Replying to myself: Reading latest code from git, I can tell that there is no way to craft an ACL using val for multiple attributes. Such a concept is difficult to specify anyway: if I imagine something like this: access to attrs=foo val.regex="^(.*)$" attrs=bar val.regex="^(.*)$" We can immagine we find foo's new value in ${v1} and bar's new value in ${v2}, but ${v0} remains difficult to define. And then there is the problem of how to handle multivalued attributes. I came to the conclusion that this is not The Right Way of doing it, hence I had another idea: I could use an overlay that creates dynamic attributes based on other attribute's values. Some kind of buz = printf("%s-%s", foo, bar) functionnality and use val.regex against this buz dynamic attribute. Questions 1) Does it already exist? Perhaps slapo-rwm is able to do something like this? 2) If not then I could implement it, but how feasible is it? Are overlays able to tweak an add or modify request, to add an attribute before it hits the ACL layer? Emmanuel Dreyfus <manu(a)netbsd.org&gt; wrote: > In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on > the new value for an attribute. > > Using sets in the who clauses this new value can be matched as ${v0} > against current attributes values. But what about if we want to match > against another new attribute value? I currently run 2.4.33, and there > is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the > what clause. Has this changed in later releases? Or is there another way > of doing it?

On Tue, Dec 09, 2014 at 03:36:25PM +0100, Michael Ströder wrote: > Frankly I don't understand in detail what you want to achieve. Let me try to rephrase. Such ACL construct let me match new foo's values as ${v1} in to rules: access to attrs=foo val="^(.*)$"

Now my problem is that I would want to do this with two attributes.

> But first of all: > Did you set "add_content_acl on" in your slapd.conf (or similar in back-config)? Yes. IIRC I contributed the patch for this option :-)

On Tue, Dec 09, 2014 at 04:02:42PM +0100, Michael Ströder wrote: > You should be more clear. Really two separate attributes or two distinct > attribute values? Why can't you just use two different ACLs? It's still not > clear to me. Because I would like to allow/deny some values of first attribute depending on values of the second. e.g.: foo cannot be set to X if bar is set.

Hello In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on the new value for an attribute. Using sets in the who clauses this new value can be matched as ${v0} against current attributes values. But what about if we want to match against another new attribute value? I currently run 2.4.33, and there is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the what clause. Has this changed in later releases?

Or is there another way of doing it?