Hi all,
maybe this is not the right list for this question, in this case I apologize for this post..
I have no idea to define access rules for the following case. Have an LDAP tree like this:
ou=users cn=me ou=data ou=data1, owner=cn=me,ou=users cn=fact1 cn=fact2 ou=data2, owner=cn=somebodyelse,ou=users cn=fact3 cn=fact4
(one line represents one LDAP entry with some of its attributes, the level of indentation represents the tree structure)
The point is the subtree starting at "ou=data1". The root node of this subtree (ou=data1) has an attribute "owner" with a DN of a user account which can be used to bind to the LDAP server (cn=me,ou=users).
Now I want to define, that this specific user has write access to some attributes of cn=fact1,ou=data1 and cn=fact2,ou=data2 etc...
I am searching for a rule like this:
access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write
Obviously, this dnattr syntax is not valid, but I guess you see what I want. Any ideas how to realize this?
Try
access to dn.children="ou=data1,ou=data" by set="[ou=data1,ou=data]/owner & user" write
p.