hi

the goal is to make some users hidden from part of the ldap tree from Apache, as Apache mod_ldap requires only one entry to be returned for anonymous search it performs. there can be duplicates in the same ldap directory, like, for example there's another uid=glen present

the tree looks like this:

+- dc=example,dc=net +- cn=Manager +- ou=People +- uid=glen +- ou=Basement +- uid=glen +- ou=Groups +- cn=Hidden Users +- member: uid=glen,ou=People,dc=example,dc=net

in what ou=Basement,ou=People,dc=example,dc=net is filled by "database ldap", and it causes duplicate uid entries in the directory (unavoidable)

so far i have just static acl that is working:

access to dn.regex="uid=(glen|somebody-else),ou=People,dc=delfi,dc=net" attrs=uid by anonymous =rcxd

it would be better if that can be done by dynamic group lookup via acl. as i see it, there shoould be acl stating if access to uid=.+,ou=People,dc=example,dc=net is attempted, it is checked first that it is not "member" of cn=Hidden Users,ou=Groups,dc=example,dc=net and if it's member, access to entry is denied. however i'm unable to complete such acl rule

i have read manual, and tried to experiment, but i can't make up such dynamic configuration. any help from the list?