dnattr access rule



Hi,

I need to grant access to an entry (and its children) to another entry of my LDAP that is listed in a specific attribute.

I have:

cn=foo,ou=people,dc=domain,dc=tld

This entry has a seeAlso attribute, which contains the DN of a user able to modify it.

seeAlso: uid=bar,ou=users,dc=domain,dc=tld

I want to make uid=bar,ou=users able to modify cn=foo,ou=people and able to add children to it. The following access rule doesn't seem to be right:

access to dn="^.*cn=([^,]+),ou=people,dc=domain,dc=tld$"
	by dnattr=seeAlso write
	by *	none

Can you help me with this, please? Thanks for your feedback.

--
--dju`