HI!
Is it possible to specify the <what> clause in an ACL with a set?
We have several applications and for each application there's a specific AUXILIARY object class for application-specific user attributes.
So for each application I add ACLs like this:
access to dn.onelevel="ou=Users,dc=example,dc=org" attrs=@app1User by dn.subtree="cn=app1,ou=Systems,dc=example,dc=org" read by * break
Obviously I'd like to have one ACL which references an attribute specifying the auxiliary object class in the app's system entry. Is that possible?
Ciao, Michael.
HI!
Is it possible to specify the <what> clause in an ACL with a set?
No.
We have several applications and for each application there's a specific AUXILIARY object class for application-specific user attributes.
So for each application I add ACLs like this:
access to dn.onelevel="ou=Users,dc=example,dc=org" attrs=@app1User by dn.subtree="cn=app1,ou=Systems,dc=example,dc=org" read by * break
Obviously I'd like to have one ACL which references an attribute specifying the auxiliary object class in the app's system entry. Is that possible?
I'm not sure I understand your question: is it that you would like to have something like
attrs=<attr>
with <attr> depending on the contents of the entry, or of another entry resulting from the evaluation of some expression?
p.
masarati@aero.polimi.it wrote:
Is it possible to specify the <what> clause in an ACL with a set?
No.
We have several applications and for each application there's a specific AUXILIARY object class for application-specific user attributes.
So for each application I add ACLs like this:
access to dn.onelevel="ou=Users,dc=example,dc=org" attrs=@app1User by dn.subtree="cn=app1,ou=Systems,dc=example,dc=org" read by * break
Obviously I'd like to have one ACL which references an attribute specifying the auxiliary object class in the app's system entry. Is that possible?
I'm not sure I understand your question: is it that you would like to have something like
attrs=<attr>
with <attr> depending on the contents of the entry, or of another entry resulting from the evaluation of some expression?
Yes, exactly. Preferably with <attr> being the object class form prefixed with @. The name of the object class should be read from an attribute in the accompanying system user entry (referenced as user in set-syntax).
Ciao, Michael.
masarati@aero.polimi.it wrote:
Is it possible to specify the <what> clause in an ACL with a set?
No.
We have several applications and for each application there's a specific AUXILIARY object class for application-specific user attributes.
So for each application I add ACLs like this:
access to dn.onelevel="ou=Users,dc=example,dc=org" attrs=@app1User by dn.subtree="cn=app1,ou=Systems,dc=example,dc=org" read by * break
Obviously I'd like to have one ACL which references an attribute specifying the auxiliary object class in the app's system entry. Is that possible?
I'm not sure I understand your question: is it that you would like to have something like
attrs=<attr>
with <attr> depending on the contents of the entry, or of another entry resulting from the evaluation of some expression?
Yes, exactly. Preferably with <attr> being the object class form prefixed with @. The name of the object class should be read from an attribute in the accompanying system user entry (referenced as user in set-syntax).
OK, I confirm the no. Perhaps this could be implemented as a style of "attrs", something like
attrs.set="@user/myAttr"
or something like that?
p.
openldap-technical@openldap.org
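Since the thread concludes that attrs= in the <what> clause cannot be computed from a set, one workaround is to generate the static per-application ACLs from the system entries. The following is an added example, not code from any poster in the thread: it assumes each system entry carries a hypothetical attribute myAttr naming the application's auxiliary object class, the sample entries are constructed, and values are validated before they are written into ACL text.

```python
import re

# Constructed sample data: application system entries as (DN, attributes).
# "myAttr" is a hypothetical attribute naming the app's AUXILIARY object class.
SYSTEM_ENTRIES = [
    ("cn=app1,ou=Systems,dc=example,dc=org", {"myAttr": ["app1User"]}),
    ("cn=app2,ou=Systems,dc=example,dc=org", {"myAttr": ["app2User"]}),
    ("cn=bad,ou=Systems,dc=example,dc=org", {"myAttr": ['x" by * write']}),
    ("cn=none,ou=Systems,dc=example,dc=org", {}),
]

USERS_BASE = "ou=Users,dc=example,dc=org"
# LDAP descriptor (RFC 4512 keystring): a letter, then letters, digits, hyphens.
DESCR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def acl_for(app_dn, object_class, users_base=USERS_BASE):
    """Render one static ACL stanza in the form used in the thread."""
    if not DESCR.fullmatch(object_class):
        raise ValueError(f"not a valid object class name: {object_class!r}")
    for dn in (app_dn, users_base):
        if '"' in dn or "\n" in dn or "\r" in dn:
            raise ValueError(f"DN cannot be quoted safely: {dn!r}")
    return (
        f'access to dn.onelevel="{users_base}" attrs=@{object_class}\n'
        f'    by dn.subtree="{app_dn}" read\n'
        f"    by * break\n"
    )


def generate(entries, attr="myAttr"):
    """Return (stanzas, skipped); skipped holds (DN, reason) per rejected entry."""
    stanzas, skipped = [], []
    for dn, attrs in entries:
        values = attrs.get(attr, [])
        if len(values) != 1:
            skipped.append((dn, f"expected exactly one {attr} value"))
            continue
        try:
            stanzas.append(acl_for(dn, values[0]))
        except ValueError as exc:
            skipped.append((dn, str(exc)))
    return stanzas, skipped


if __name__ == "__main__":
    stanzas, skipped = generate(SYSTEM_ENTRIES)
    print("\n".join(stanzas))
    for dn, reason in skipped:
        print(f"# skipped {dn}: {reason}")
```

The generated stanzas are static, so they have to be regenerated and reloaded whenever an application's system entry changes.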