Re: dnattr access rule

["Alexandre Garel" <garel.alexandre@agora.msa.fr>]

> oops, i forgot. i'm running 2.1.30 (latest stable on gentoo).
>
>  However, you could better make a groupOfNames or
>
> > groupOfUniqueNames and give that group write access. Works for me ;)
>
>
> well, in my case, one entry from ou=people will be only writable by a
> unique user, so i don't want to write as many ACL rules as ou=people
> entries in slapd.conf, and create a group for each ou=people entry.
> that's why i want to make a generic rule and use dnattr.
>
> actually i want to give access to a certain dn stored in the parent 
> entry, and i believe dnattr is used on the entry i want to access to, 
> and not its parent. so how could i:
>
> 1/ use $1 from dn="^.*cn=([^,]+),ou=people,dc=domain,dc=tld$"
> 2/ look at the seeAlso attribute of $1,ou=people,dc=domain,dc=tld
> 3/ give access to the dn stored in
>
> any hint to make it work please?

I've never experiment but I have seen the set FAQ-O-MATIC 
http://www.openldap.org/faq/data/cache/452.html explaining use of set 
attributes. Just see it as an hint
So you could use a

access to dn="^.*(cn=[^,]+,ou=people,dc=domain,dc=tld)$
by set ="[$1]/seeAlso & user" write
by * none

The set operation is intersection of user dn with dn contained in object 
at $1
If you want to experiment !
Alex.