rule be devised to match not only users with a description value that equals "telephonemanager", but also one that includes it in a longer string? We would need something like:
access to attrs=telephoneNumber by set="user/description & [*telephonemanager*]" write by users read
Only, that doesn't work.
Is this possible?
Many thanks,
Jaap
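As an added example that is not part of the thread and not slapd's own code: a small Python model of the set semantics the directives above rely on, where `user/<attr>` is the set of the bound user's values for that attribute and `& [literal]` intersects it with a one-element literal set. All entries, names and rules below are constructed; the model assumes exact value comparison (no wildcards), which is why a single space-separated description value does not match while separate values of a multi-valued attribute do.

```python
# Added example: a model of "user/<attr> & [<literal>]" set ACL evaluation.
# Not slapd's implementation; entries and rules are constructed for illustration.
import re

# Constructed directory entries: name -> {attribute -> set of values}.
# LDAP attributes are multi-valued, so every attribute maps to a set.
USERS = {
    "alice": {"title": {"telephonemanager"}},
    # one value containing the token inside a longer string
    "bob":   {"description": {"titlemanager telephonemanager addressmanager"}},
    # the same tokens as three separate values of one attribute
    "carol": {"description": {"titlemanager", "telephonemanager", "addressmanager"}},
    "dave":  {"title": {"clerk"}},
}

# Only the narrow shape used in the thread: user/<attr> & [<literal>]
SET_RULE = re.compile(r"^user/(\w+) & \[([^\]]+)\]$")


def set_matches(rule: str, user: str) -> bool:
    """True when the bound user's attribute values intersect the literal set.

    Modelled semantics: set intersection with exact value comparison, so a
    literal such as [*telephonemanager*] is just the string '*telephonemanager*'.
    """
    m = SET_RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported set expression: {rule!r}")
    attr, literal = m.group(1), m.group(2)
    values = USERS.get(user, {}).get(attr, set())
    return bool(values & {literal})


def access_for(rule: str, user: str) -> str:
    """Mimic 'access to attrs=telephoneNumber by set="..." write by users read':
    'write' when the set clause matches, otherwise the fallback 'read'."""
    return "write" if set_matches(rule, user) else "read"


if __name__ == "__main__":
    for rule, user in [
        ("user/title & [telephonemanager]", "alice"),
        ("user/description & [telephonemanager]", "bob"),
        ("user/description & [*telephonemanager*]", "bob"),
        ("user/description & [telephonemanager]", "carol"),
    ]:
        print(f"{user:6} {rule:45} -> {access_for(rule, user)}")
```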