Dusty Doris wrote:
Note that, as far as I can tell, "memberOf" is an Active Directory operational attribute that is internally maintained to preserve referential integrity within groups and group members. There's no equivalent in standard track schemas, to my knowledge. You'll need to define your own DN-valued attribute, or, for instance, "hijack" something that may do the trick, e.g. the "seeAlso" attribute, which is already allowed by "person" and descendants, or so.
To my knowledge, no, and I don't see it as a reasonable approach. The only thing that gets close to what you mean seems to be "sets", but they essentially lack arbitrary string concatenation capabilities.
If your entry stored the group's DN instead of its common name, things would have been quite straightforward. This is the "memberOf" approach, something like
    access to dn.children="ou=users,o=mydomain.com"
        by set="user & (this/memberOf)/member" write
That sounds like a good approach. Sets look pretty interesting. I've been reading about them in the FAQs. Still having trouble grasping it, but after some more coffee and a few more reads through I hope I'll get the idea.
I'm not confined to my original approach, so I'll give it a shot with the memberOf approach.
I can file an ITS. I'm still not up to par in understanding sets, so I'll try to get that figured out first. So I know how to accurately describe what I am asking for in the ITS.
Well, it's a feature request, so you won't get yelled at in any case ;) I'm telling you that feature is not there yet, so it's perfectly acceptable to request it.
Cheers, p.
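Added example, not part of the original message and not slapd's own code: a simplified Python model of how the set "user & (this/memberOf)/member" from the ACL above resolves to a grant or a denial. The directory contents, the DNs and the helper names (deref, acl_set_grants) are constructed for illustration, and DN matching is reduced to a case-insensitive string comparison.

```python
# Simplified model of the ACL set  user & (this/memberOf)/member
# scoped by  dn.children="ou=users,o=mydomain.com".
# Constructed sample directory; every DN below is made up.
BASE = "ou=users,o=mydomain.com"
DIRECTORY = {
    "cn=admins,ou=groups,o=mydomain.com": {
        "member": ["uid=alice,ou=users,o=mydomain.com"]},
    "cn=staff,ou=groups,o=mydomain.com": {
        "member": ["uid=alice,ou=users,o=mydomain.com",
                   "uid=bob,ou=users,o=mydomain.com"]},
    "uid=alice,ou=users,o=mydomain.com": {
        "memberOf": ["cn=admins,ou=groups,o=mydomain.com"]},
    "uid=bob,ou=users,o=mydomain.com": {
        "memberOf": ["cn=staff,ou=groups,o=mydomain.com"]},
    "uid=carol,ou=users,o=mydomain.com": {},  # no memberOf value
    "uid=dave,ou=users,o=mydomain.com": {     # dangling group reference
        "memberOf": ["cn=gone,ou=groups,o=mydomain.com"]},
}

def norm(dn):
    """Assumption: DN normalisation reduced to trim + lowercase."""
    return dn.strip().lower()

def deref(dns, attr):
    """Model of the set '/' operator: union of attr values over all DNs."""
    values = set()
    for dn in dns:
        entry = DIRECTORY.get(norm(dn), {})  # missing entry contributes nothing
        values.update(norm(v) for v in entry.get(attr, []))
    return values

def in_scope(this_dn):
    """dn.children: entries below the base, not the base itself."""
    return norm(this_dn).endswith("," + BASE)

def acl_set_grants(user_dn, this_dn):
    """True when the set is non-empty, i.e. the 'by set=... write' clause matches."""
    if not user_dn or not in_scope(this_dn):
        return False                        # anonymous bind or out of scope
    groups = deref({this_dn}, "memberOf")   # this/memberOf
    members = deref(groups, "member")       # (this/memberOf)/member
    return bool({norm(user_dn)} & members)  # user & ...

if __name__ == "__main__":
    for user in ("uid=alice," + BASE, "uid=bob," + BASE):
        for target in ("uid=alice," + BASE, "uid=bob," + BASE, "uid=carol," + BASE):
            print(user, "->", target, acl_set_grants(user, target))
```

An entry with no memberOf value, or one whose memberOf points at a group that does not exist, yields an empty set, so the clause does not match for anyone.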