<who> ::= ....
attrpick <attrname>=<regexp with substrings>
userattrmatch <attrname>=<regexp with substrings>
<what> ::= ....
attrpick <attrname>=<regexp with substrings>
targetattrmatch <attrname>=<regexp with substrings>
What we have done is cross-matched attribute values (including but
not limited to DN) between the user and the target. This will allow
for all cases I described, yet would not be too hard to process (we
don't get multiple entry results to search through, just a lot of
string matching :)
Examples:
access to targetattrmatch dn=".*$1$"
by attrpick dn="(.*)" write
I just let anyone above any entry have write access to
its descendants.
Even more powerful would be a mix of this with LDAP
filters (such as proposed in sets?) to be able to say something like
this (sorry, no more BNF :)
access to targetattrmatch dn=".*$1$"
by filterpick (&(dn="(.*)")(objectClass="specialOrgManager")
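To make the proposed semantics concrete, here is an added simulator (not code from the post or from slapd) that evaluates the two example rules above over a small, constructed directory. It assumes that the `by` clause (`attrpick`) is evaluated first so its captured substrings are available as `$1`, `$2`, ... when the `targetattrmatch` pattern is expanded; that regexes are matched with search semantics, which is why the author's pattern needs the explicit `.*` and `$`; and that a captured value is substituted literally (escaped) rather than re-interpreted as regex, which the proposal does not specify but which matters once DN values contain regex metacharacters. The `filterpick` example is approximated by a plain objectClass check on the user entry instead of a full LDAP filter evaluator.

```python
import re

# Constructed sample directory: DN -> attributes (hypothetical, not from the post)
ALICE = "cn=alice,ou=people,dc=example,dc=com"
BOB = "cn=bob,ou=people,dc=example,dc=com"
DIRECTORY = {
    ALICE: {"objectClass": ["person", "specialOrgManager"]},
    BOB: {"objectClass": ["person"]},
    "cn=report,cn=alice,ou=people,dc=example,dc=com": {"objectClass": ["document"]},
    "cn=report,cn=bob,ou=people,dc=example,dc=com": {"objectClass": ["document"]},
}


def _values(dn, attrs, attrname):
    """Values of <attrname> on an entry; 'dn' is served from the entry's DN."""
    return [dn] if attrname.lower() == "dn" else attrs.get(attrname, [])


def attrpick(entry_dn, entry_attrs, attrname, pattern):
    """'attrpick <attrname>=<regexp>': match one of the user's attribute values
    and return the captured substrings ($1, $2, ...), or None if nothing matches."""
    for value in _values(entry_dn, entry_attrs, attrname):
        m = re.search(pattern, value)  # search semantics, like a plain regexec()
        if m:
            return m.groups()
    return None


def expand(pattern, captures):
    """Replace $1, $2, ... in a targetattrmatch pattern with the picked substrings.
    Assumption: substitute literally (re.escape) so a DN value such as 'cn=a+b'
    cannot change the meaning of the target regex. A trailing '$' anchor is left alone."""
    def subst(m):
        idx = int(m.group(1)) - 1
        if idx >= len(captures):
            raise ValueError("rule references $%d but only %d substrings were picked"
                             % (idx + 1, len(captures)))
        return re.escape(captures[idx])
    return re.sub(r"\$(\d+)", subst, pattern)


def targetattrmatch(target_dn, target_attrs, attrname, pattern, captures):
    """'targetattrmatch <attrname>=<regexp with substrings>': match the target's
    attribute values against the pattern after substituting the user's substrings."""
    expanded = expand(pattern, captures)
    return any(re.search(expanded, v) for v in _values(target_dn, target_attrs, attrname))


def allowed(user_dn, target_dn, who_pattern, what_pattern, required_objectclass=None):
    """Evaluate one rule of the form
         access to targetattrmatch dn="<what_pattern>"
             by attrpick dn="<who_pattern>" write
    The optional objectClass requirement stands in for the filterpick variant."""
    user_attrs = DIRECTORY.get(user_dn, {})
    target_attrs = DIRECTORY.get(target_dn, {})
    captures = attrpick(user_dn, user_attrs, "dn", who_pattern)
    if captures is None:
        return False
    if required_objectclass is not None and \
            required_objectclass not in user_attrs.get("objectClass", []):
        return False
    return targetattrmatch(target_dn, target_attrs, "dn", what_pattern, captures)


if __name__ == "__main__":
    who, what = "(.*)", ".*$1$"
    for user in (ALICE, BOB):
        for target in DIRECTORY:
            print("%-5s %-8s -> %s" % (
                "write" if allowed(user, target, who, what) else "-",
                user.split(",")[0], target))
    # Note: ".*$1$" with an empty ".*" also matches the user's own entry,
    # not only its descendants, so the rule grants write there as well.
    print(allowed(ALICE, ALICE, who, what))
```

Running the block prints, for each user, which entries the first example rule would grant write on: alice gets her own entry and `cn=report,cn=alice,...`, bob gets his own and `cn=report,cn=bob,...`, and neither reaches the other's subtree. Passing `required_objectclass="specialOrgManager"` reproduces the filterpick example, where only alice qualifies.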